Phishing campaign uses Word documents to distribute three malware strains
Researchers identified a new phishing campaign that uses Microsoft Word documents to distribute malware that can log what a victim types, siphon cryptocurrency funds, and steal sensitive data.
To get into the victim’s system, the attackers send a phishing email with the malicious Word document as an attachment. Clicking on the attachment activates an embedded malicious link in the file and leads to the delivery of three malware strains known as RedLine Clipper, Agent Tesla, and OriginBotnet, according to a report published Monday by cybersecurity firm Fortinet.
The RedLine Clipper loader steals cryptocurrency by changing a wallet address stored in the victim’s clipboard to the attacker's address. It works with various cryptocurrencies like Bitcoin, Ethereum, Dogecoin, Litecoin, Dashcoin, and Monero.
RedLine Clipper monitors what users copy, particularly focusing on long and complicated wallet addresses, which are hard to type out manually. Once it spots a wallet address, it discreetly swaps it out with the attacker's address without the user knowing.
Agent Tesla, on the other hand, can record keystrokes and compiles a list of specific software installed on the victim's device, including web browsers and email clients.
The third payload, OriginBotnet, can collect sensitive data from the victim's computer, connect to the hackers' control server and download more files from the server to perform tasks like recording keystrokes or recovering passwords on hacked devices.
“The attack demonstrated sophisticated techniques to evade detection and maintain persistence on compromised systems,” the researchers said.
Fortinet hasn’t attributed the attack to any known hacker group.
Daryna Antoniuk is a freelance reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.