Palo Alto Networks Unit 42 has the insides of a malware called ” OriginLoggerknown as the successor to the widespread information stealing and remote access Trojan (RAT). Agent Tesla.
A .NET-based keylogger and remote access agent, Agent Tesla has long been present in the threat landscape, allowing malicious actors to remotely gain access to targeted systems and send sensitive information to an actor-controlled domain.
Known for being used in the wild since 2014, it is offered for sale on dark web forums and is generally distributed via malicious spam emails as attachments.
In February 2021, cybersecurity company Sophos released two new variants of the commodity malware (versions 2 and 3) that had the ability to steal credentials from web browsers, email apps, and VPN clients, and used the Telegram API for Command- and control to use .
Well, according to Unit 42 researcher Jeff White, what has been labeled as Agent Tesla Version 3 actually is OriginLoggerwhich allegedly arose to fill the void left by the former after its operators closed down on March 4, 2019 following legal troubles.
The starting point of the investigations of the cyber security company was a YouTube video which was released in November 2018 and details its features, which led to the discovery of a malware sample (“OriginLogger.exe“) uploaded to VirusTotal malware database on May 17, 2022.
The executable is a builder binary that allows a purchased customer to specify the type of data to collect, including the clipboard, screenshots, and the list of applications and services (e.g. browsers, email clients, etc.) , from which the credentials are supposed to come.
User authentication is achieved by sending a request to an OriginLogger server, which resolves to the domain names 0xfd3[.]com and its newer counterpart originpro[.]me based on two builder artifacts assembled on September 6, 2020 and June 29, 2022.
Unit 42 said it was able to identify a GitHub profile with username 0xfd3 hosting two source code repositories for stealing passwords from Google Chrome and Microsoft Outlook, both used in OrionLogger.
OrionLogger, like Agent Tesla, will have a Bait Microsoft Word document which, when opened, should display an image of a passport for a German citizen and a credit card, along with a series of Excel worksheets embedded in it.
The first of the two pieces of malware is a loader that uses the technique of Process hollowing to inject the second executable, the OrionLogger payload, into the aspnet_compiler.exe processa legitimate utility for precompiling ASP.NET applications.
“Using tried and tested methods, the malware includes the ability to use keylog, steal credentials, take screenshots, download additional payloads, upload your data in myriad ways, and attempt to evade detection,” White said.
Furthermore, an analysis of a corpus of over 1,900 samples shows that the most common exfiltration mechanisms for sending the data back to the attacker are via SMTP, FTP, web uploads to the OrionLogger panel, and Telegram with the help of 181 unique bots.
“Commercial keyloggers have historically targeted less advanced attackers, but as illustrated in the first decoy document analyzed here, that doesn’t make attackers less able to use multiple tools and services to obfuscate and complicate the analysis,” said White on.