This Cybersecurity Threat Advisory focuses on a sophisticated phishing campaign that uses a Microsoft Word document lure to distribute a trio of threats. The threats are Agent Tesla, OriginBotnet, and RedLine Clipper, and are designed to gather a wide range of information from compromised Windows machines.
What is the threat?
A new sophisticated phishing campaign that delivers a Word document as an attachment has been found. The attachment presents a deliberately blurred image and a counterfeit reCAPTCHA to lure recipients into clicking on it. Once the victim clicks the blurred picture, the loader employs a binary padding evasion strategy that adds null bytes to increase the file’s size to 400MB and starts to gather information from the compromised Windows machine.
Why is it noteworthy?
This phishing campaign involves a complex chain of events, beginning with malicious Word documents distributed via phishing emails, leading victims to download a loader that executes a series of malware payloads. This attack demonstrates sophisticated techniques to evade detection and maintain persistence on compromised systems. OriginBotnet is used for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and Agent Tesla for harvesting sensitive information.
What is the exposure or risk?
Due to the sophisticated nature of this phishing campaign, users are at a severe risk if they open these emails, given the malware’s ability to evade detection systems and maintain persistence. Phishing emails that look inviting are always a risk. It is important to educate users on newly discovered phishing campaigns and remind them to remain vigilant when looking through their emails.
What are the recommendations?
Barracuda MSP recommends the following actions to prevent or limit the impact of this phishing campaign:
- Use Barracuda XDR Endpoint Security which includes behavioral scanning to swiftly detect and respond to abnormal files and process behavior.
- Verify URLs on your web filtering service to detect potential ‘Malicious’ ratings.
- Regularly conduct security awareness training to educate employees on recent phishing tactics and how to spot them.
- Segment your network to isolate critical systems and data from less secure areas.
References
For more in-depth information about the recommendations, please visit the following links:
If you have any questions about this Cybersecurity Threat Advisory, please contact our Security Operations Center.