OriginBotnet Spreads via Malicious Word Document | FortiGuard Labs

FortiGuard Labs analyzed a phishing Word document that delivers a multi-stage loader, inflated to 400 MB, which then deploys OriginBotnet, RedLine Clipper, and Agent Tesla. The campaign combines credential theft, cryptocurrency wallet theft, and keylogging across a complex malware chain. #OriginBotnet #RedLineClipper #AgentTesla #Bankslip #SoftwarezOnline #NitroSoftwareShop

Keypoints

  • The malicious Word document uses binary padding to inflate the file size and evade detection, reaching about 400 MB.
  • The loader delivers three main payloads: OriginBotnet (keylogging/password recovery), RedLine Clipper (crypto clipboard hijacking), and Agent Tesla (credential harvesting).
  • Phishing email delivers the document with a blurred image and counterfeit reCAPTCHA to entice clicks; the embedded malicious link is in word/_rels/document.xml.rels.
  • The loader chain decrypts resources via XOR and AES, loads multiple components, and achieves persistence (Startup folder) and staged execution.
  • OriginBotnet collects system information, establishes C2 contact at nitrosoftwares.shop/gate, and supports commands like downloadexecute, uninstall, update, and load, including Keylogger and PasswordRecovery plugins.
  • RedLine Clipper continuously monitors the clipboard to replace cryptocurrency wallet addresses for multiple coins (ClipBanker variant) using OnClipboardChangeEventHandler and regex checks.

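As an added triage example (not code from FortiGuard Labs or the report), the following Python checks a .docx for the two properties described above: appended binary padding behind the ZIP end-of-central-directory record, and external relationships in word/_rels/document.xml.rels. The sample document, its hyperlink URL and the null-byte padding are constructed here; the padding check works for any ZIP-based container and reports trailing bytes of any value, since the page does not state what the real padding consists of.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_PATH = "word/_rels/document.xml.rels"
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OOXML_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def split_padding(data):
    # Find the ZIP end-of-central-directory record (signature PK\x05\x06, 22 bytes
    # plus optional comment); bytes after it are appended padding. zipfile alone only
    # looks in the last ~64 KB for that record, so a heavily padded .docx won't open.
    eocd = data.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("not a ZIP container")
    comment_len = int.from_bytes(data[eocd + 20:eocd + 22], "little")
    end = eocd + 22 + comment_len
    return data[:end], len(data) - end

def external_relationships(docx_bytes):
    # (Id, type name, Target) for each TargetMode="External" entry in document.xml.rels.
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return found
        root = ET.fromstring(zf.read(RELS_PATH))
    for rel in root.iter(RELS_NS + "Relationship"):
        if rel.get("TargetMode", "Internal").lower() == "external":
            found.append((rel.get("Id"), rel.get("Type", "").rsplit("/", 1)[-1], rel.get("Target")))
    return found

def triage(data):
    core, padding = split_padding(data)
    return {"padding_bytes": padding, "padding_ratio": padding / len(data),
            "external": external_relationships(core)}

def build_sample():
    # Constructed sample (not real malware): a minimal .docx with one external
    # hyperlink relationship, then 200 KB of null bytes appended as padding.
    rels = ('<Relationships xmlns="%s">' % RELS_NS[1:-1]
            + '<Relationship Id="rId1" Type="%sstyles" Target="styles.xml"/>' % OOXML_REL
            + '<Relationship Id="rId2" Type="%shyperlink" '
              'Target="https://lure.example.invalid/download" TargetMode="External"/>' % OOXML_REL
            + '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr(RELS_PATH, rels)
    return buf.getvalue() + b"\x00" * 200_000
```

Run `triage(build_sample())` to see the padding size and the external link reported together; a high padding ratio plus any external relationship is the combination worth flagging for analyst review.
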
MITRE Techniques

  • [T1566.001] Phishing – A phishing email delivers the Word document as an attachment and uses a blurred image and a counterfeit reCAPTCHA to lure the recipient into clicking on it. ‘A phishing email delivers the Word document as an attachment, presenting a deliberately blurred image and a counterfeit reCAPTCHA (Figure 2) to lure the recipient into clicking on it.’
  • [T1027] Obfuscated/Compressed Files and Information – The loader uses a binary padding evasion strategy and XOR/AES to decrypt resources. ‘The initial loader was acquired from … It uses an XOR operation with the string … and then ‘Activator.CreateInstance()’ to execute the decoded information. The decoding procedure is shown in Figure 4.’
  • [T1547.001] Boot or Logon Autostart Execution – Persistence is achieved by duplicating the EXE into the Startup directory so it runs on startup. ‘it duplicates the EXE file into the directory “%AppData%\Microsoft\Windows\Start Menu\Programs\Startup” … to ensure that the file runs automatically even if the victim restarts their device.’
  • [T1059.001] Windows PowerShell – A PowerShell command is used for persistence within the loader chain. ‘PowerShell command for persistence in “Main Project.dll”.’
  • [T1082] System Information Discovery – OriginBotnet gathers device details (antivirus product, CPU, GPU, country, OS name, username) before contacting C2. ‘gathers essential information about the victim’s device, such as the installed AntiVirus Product, CPU, GPU, country, OS name, and username.’
  • [T1115] Clipboard Data – RedLine Clipper monitors the clipboard to intercept and potentially replace cryptocurrency addresses. ‘OnClipboardChangeEventHandler to regularly monitor clipboard changes …’
  • [T1555.003] Credentials from Web Browsers – Agent Tesla’s PasswordRecovery targets browser/software credentials and reports them via HTTP POST. ‘retrieves and organizes the credentials of various browser and software accounts. It records these results and reports them via HTTP POST requests.’
  • [T1059.003] Windows Command Shell – The loader uses Process.Start to run downloaded files and may invoke commands like msiexec.exe /I or java.exe -jar. ‘It may involve using “Process.Start” or invoking commands such as “msiexec.exe /I” or “java.exe -jar.”’
  • [T1071.001] Web Protocols – C2 communications occur via HTTP POST with encryption. ‘The communication is conducted via a POST request … TripleDES encryption … encoded in Base64.’
  • [T1056.001] Input Capture: Keylogging – OriginBotnet’s Keylogger plugin records keystrokes and monitors active windows. ‘The Keylogger plugin … uses techniques such as “SetWindowsHookEx” for capturing keyboard input events …’
  • [T1056.001] Clipboard Data (secondary) – RedLine Clipper also monitors clipboard for data extraction, supporting multiple currencies. ‘Clipboard text content through “SetClipboardViewer.”’
  • [T1555.001] Credentials from Password Stores (PasswordRecovery scope) – Agent Tesla enumerates and retrieves credentials from a wide range of browsers and apps. ‘The plugin is designed to target the following browsers and software applications:’

Indicators of Compromise

  • [URL] Bankslip domain – bankslip.info; bankslip[.]info
  • [URL] SoftwareZ domain – softwarez.online; softwarez[.]online
  • [URL] NitroSoftwareShop domain – nitrosoftwares.shop; nitrosoftwares[.]shop
  • [URL/Filename] OriginBotnet entry point – david.exe (SHA256: be915d601276635bf4e77ce6b84feeec254a900c0d0c229b0d00f2c0bca1bec7)
  • [File] Agent Tesla variant – COPPER.exe (SHA256: c241e3b5d389b227484a8baec303e6c3e262d7f7bf7909e36e312dea9fb82798)

Read more: https://www.fortinet.com/blog/threat-research/originbotnet-spreads-via-malicious-word-document