CyberSecurity news

FlagThis

Source: unit42.paloaltonetworks.com
Unit 42 has documented a multi-stage malware campaign that delivers several commodity malware families, including Agent Tesla, Remcos RAT and XLoader. The attack chain branches into multiple execution paths, a design intended to evade detection, get past traditional sandboxes and ensure the final payload is still delivered and executed if one path is blocked. Attackers are increasingly relying on such layered delivery mechanisms to compromise systems.

The campaign, observed in December 2024, begins with phishing emails disguised as order release requests that entice recipients to open a malicious archive attachment. The archive contains a JScript Encoded (.JSE) script file, which starts the infection chain by downloading a PowerShell script from an external server and executing it. That PowerShell script then decodes and executes a Base64-encoded payload.

The attack then diverges into two possible execution paths. In one, a .NET executable decrypts an embedded payload, such as Agent Tesla or XLoader, and injects it into a running "RegAsm.exe" process. In the other, an AutoIt-compiled executable carrying an encrypted payload loads shellcode, which in turn injects a .NET file into a "RegSvcs.exe" process, leading to Agent Tesla deployment. This dual-path approach shows the attackers' focus on resilience and evasion: simple, stacked stages that complicate analysis and detection.



References :
  • Virus Bulletin: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware such as Agent Tesla variants, Remcos RAT or XLoader. The attack chain leverages multiple execution paths to evade detection and complicate analysis.
  • The Hacker News: Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
  • Anonymous: Palo Alto's Saqib Khanzada looks into a multi-layered campaign that delivers malware such as Agent Tesla variants, Remcos RAT or XLoader.
Classification:
  • HashTags: #MultiStageAttack #Malware #AgentTesla
  • Company: Microsoft
  • Target: Businesses
  • Product: Windows
  • Feature: Multi-Stage Attack
  • Malware: Agent Tesla
  • Type: Malware
  • Severity: Major