New OriginLogger RAT examined

The Hacker News reports that the OriginLogger malware has emerged as the successor to the popular Agent Tesla remote access trojan, which was shut down in March 2019. OriginLogger, initially tagged as Agent Tesla version 3, was identified by Palo Alto Networks' Unit 42 in a sample uploaded to VirusTotal on May 17, 2022; the researchers tracked it down after finding a YouTube video dated November 2018 that explained its features. According to Unit 42, threat actors could use OriginLogger's builder executable to customize which data types are captured and which sources data is exfiltrated from. Both OriginLogger and Agent Tesla have been distributed through a malicious Microsoft Word document that displays an image of a German citizen's passport and credit card alongside several embedded Excel worksheets. These worksheets were observed to contain a VBA macro that retrieves an HTML page hosted on a remote server; the page contains obfuscated JavaScript that in turn fetches two pieces of malware, the first of which uses process hollowing to inject OriginLogger. "The malware uses tried and true methods and includes the ability to keylog, steal credentials, take screenshots, download additional payloads, upload your data in a myriad of ways and attempt to avoid detection," said Unit 42 researcher Jeff White.