More malicious attachments found by researchers

Share post:

Attachments continue to be an effective way of delivering malware as long as employees miss vital clues. Two examples detailed by researchers at Fortinet demonstrate the latest techniques of threat actors that can be shown to staff as part of security awareness training.

The first is a Word document containing a malicious URL designed to entice victims to download a malware loader. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for stealing cryptocurrency on a victim’s computer and AgentTesla for harvesting sensitive information.

The example found by Fortinet is a financial document, but an attacker could use any tactic: A resume, a request for proposal, etc. Clicking on the Word document results in the display of a deliberately blurred image to convince the recipient there is a document to be seen if they also click on a counterfeit  but standard-looking reCAPTCHA challenge that says “I am not a robot.” That starts a process for loading the malware.

Screen shot of blurred document that shows up when a victim clicks on it
This blurred image and re:Captcha form pops up when document is clicked on. Image from Fortinet

RedLine Clipper, also known as ClipBanker, steals cryptocurrencies by manipulating the user’s system clipboard activities to substitute the destination wallet address with one belonging to the attacker. Due to the complexity of digital wallet addresses, users often copy and paste them during transactions.

Agent Tesla can log keystrokes, access the host’s clipboard, and conduct disk scans to uncover credentials and other valuable data. It transmits gathered information to a Command and Control (C2) server through several communication channels, including HTTP(S), SMTP, FTP, or even by dispatching it to a designated Telegram channel.

OriginBotnet has a range of capabilities including collecting sensitive data, establishing communications with its C2 server, and downloading additional files from the server to execute keylogging or password recovery functions on compromised computers.

The second example is a file the researchers obtained that they assume was an attachment because it purports to be a list of company officers. The email message might have claimed to be a corporate instruction for employees. The format of this attachment is a compressed .RAR file. Clicking on it reveals two components: A PDF named “Notice to Work-From-Home groups.” If a victim clicks on it, an image of an error message pops up that falsely indicates that the PDF document failed to load.

Screen shot of decoy error message
This error message is a diversion

This is actually a decoy, according to Fortinet, that is supposed to encourage the victim to click on the second file, “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe.” For staff who have good awareness training, this file’s .exe extension should be a warning that it not be clicked on. That assumes the full file name shows. However, the report notes, by default Windows doesn’t show full file names. The threat actor uses this knowledge in hopes of disguising the file so the victim will think it’s a PDF and not a file that executes.

The purpose of this file is to act as a dropper for several pieces of malware.

Cybersecurity experts say that employee awareness training is vital to a broad defence strategy. Including examples is one way to help them learn.

The post More malicious attachments found by researchers first appeared on IT World Canada.
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

Featured Tech Jobs


Related articles

Cyber Security Today, Week in Review for week ending Friday April 19, 2024

On this episode Jen Ellis, co-chair of the Ransomware Task Force, talks about ways of fighting one of the biggest cyber threats to IT d

Cyber Security Today, April 19, 2024 – Police bust phishing rental platform, a nine-year old virus found on Ukrainian computers, and more

This episode reports on a threat actor targeting governments in the Middle East with a novel way of hiding malware is going international

Controversial expansion of US surveillance powers nears Senate vote

The US Senate is poised to vote on a significant expansion of Section 702 of the Foreign Intelligence...

Russian-linked hackers target U.S. and European water systems

A Russian military-affiliated hacking group, Sandworm, is suspected of coordinating recent cyberattacks on water utilities in the U.S.,...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways