OriginLogger Picks Up Where Agent Tesla Left Off To Record Your Activities
OriginLogger is the name of a newly discovered malicious tool. A detailed report on the malware was recently published by a research team with the Unit 42 division of Palo Alto Networks.
OriginLogger has been advertised as the next evolution of the older Agent Tesla malware. Agent Tesla has been around for nearly a decade. Written in .NET, it has already gone through two major revisions.
The newest incarnation, and third major update, is OriginLogger, a piece of malware that combines keylogger and infostealer functionality. It is sold as a customizable builder binary: a buyer specifies which kinds of information should be scraped from targeted systems and which applications OriginLogger should attempt to harvest credentials from.
The usual distribution method for OriginLogger is rather convoluted. A malicious Word document contains a couple of images and embedded Excel sheets. The embedded Excel objects carry malicious Visual Basic (VBA) macros that open a remote web page. That page holds a chunk of obfuscated JavaScript, which in turn fetches two encoded binary files.
OriginLogger is deployed on the victim system through process hollowing, injecting the final payload into a legitimate process.
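As an added example (not code from the article or from Unit 42's report), the following Python script performs a static triage of a Word document for the first stage of the delivery chain described above: a .docx that carries embedded Excel workbooks which themselves contain VBA projects. It relies only on the standard OOXML layout (a .docx is a ZIP; embedded objects live under word/embeddings/, a workbook's macros under xl/vbaProject.bin). The sample documents it builds are constructed in memory as minimal OOXML shells, not real lure files.

```python
"""Static triage for a Word lure that smuggles macro-enabled Excel workbooks.

Added example, not code from the article or the Unit 42 report. A .docx is a
ZIP container (OOXML); this walks the parts such a lure relies on, images under
word/media/ and embedded objects under word/embeddings/, and opens each embedded
object that is itself an OOXML ZIP (an .xlsx/.xlsm workbook) in memory to look
for a VBA project part. The verdict is based on content, never on the file
extension, since an embedded workbook can carry macros under any name.
"""
import io
import zipfile

VBA_PART = "vbaproject.bin"  # OOXML part that stores a VBA project (compared case-insensitively)


def _zip_has_vba(data: bytes):
    """True/False for an OOXML ZIP; None if the bytes are not a ZIP at all
    (for example a legacy OLE2 object, which needs a different parser)."""
    if not data.startswith(b"PK\x03\x04"):
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith(VBA_PART) for n in z.namelist())
    except zipfile.BadZipFile:
        return None


def triage_docx(doc_bytes: bytes) -> dict:
    """Inspect a .docx and report images, embedded objects and any VBA found."""
    report = {
        "images": 0,
        "embedded": [],            # every object under word/embeddings/
        "embedded_with_vba": [],   # embedded OOXML packages carrying a VBA project
        "embedded_unparsed": [],   # embedded objects that are not ZIPs (not classified here)
        "document_vba": False,     # the Word file itself is macro-enabled (.docm)
    }
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as doc:
        for name in doc.namelist():
            low = name.lower()
            if low.startswith("word/media/"):
                report["images"] += 1
            elif low.startswith("word/embeddings/"):
                report["embedded"].append(name)
                has_vba = _zip_has_vba(doc.read(name))
                if has_vba:
                    report["embedded_with_vba"].append(name)
                elif has_vba is None:
                    report["embedded_unparsed"].append(name)
            elif low.endswith(VBA_PART):
                report["document_vba"] = True
    # A plain .docx hiding macro-enabled workbooks is the pattern described in the
    # article; a .docm with its own VBA project is the more obvious variant.
    report["suspicious"] = bool(report["embedded_with_vba"] or report["document_vba"])
    return report


# --- constructed samples: minimal OOXML shells, not real malware ------------------

def _zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_docx(macro_workbooks: bool) -> bytes:
    """Skeleton .docx with two images and two embedded workbooks. With
    macro_workbooks=True each workbook carries a placeholder VBA project part."""
    workbook_parts = {"[Content_Types].xml": b"<Types/>", "xl/workbook.xml": b"<workbook/>"}
    if macro_workbooks:
        # A real vbaProject.bin is an OLE2 compound file; its content is irrelevant here.
        workbook_parts["xl/vbaProject.bin"] = b"\xd0\xcf\x11\xe0 placeholder"
    workbook = _zip_bytes(workbook_parts)
    # Innocuous-looking .xlsx extension on purpose: the check must not trust it.
    return _zip_bytes({
        "[Content_Types].xml": b"<Types/>",
        "word/document.xml": b"<w:document/>",
        "word/_rels/document.xml.rels": b"<Relationships/>",
        "word/media/image1.png": b"\x89PNG placeholder",
        "word/media/image2.png": b"\x89PNG placeholder",
        "word/embeddings/Microsoft_Excel_Worksheet1.xlsx": workbook,
        "word/embeddings/Microsoft_Excel_Worksheet2.xlsx": workbook,
    })


if __name__ == "__main__":
    for flag in (False, True):
        print("macro workbooks" if flag else "clean workbooks", "->",
              triage_docx(build_sample_docx(flag)))
```

Because the check classifies on content rather than extension, a macro-enabled workbook renamed to .xlsx is still flagged. Embedded objects stored as legacy OLE2 compound files (oleObjectN.bin) are reported as unparsed rather than cleared; those need an OLE parser, for instance the olevba tool from oletools, before a verdict. None of this says anything about the remote page or the two encoded binaries, which only exist once the macro runs; for those, detonation or network telemetry is the right tool.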