Researchers detail the OriginLogger RAT, the successor to the Agent Tesla malware

Unit 42 of Palo Alto Networks has detailed the inner workings of a malware family called OriginLogger, which is touted as the successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla.

A .NET-based keylogger and remote access trojan, Agent Tesla has long been present in the threat landscape, allowing attackers to remotely access targeted systems and beacon sensitive information to an attacker-controlled domain.

It has been known to be used in the wild since 2014, advertised for sale on darknet forums, and commonly distributed through malicious spam email attachments.


Now, according to Unit 42 researcher Jeff White, what has been labeled Agent Tesla Version 3 is actually OriginLogger, which is said to have come into being to fill the void left by the former after its operators shut it down on March 4, 2019, citing legal problems.

The starting point for the cybersecurity company’s investigation was a YouTube video released in November 2018 detailing its features, which led to the discovery of a malware sample (“OriginLogger.exe”) that was uploaded to the VirusTotal malware database on May 17, 2022.

The executable is a builder binary that allows the customer to specify the types of data to capture, including the clipboard, screenshots, and a list of applications and services (such as browsers, email clients, etc.) from which credentials should be extracted.

OriginLogger RAT

User authentication is achieved by sending a request to the OriginLogger server, which resolves to the domains 0xfd3[.]com and its newer counterpart originpro[.]me, based on two builder artifacts collected on September 6, 2020 and June 29, 2022.

Unit 42 stated that it was able to identify a GitHub profile with the username 0xfd3 that hosts two source code repositories for stealing Google Chrome and Microsoft Outlook passwords, both of which are used in OriginLogger.

OriginLogger, like Agent Tesla, is delivered via a decoy Microsoft Word document that, when opened, displays an image of a German citizen’s passport and credit card, along with a number of embedded Excel spreadsheets.

The spreadsheets, in turn, contain a VBA macro that uses MSHTA to call an HTML page hosted on a remote server; that page includes obfuscated JavaScript code that retrieves two encoded binaries hosted on Bitbucket.

The first of the two binaries is a loader that uses the process hollowing technique to inject the second executable, the OriginLogger payload, into the aspnet_compiler.exe process, a legitimate utility for precompiling ASP.NET applications.

“The malware uses proven methods and includes the ability to inject keys, steal credentials, take screenshots, download additional payloads, download your data in multiple ways, and try to avoid detection,” White said.

In addition, analysis of a corpus of over 1,900 samples shows that the most common exfiltration mechanisms for sending data to an attacker are SMTP, FTP, web uploads to the OriginLogger panel, and Telegram, using 181 unique bots.
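The infection chain above (Office macro launching MSHTA, a loader hollowing aspnet_compiler.exe, and exfiltration over SMTP, FTP or the Telegram bot API) gives a defender three observable stages. The following Python hunt is an added example, not code from Unit 42's report; it runs over constructed, simplified Sysmon-style events, and the allowlist of legitimate aspnet_compiler.exe parents and the exfiltration ports are assumptions that would need tuning per environment.

```python
"""Hunt for the OriginLogger-style chain described above in endpoint telemetry."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}   # macro-capable parents
LOLBIN = "mshta.exe"                                     # used by the VBA macro
HOLLOW_TARGET = "aspnet_compiler.exe"                    # process-hollowing host
DEV_PARENTS = {"msbuild.exe", "devenv.exe", "cmd.exe"}   # assumed legitimate launchers
EXFIL_PORTS = {25, 465, 587, 21}                         # SMTP / FTP (assumed set)
EXFIL_HOSTS = {"api.telegram.org"}                       # Telegram bot API

# Constructed sample events in a simplified Sysmon-like shape (not real telemetry).
EVENTS = [
    {"type": "proc", "pid": 100, "image": r"C:\Office\EXCEL.EXE", "parent": r"C:\Office\WINWORD.EXE"},
    {"type": "proc", "pid": 101, "image": r"C:\Windows\System32\mshta.exe", "parent": r"C:\Office\EXCEL.EXE"},
    {"type": "proc", "pid": 102, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent": r"C:\Users\bob\AppData\Roaming\loader.exe"},
    {"type": "net", "pid": 102, "dest": "api.telegram.org", "port": 443},
    {"type": "net", "pid": 102, "dest": "mail.example.net", "port": 587},
    {"type": "proc", "pid": 200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent": r"C:\Program Files\MSBuild\MSBuild.exe"},   # benign build, must not alert
    {"type": "net", "pid": 200, "dest": "nuget.example.org", "port": 443},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (pid, rule) alerts for the three stages visible in the chain."""
    alerts, image_of = [], {}
    for ev in events:
        if ev["type"] == "proc":
            img, par = basename(ev["image"]), basename(ev["parent"])
            image_of[ev["pid"]] = img
            if par in OFFICE and img == LOLBIN:          # stage 1: macro -> MSHTA
                alerts.append((ev["pid"], "office_spawned_mshta"))
            if img == HOLLOW_TARGET and par not in DEV_PARENTS:   # stage 2: odd launch
                alerts.append((ev["pid"], "aspnet_compiler_odd_parent"))
        elif ev["type"] == "net":
            img = image_of.get(ev["pid"], "")
            # stage 3: the precompiler has no reason to talk to Telegram or SMTP/FTP
            if img == HOLLOW_TARGET and (ev["dest"] in EXFIL_HOSTS or ev["port"] in EXFIL_PORTS):
                alerts.append((ev["pid"], f"aspnet_compiler_exfil:{ev['dest']}:{ev['port']}"))
    return alerts


if __name__ == "__main__":
    for pid, rule in hunt(EVENTS):
        print(pid, rule)
```

Each alert carries the pid so the three stages can be stitched into one incident; the MSBuild-launched aspnet_compiler.exe produces nothing, which is the false-positive case the parent allowlist exists for.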

“Commercial keyloggers have historically responded to less advanced attackers, but as shown in the original honeypot document analyzed here, this does not preclude attackers from using multiple tools and services to obfuscate and complicate analysis,” White added.
