Security News > 2022 > September > Researchers Detail OriginLogger RAT — Successor to Agent Tesla Malware

Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan known as Agent Tesla.

A.NET based keylogger and remote access, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain.

In February 2021, cybersecurity firm Sophos disclosed two new variants of the commodity malware that featured capabilities to steal credentials from web browsers, email apps, and VPN clients, as well as use Telegram API for command-and-control.

The cybersecurity firm's starting point for the investigation was a YouTube video that was posted in November 2018 detailing its features, leading to the discovery of a malware sample that was uploaded to the VirusTotal malware database on May 17, 2022.

The worksheets, in turn, contain a VBA macro that uses MSHTA to invoke an HTML page hosted on a remote server, which, for its part, includes an obfuscated JavaScript code to fetch two encoded binaries hosted on Bitbucket.

The first of the two pieces of malware is a loader that utilizes the technique of process hollowing to inject the second executable, the OrionLogger payload, into the aspnet compiler.

News URL

https://thehackernews.com/2022/09/researchers-detail-originlogger-rat.html