In August, FortiGuard Labs obtained a Word document containing a malicious URL designed to entice victims to download a malware loader. This loader employs a binary padding evasion strategy that adds null bytes to increase the file’s size to 400 MB. The payloads of this loader include OriginBotnet for keylogging and password recovery, RedLine Clipper for cryptocurrency theft, and AgentTesla for harvesting sensitive information.
In this blog, FortiGuard Labs researchers examine the various stages of how the file is deployed and delve into the specifics of the malware it delivers.
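The binary padding trick described above works because many scanners and sandboxes skip files above a size limit, so a loader inflated to 400 MB with null bytes may never be inspected. A simple defensive counter-check is to measure how much of a file is padding rather than content. The following Python script is an added example, not FortiGuard's code or the blog's own tooling: it streams a file from the end to count the trailing null run (so a multi-hundred-megabyte sample is never loaded into memory), computes the overall null-byte ratio, and flags the file when padding dominates. The thresholds (`min_trailing_ratio`, `min_size`) and the samples written by `demo()` are constructed assumptions for illustration.

```python
"""Flag files inflated with null-byte padding (added example, not FortiGuard code)."""
import os
import tempfile

PAD_BYTE = b"\x00"


def trailing_null_run_bytes(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of an in-memory buffer."""
    return len(data) - len(data.rstrip(PAD_BYTE))


def null_ratio_bytes(data: bytes) -> float:
    """Fraction of bytes in the buffer that are 0x00 (0.0 for an empty buffer)."""
    return data.count(PAD_BYTE) / len(data) if data else 0.0


def trailing_null_run_file(path: str, chunk: int = 1 << 20) -> int:
    """Count trailing 0x00 bytes by reading the file backwards chunk by chunk.

    Stops at the first chunk containing a non-null byte, so a padded 400 MB
    file costs only a few reads and the padding is never held in memory.
    """
    size = os.path.getsize(path)
    run = 0
    with open(path, "rb") as fh:
        pos = size
        while pos > 0:
            step = min(chunk, pos)
            pos -= step
            fh.seek(pos)
            buf = fh.read(step)
            stripped = buf.rstrip(PAD_BYTE)
            run += len(buf) - len(stripped)
            if stripped:  # reached real content; the null run ends here
                break
    return run


def null_ratio_file(path: str, chunk: int = 1 << 20) -> float:
    """Overall fraction of 0x00 bytes, computed in a single streaming pass."""
    total = nulls = 0
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk)
            if not buf:
                break
            total += len(buf)
            nulls += buf.count(PAD_BYTE)
    return nulls / total if total else 0.0


def assess_file(path: str, min_trailing_ratio: float = 0.5,
                min_size: int = 64 * 1024) -> dict:
    """Return padding statistics plus a verdict.

    A file is reported as padded when it is at least `min_size` bytes and at
    least `min_trailing_ratio` of it is a trailing null run. Both thresholds
    are assumptions to tune against your own sample set.
    """
    size = os.path.getsize(path)
    trailing = trailing_null_run_file(path)
    trailing_ratio = trailing / size if size else 0.0
    return {
        "size": size,
        "trailing_nulls": trailing,
        "trailing_ratio": trailing_ratio,
        "null_ratio": null_ratio_file(path),
        "padded": size >= min_size and trailing_ratio >= min_trailing_ratio,
    }


def demo() -> dict:
    """Write two constructed samples to a temp dir and assess both.

    'padded_sample' is a 34-byte fake header followed by 1 MiB of nulls;
    'clean_sample' is 1 MiB of non-null bytes. Neither is a real malware file.
    """
    header = b"MZ" + b"constructed-sample-not-real-code"  # constructed, 34 bytes
    with tempfile.TemporaryDirectory() as tmp:
        padded = os.path.join(tmp, "padded.bin")
        clean = os.path.join(tmp, "clean.bin")
        with open(padded, "wb") as fh:
            fh.write(header)
            fh.write(PAD_BYTE * (1 << 20))
        with open(clean, "wb") as fh:
            fh.write(bytes(range(1, 256)) * ((1 << 20) // 255 + 1))
        return {"padded_sample": assess_file(padded),
                "clean_sample": assess_file(clean)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Trailing-null length is a better signal than the overall ratio on its own, because legitimate executables also contain large zero-filled regions (section alignment, uninitialised data) spread through the file; what stands out in a padded loader is that nearly all of its size sits after the last byte of real content. In a triage pipeline, a hit from `assess_file` is a reason to strip the padding and rescan rather than to skip the file for being too large.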
Source: FortiGuard Labs