
Palo Alto Networks Unit 42 has detailed the inner workings of a malware called OriginLogger, which has been touted as a successor to the widely used information stealer and remote access trojan (RAT) known as Agent Tesla.

A .NET-based keylogger and remote access trojan, Agent Tesla has had a long-standing presence in the threat landscape, allowing malicious actors to gain remote access to targeted systems and beacon sensitive information to an actor-controlled domain.

Known to be used in the wild since 2014, it’s advertised for sale on dark web forums and is generally distributed through malicious spam emails as an attachment.

In February 2021, cybersecurity firm Sophos disclosed two new variants of the commodity malware (versions 2 and 3) that featured capabilities to steal credentials from web browsers, email apps, and VPN clients, as well as to use the Telegram API for command-and-control.

Now, according to Unit 42 researcher Jeff White, what has been tagged as Agent Tesla version 3 is actually OriginLogger, which is said to have sprung up to fill the void left by Agent Tesla after its operators shut up shop on March 4, 2019, following legal troubles.

images from Hacker News