Advisory ID: NCC-CSIRT-180923-035
Summary: Cara Lin, a researcher at Fortinet's FortiGuard Labs, has reported a phishing campaign that delivers malicious Word documents as email attachments. The document leads the victim to download a loader: in this context, a program whose job is to fetch, decode and execute further malware stages rather than to cause harm itself. Once run, the loader launches a chain of payloads. The campaign uses several techniques to evade detection and to keep a lasting presence on compromised systems.
Threat Type(s): Phishing and Malware
Impact/Vulnerability: HIGH/CRITICAL
Product(s): Windows Devices
Platform(s): Windows Operating Systems
Version(s): All Versions
Description: According to the researcher, the Word document arrives as an email attachment. It shows a deliberately blurred image overlaid with a counterfeit reCAPTCHA prompt; clicking the image follows a malicious URL embedded in the document and retrieves the loader from a remote server. The loader uses a binary padding evasion technique: null bytes are appended to the executable until it reaches 400 MB, which defeats antivirus and sandbox products that skip or truncate files above a size limit and makes the sample costly to upload and analyse. The loader then deploys three payloads: OriginBotnet (keylogging and password recovery), RedLine Clipper (cryptocurrency theft by replacing wallet addresses copied to the clipboard) and AgentTesla (harvesting of sensitive information). Together these let the attacker collect a wide range of data from the compromised Windows machine.
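The binary padding described above is cheap to detect once a scanner is willing to look at the tail of a large file. The check below is an added example written for this advisory; it is not code from the advisory, from Fortinet, or from the campaign. The thresholds, the assumed scanner size cap and the constructed sample files are illustrative assumptions, not values observed in the campaign.

```python
"""Heuristic check for null-byte padding appended to inflate a binary.

Added example; not code from the advisory or from Fortinet. Thresholds,
the assumed scanner size cap and the constructed samples are assumptions.
"""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass
from typing import Iterator

MIB = 1024 * 1024
# Assumption: a scanner that skips files larger than this. The advisory's
# loader is padded to 400 MB, comfortably above such a cap.
ASSUMED_SCAN_SIZE_LIMIT = 100 * MIB


@dataclass(frozen=True)
class PaddingReport:
    total_size: int
    trailing_nulls: int

    @property
    def padding_ratio(self) -> float:
        return self.trailing_nulls / self.total_size if self.total_size else 0.0


def _count_trailing_nulls(reverse_chunks: Iterator[bytes]) -> int:
    """Count trailing 0x00 bytes given chunks supplied from the end of the
    data backwards. Stops at the first chunk holding a non-null byte, so a
    400 MB padded file costs only a few reads."""
    nulls = 0
    for chunk in reverse_chunks:
        stripped = chunk.rstrip(b"\x00")
        nulls += len(chunk) - len(stripped)
        if stripped:
            break
    return nulls


def _reverse_file_chunks(path: str, chunk_size: int = MIB) -> Iterator[bytes]:
    """Yield the file from its end backwards in chunk_size pieces."""
    pos = os.path.getsize(path)
    with open(path, "rb") as fh:
        while pos > 0:
            start = max(0, pos - chunk_size)
            fh.seek(start)
            yield fh.read(pos - start)
            pos = start


def measure_padding_bytes(data: bytes, chunk_size: int = MIB) -> PaddingReport:
    """In-memory variant for small samples and unit tests."""
    chunks = (data[max(0, i - chunk_size):i] for i in range(len(data), 0, -chunk_size))
    return PaddingReport(len(data), _count_trailing_nulls(chunks))


def measure_padding(path: str, chunk_size: int = MIB) -> PaddingReport:
    """Measure a file on disk without reading the whole thing."""
    return PaddingReport(os.path.getsize(path),
                         _count_trailing_nulls(_reverse_file_chunks(path, chunk_size)))


def is_suspiciously_padded(report: PaddingReport, min_ratio: float = 0.5,
                           min_nulls: int = MIB) -> bool:
    """Flag when most of the file is one trailing run of nulls and that run
    is far larger than linker section alignment (a few KB) could explain.
    Both thresholds are assumptions; tune them on your own corpus."""
    return report.trailing_nulls >= min_nulls and report.padding_ratio >= min_ratio


def evades_size_limited_scan(report: PaddingReport,
                             limit: int = ASSUMED_SCAN_SIZE_LIMIT) -> bool:
    """True when a scanner with the given cap would never inspect the file."""
    return report.total_size > limit


def write_constructed_sample(path: str, body: bytes, pad_len: int) -> str:
    """Write a stand-in 'binary' followed by pad_len null bytes, in 1 MiB
    pieces so no huge buffer is held in memory. Constructed sample only."""
    zeros = b"\x00" * min(pad_len, MIB)
    with open(path, "wb") as fh:
        fh.write(body)
        remaining = pad_len
        while remaining > 0:
            n = min(remaining, len(zeros))
            fh.write(zeros[:n])
            remaining -= n
    return path


def demo(pad_len: int = 8 * MIB) -> dict:
    """Build one padded and one unpadded constructed sample, run the check
    on both and return the verdicts. The default pad is scaled down from
    the advisory's 400 MB so the demo finishes quickly."""
    body = b"MZ" + b"\x90" * 4096 + b"end-of-constructed-sample"
    with tempfile.TemporaryDirectory() as tmp:
        padded = write_constructed_sample(os.path.join(tmp, "padded.exe"), body, pad_len)
        clean = write_constructed_sample(os.path.join(tmp, "clean.exe"), body, 512)
        rp, rc = measure_padding(padded), measure_padding(clean)
    return {
        "padded_total_size": rp.total_size,
        "padded_trailing_nulls": rp.trailing_nulls,
        "padded_flagged": is_suspiciously_padded(rp),
        "clean_flagged": is_suspiciously_padded(rc),
    }


if __name__ == "__main__":
    print(demo())
```

The file variant reads backwards from the end, so even the 400 MB sample costs a couple of 1 MiB reads; a scanner applying a size cap can run this tail check on every file it would otherwise skip and quarantine anything flagged. Legitimate executables end with at most a few kilobytes of alignment padding, which is why the minimum null run is set in megabytes rather than as a ratio alone.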
Consequences: Remote attackers can steal credentials, other sensitive information and cryptocurrency from compromised machines.
Solution:
- Do not follow suspicious links or URLs, including those embedded in documents
- Treat unsolicited emails carrying attachments with suspicion and do not open unexpected Word documents
- Configure endpoint and gateway scanners so that they do not skip large files, since the loader is padded to 400 MB precisely to land above such scan limits
- Keep antivirus signatures current; the researcher's vendor reports that FortiGuard Antivirus protects against this campaign
References:
https://thehackernews.com/2023/09/sophisticated-phishing-campaign.html?&web_view=true
https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document