[MART] - Daily Diary #594 - OriginLogger, Agent Tesla's Successor

ctas-mat at appgate.com ctas-mat at appgate.com
Wed Sep 14 20:44:36 UTC 2022


I hope everyone is doing well!

Below is the entry for today.

09/14/2022 - Diary entry #594:

First covered in our Daily Diary #92, Agent Tesla is a .NET Remote Access Trojan that worked as a keylogger and information stealer. Offered as a Malware-as-a-Service, Agent Tesla shut down its business at the beginning of 2019 and recommended people switch over to a new keylogger, suggesting an Agent Tesla variant called OriginLogger. Since then, OriginLogger has been detected as AgentTesla version 3 by security products.

OriginLogger is active since August 29, 2018, when its first version was spotted being commercialized on websites shared on Telegram groups. Offered with 3-month or 6-months plans (for $60, $75 U.S. dollars respectively) and also a lifetime license of $90 (USD) - all of them sold using cryptocurrency or a P2P payment system.

With the same features as its predecessor, OriginLogger has the ability to log keystrokes, steal credentials from a myriad of installed services/programs, take screenshots, download additional payloads, and exfiltrate data via a web server, SMTP, or FTP.

Both Agent Tesla and OriginLogger samples are collected by our team’s automated processes, and we have been monitoring criminals using those malwares in their campaigns to exfiltrate data from victims all over the world. After infecting the victims, the threat actors start monitoring their activities, looking for sensitive data that can be leveraged by them. They also use an Email marketing software known as Gammadyne Mailer to massively spam their malware to other victims using stolen email credentials.

Besides the underlying potential OriginLogger and other Malware-as-a-service have, we believe that those campaigns have the dangerous capability of being used to sell initial access within organizations to other groups such as Ransomware operators, spammers, or even cyber-espionage groups.

Kind Regards,


[https://d3aafpijpsak2t.cloudfront.net/images/Signature/likedin@2x.png]<https://www.linkedin.com/company/appgate-security/>     [https://d3aafpijpsak2t.cloudfront.net/images/Signature/twitter@2x.png] <https://twitter.com/AppgateSecurity>   [https://d3aafpijpsak2t.cloudfront.net/images/Signature/youtube@2x.png] <https://www.youtube.com/channel/UC-8GvxcZbm-R3EJNl8jYjiQ>


Malware Analysis and Research Team

E: ctas-mat at appgate.com<mailto:ctas-mat at appgate.com>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/mart/attachments/20220914/b924b4c8/attachment.htm>

More information about the MART mailing list