Unit 42 describes OriginLogger in a new report, detailing its emergence and connection with the Agent Tesla keylogger.
OriginLogger: the new Agent Tesla.
Palo Alto Networks Unit 42 has released a report detailing OriginLogger. On March 4, 2019, the well-known keylogger Agent Tesla shut down, but not without first recommending another keylogger, OriginLogger, in its Discord server: “If you want to see a powerful software like Agent Tesla, we would like to suggest you [sic] OriginLogger. OriginLogger is an AT-based software and has all the features.” OriginLogger is a variant of Agent Tesla and is sometimes tagged as “Agent Tesla version 3,” so existing detection tooling and signatures written for Agent Tesla should, in general, also flag OriginLogger samples.
Jeff White, author of the report and a researcher at Unit 42, says the functionality of the malware is “fairly standard” and mirrors that of other Agent Tesla variants. “Just as the threat actors’ advertisements state, the malware uses tried and true methods and includes the ability to keylog, steal credentials, take screenshots, download additional payloads, upload your data in a myriad of ways and attempt to avoid detection,” said White. “Commercial keyloggers have historically catered to less advanced attackers, but as illustrated in the initial lure document analyzed here, this does not make attackers any less capable of using multiple tools and services to obfuscate and make analysis more complicated. Commercial keyloggers should be treated with equal amounts of caution as would be used with any malware.”