OriginBotnet, RedLine Clipper, and AgentTesla Distributed Via Phishing Emails

12-Sep-23

A recent email phishing scam that deceives users into downloading a malware loader was found by FortiGuard Labs. The payloads of the loader include AgentTesla, RedLine Clipper, and OriginBotnet (for keylogging and password recovery). This loader employs a binary padding evasion technique that includes the addition of null bytes to make the file appear to be 400 MB or larger.



To trick the receiver into clicking on it and activating a malicious link embedded in a Word document, the phishing email contains a malicious Word document with a blurred image and a false reCAPTCHA. Following that, the malware loader goes through a number of stages, including decoding resource data, establishing persistence, decrypting a PowerShell command, duplicating files for automatic starting, executing methods from decrypted DLLs, and causing the execution of other files.

Read More…