Originbotnet Spreads Via Malicious Word Document
Fortinet News, Monday, September 11, 2023
In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file's size to 400 MB.
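Binary padding works because many scanners skip or truncate files above a size limit, while the executable content itself stays small. A defender's check is to measure how much of a file is a trailing run of null bytes and compare that with the file's nominal size. The following script is an added example written for this article; it is not FortiGuard's code, the threshold of 50% and the helper names are assumptions, and the sample files it builds are constructed test data rather than the real loader.

```python
import os
import tempfile

# Flag a file when at least this fraction of it is trailing 0x00 padding (assumed threshold).
NULL_RUN_THRESHOLD = 0.50
CHUNK = 1 << 20  # read backwards in 1 MiB blocks so a 400 MB file is not loaded at once


def trailing_null_bytes(path):
    """Return the length of the run of 0x00 bytes at the end of the file."""
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as f:
        pos = size
        while pos > 0:
            step = min(CHUNK, pos)
            pos -= step
            f.seek(pos)
            block = f.read(step)
            stripped = block.rstrip(b"\x00")
            run += len(block) - len(stripped)
            if stripped:  # reached the last non-null byte
                break
    return run


def padding_report(path):
    """Summarise nominal size versus effective (unpadded) size and flag heavy padding."""
    size = os.path.getsize(path)
    nulls = trailing_null_bytes(path)
    ratio = nulls / size if size else 0.0
    return {
        "size": size,
        "trailing_nulls": nulls,
        "effective_size": size - nulls,
        "padding_ratio": round(ratio, 4),
        "suspicious": size > 0 and ratio >= NULL_RUN_THRESHOLD,
    }


def make_sample(payload, pad_bytes):
    """Write a constructed sample: a small stub followed by null padding (test data only)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
        f.write(b"\x00" * pad_bytes)
    return path


if __name__ == "__main__":
    padded = make_sample(b"MZ" + b"\x90" * 1000, 5_000_000)
    print(padding_report(padded))
    os.remove(padded)
```

Legitimate binaries also contain null runs from section alignment, so treat the ratio as a triage signal rather than a verdict; the useful operational change is to hash and scan the effective content instead of letting an oversized file bypass inspection.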
The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information. Figure 1 illustrates the comprehensive attack flow.
In this blog, we examine the various stages of how the file is deployed and delve into the specifics of the malware it delivers.