Fortinet FortiGuard Labs [2], a team of security researchers, has recently discovered a sophisticated multi-stage malware attack that specifically targets Windows systems.
Description
The attack begins with a phishing email containing a Word document attachment [1] [2] [3] [5]. Clicking on a blurred image in the document leads to the delivery of a loader from a remote server [2] [3]. This loader is designed to distribute multiple malware payloads [2] [3], including OriginBotnet for keylogging and password recovery [2] [3] [5], RedLine Clipper for cryptocurrency theft [1] [2] [3] [5], and Agent Tesla for harvesting sensitive information [2] [3] [5].
To ensure the loader remains undetected, it cleverly uses binary padding. Once activated [1] [2] [3], the loader establishes persistence on the host and extracts a dynamic-link library (DLL) responsible for unleashing the final payloads [2] [3]. RedLine Clipper specializes in stealing cryptocurrencies by tampering with the user’s system clipboard [1] [2] [3] [4], while Agent Tesla is a remote access trojan (RAT) and data stealer [2] [3].
In addition to these payloads, the attack also delivers a new malware called OriginBotnet [3], which collects data [3], communicates with a command-and-control server [1] [3] [5], and downloads plugins for keylogging and password recovery [3]. OriginBotnet scans running processes [4], collects system information [4], and communicates with a C2 server via encrypted messages [4].
The campaign demonstrates sophisticated techniques to evade detection and maintain persistence on compromised systems [2] [3]. Organizations are strongly advised to enhance their cybersecurity defenses and educate employees about the risks associated with phishing emails. By doing so, organizations can better protect themselves from these sophisticated malware attacks.
Conclusion
This multi-stage malware attack targeting Windows systems poses a significant threat to organizations. It highlights the need for enhanced cybersecurity defenses and employee education to mitigate the risks associated with phishing emails. As attackers continue to develop sophisticated techniques, organizations must remain vigilant and proactive in their efforts to protect sensitive information and prevent future attacks.
References
[1] https://flyytech.com/2023/09/12/windows-systems-targeted-in-multi-stage-malware-attack/
[2] https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html
[3] https://www.redpacketsecurity.com/sophisticated-phishing-campaign-deploying-agent-tesla-originbotnet-and-redline-clipper/
[4] https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document
[5] https://www.infosecurity-magazine.com/news/windows-targeted-multi-stage/
