Windows Systems Targeted in Multi-Stage Malware Attack

Written by

A multi-stage malware attack has recently come to light, with Windows systems as its primary target, according to security researchers at Fortinet.

This campaign, discovered in August, employs a series of malicious tactics capable of compromising organizations in several ways.

According to a technical blog post published by Fortinet security expert Cara Lin on Monday, the attack begins with a phishing email, delivering a malicious Word document as an attachment. This document contains a deceptive image and a counterfeit reCAPTCHA to lure recipients into clicking. Once activated, the document triggers an embedded malicious link, setting the stage for the attack’s progression.

The initial loader, downloaded from a specific URL, deploys a binary padding evasion strategy, increasing the file size to 400 MB. It then unleashes a series of payloads, including OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft and AgentTesla for harvesting sensitive information.

Read more on AgentTesla: Lokibot, AgentTesla Grow in January 2023's Most Wanted Malware List

Lin explained that each attack stage is meticulously orchestrated to maintain persistence and evade detection. The malware employs encryption and decryption techniques, utilizing Base64 encoding, AES-CBC and AES-ECB algorithms to conceal its activities.

RedLine Clipper, one of the malicious components, specializes in cryptocurrency theft by altering the user’s system clipboard activities to replace cryptocurrency wallet addresses with those belonging to the attacker. This tactic preys on users who copy and paste wallet addresses during transactions, leading to the accidental transfer of funds to the attacker.

AgentTesla, another malware variant, is designed to log keystrokes, access the clipboard and scan disks for valuable data, all while communicating with a command-and-control (C2) server. It establishes persistence and can exfiltrate data via various communication channels.

OriginBotnet, the third component, collects sensitive data and communicates with its C2 server, downloading additional files for keylogging and password recovery. It employs encryption techniques to obfuscate its traffic.

“The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems,” Lin warned.

Organizations are urged to remain vigilant, bolster their cybersecurity defenses and educate employees on the dangers of phishing emails to mitigate their risk effectively.

Editorial image credit: rawf8 /

What’s hot on Infosecurity Magazine?