More malicious attachments found by researchers

Share post:

Attachments continue to be an effective way of delivering malware as long as employees miss vital clues. Two examples detailed by researchers at Fortinet demonstrate the latest techniques of threat actors that can be shown to staff as part of security awareness training.

The first is a Word document containing a malicious URL designed to entice victims to download a malware loader. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for stealing cryptocurrency on a victim’s computer and AgentTesla for harvesting sensitive information.

The example found by Fortinet is a financial document, but an attacker could use any tactic: A resume, a request for proposal, etc. Clicking on the Word document results in the display of a deliberately blurred image to convince the recipient there is a document to be seen if they also click on a counterfeit  but standard-looking reCAPTCHA challenge that says “I am not a robot.” That starts a process for loading the malware.

Screen shot of blurred document that shows up when a victim clicks on it
This blurred image and re:Captcha form pops up when document is clicked on. Image from Fortinet

RedLine Clipper, also known as ClipBanker, steals cryptocurrencies by manipulating the user’s system clipboard activities to substitute the destination wallet address with one belonging to the attacker. Due to the complexity of digital wallet addresses, users often copy and paste them during transactions.

Agent Tesla can log keystrokes, access the host’s clipboard, and conduct disk scans to uncover credentials and other valuable data. It transmits gathered information to a Command and Control (C2) server through several communication channels, including HTTP(S), SMTP, FTP, or even by dispatching it to a designated Telegram channel.

OriginBotnet has a range of capabilities including collecting sensitive data, establishing communications with its C2 server, and downloading additional files from the server to execute keylogging or password recovery functions on compromised computers.

The second example is a file the researchers obtained that they assume was an attachment because it purports to be a list of company officers. The email message might have claimed to be a corporate instruction for employees. The format of this attachment is a compressed .RAR file. Clicking on it reveals two components: A PDF named “Notice to Work-From-Home groups.” If a victim clicks on it, an image of an error message pops up that falsely indicates that the PDF document failed to load.

Screen shot of decoy error message
This error message is a diversion

This is actually a decoy, according to Fortinet, that is supposed to encourage the victim to click on the second file, “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe.” For staff who have good awareness training, this file’s .exe extension should be a warning that it not be clicked on. That assumes the full file name shows. However, the report notes, by default Windows doesn’t show full file names. The threat actor uses this knowledge in hopes of disguising the file so the victim will think it’s a PDF and not a file that executes.

The purpose of this file is to act as a dropper for several pieces of malware.

Cybersecurity experts say that employee awareness training is vital to a broad defence strategy. Including examples is one way to help them learn.

The post More malicious attachments found by researchers first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Liberals to add ‘fundamental right to privacy’ to proposed law, but no details yet

As committee hearing start the Innovation minister promises changes to privacy law to meet complaints. Details to fo

Cyber Security Today, Sept. 27 2023 – Hackers are targeting luxury hotels, a Red Cross scam and more

This episode reports on phishing campaigns against the hospitality sector, a new ransomware operato

Ransomware attacks on U.S. public sector at record high

Ransomware attacks on the U.S. public sector are on track to reach record levels in 2023, with both...

APT hacking group AtlasCross targets organizations

A new advanced persistent threat (APT) hacking group named AtlasCross has been discovered targeting organizations with phishing lures...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways