More malicious attachments found by researchers

Share post:

Attachments continue to be an effective way of delivering malware as long as employees miss vital clues. Two examples detailed by researchers at Fortinet demonstrate the latest techniques of threat actors that can be shown to staff as part of security awareness training.

The first is a Word document containing a malicious URL designed to entice victims to download a malware loader. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for stealing cryptocurrency on a victim’s computer and AgentTesla for harvesting sensitive information.

The example found by Fortinet is a financial document, but an attacker could use any tactic: A resume, a request for proposal, etc. Clicking on the Word document results in the display of a deliberately blurred image to convince the recipient there is a document to be seen if they also click on a counterfeit  but standard-looking reCAPTCHA challenge that says “I am not a robot.” That starts a process for loading the malware.

Screen shot of blurred document that shows up when a victim clicks on it
This blurred image and re:Captcha form pops up when document is clicked on. Image from Fortinet

RedLine Clipper, also known as ClipBanker, steals cryptocurrencies by manipulating the user’s system clipboard activities to substitute the destination wallet address with one belonging to the attacker. Due to the complexity of digital wallet addresses, users often copy and paste them during transactions.

Agent Tesla can log keystrokes, access the host’s clipboard, and conduct disk scans to uncover credentials and other valuable data. It transmits gathered information to a Command and Control (C2) server through several communication channels, including HTTP(S), SMTP, FTP, or even by dispatching it to a designated Telegram channel.

OriginBotnet has a range of capabilities including collecting sensitive data, establishing communications with its C2 server, and downloading additional files from the server to execute keylogging or password recovery functions on compromised computers.

The second example is a file the researchers obtained that they assume was an attachment because it purports to be a list of company officers. The email message might have claimed to be a corporate instruction for employees. The format of this attachment is a compressed .RAR file. Clicking on it reveals two components: A PDF named “Notice to Work-From-Home groups.” If a victim clicks on it, an image of an error message pops up that falsely indicates that the PDF document failed to load.

Screen shot of decoy error message
This error message is a diversion

This is actually a decoy, according to Fortinet, that is supposed to encourage the victim to click on the second file, “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe.” For staff who have good awareness training, this file’s .exe extension should be a warning that it not be clicked on. That assumes the full file name shows. However, the report notes, by default Windows doesn’t show full file names. The threat actor uses this knowledge in hopes of disguising the file so the victim will think it’s a PDF and not a file that executes.

The purpose of this file is to act as a dropper for several pieces of malware.

Cybersecurity experts say that employee awareness training is vital to a broad defence strategy. Including examples is one way to help them learn.

The post More malicious attachments found by researchers first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.


Related articles

Security research team claims to have helped avert a major supply chain attack

JFrog Security Research team continuously scans public repositories such as Docker Hub, NPM, and PyPI to identify malicious...

Phishing attacks on state and local governments surge by 360%

Phishing attacks targeting state and local governments have surged by 360% between May 2023 and May 2024, according...

What is Ticketmaster saying to its customers?

Here's the letter that has been sent out out to Ticketmaster clients that a reader sent to me....

Cyber Security Today, July 8, 2024 – New ransomware group discovered, and summer podcast break starts

A new ransomware group is discovered. Welcome to Cyber Security Today. It's Monday July 8th, 2024. I'm Howard Solomon,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways