
Sophisticated Phishing Campaign Deploying Agent Tesla, OriginBotnet, and RedLine Clipper
2023-09-12 10:01

A sophisticated phishing campaign is using a Microsoft Word document lure to distribute a trifecta of threats, namely Agent Tesla, OriginBotnet, and RedLine Clipper, to gather a wide range of information from compromised Windows machines.

"A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it," Fortinet FortiGuard Labs researcher Cara Lin said.

Clicking on the image leads to the delivery of a loader from a remote server that, in turn, is designed to distribute OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information.
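In a Word (.docx) file, the link behind a clickable image is stored as a relationship with `TargetMode="External"` in one of the package's `.rels` parts, so listing those targets is a quick way to triage a lure like the one described above. The script below is an added example, not code from the article or from Fortinet; it builds a constructed minimal .docx in memory (the URL and part names are made up for the demonstration) and extracts every external target.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces used by the relationship parts of a .docx package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def build_sample_docx(with_link: bool = True) -> bytes:
    """Constructed sample: a bare-bones .docx whose document part references an
    image and, optionally, an external hyperlink (the loader URL is a placeholder)."""
    link = (
        f'<Relationship Id="rId2" Type="{REL_TYPE}/hyperlink" '
        'Target="http://example.invalid/loader" TargetMode="External"/>'
    ) if with_link else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{REL_TYPE}/image" Target="media/image1.png"/>'
        f"{link}</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


def external_targets(docx_bytes: bytes) -> list:
    """Return every relationship target marked TargetMode="External" across all
    .rels parts of the package; internal parts (images, styles) are skipped."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append(rel.get("Target"))
    return found


if __name__ == "__main__":
    for target in external_targets(build_sample_docx()):
        print("external relationship target:", target)
```

Run it against a real attachment by passing the file's bytes to `external_targets`; any `http`/`https` target in a document that should not reach out to the network deserves a closer look.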

Agent Tesla is a .NET-based remote access trojan and data stealer used for gaining initial access and exfiltrating sensitive information, such as keystrokes and login credentials saved in web browsers, to a command-and-control server over the SMTP protocol.

It's worth noting that Palo Alto Networks Unit 42, in September 2022, detailed an Agent Tesla successor called OriginLogger, which has features similar to those of OriginBotnet, suggesting that both could be the work of the same threat actor.

"It began with a malicious Word document distributed via phishing emails, leading victims to download a loader that executed a series of malware payloads. The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems."


News URL

https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html
