Agent Tesla, XLoader Delivered in Sneaky Multi-Stage Malware Campaign
A sophisticated new attack is using a clever series of steps to infect systems with dangerous malware, including variants of Agent Tesla, the Remcos RAT, and the XLoader infostealer.
A new, sneaky attack is making the rounds, dropping malware like Agent Tesla, Remcos RAT, and XLoader onto unsuspecting computers. It's a multi-stage affair designed to be difficult to detect.
According to Saqib Khanzada, a researcher at Palo Alto Networks Unit 42, "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution." You can read his full analysis here.
So, how does it work? It starts with a phishing email, disguised as a legitimate order request. This email contains a malicious 7-zip archive, which, in turn, hides a sneaky JavaScript file (.JSE).
These emails were spotted as recently as December 2024. They often claim a payment has been made and urge you to open the attached order file. Big mistake! Opening that JavaScript file kicks off the whole infection process. It acts as a downloader, grabbing a PowerShell script from a remote server.
That script is hiding a Base64-encoded payload. This payload gets decoded, written to your Windows temporary directory, and then executed. And here's where things get really interesting: this launches another dropper, which can be compiled using either .NET or AutoIt.
If it's a .NET executable, the encrypted payload (suspected to be a variant of Snake Keylogger or XLoader) is decoded and injected into a running "RegAsm.exe" process. This trick has been seen in previous Agent Tesla campaigns.
But wait, there's more! If the AutoIt compiled executable is used, it adds yet another layer to the mix. This executable contains an encrypted payload that loads the final shellcode, causing a .NET file to be injected into "RegSvcs.exe", which *finally* leads to the Agent Tesla deployment. Phew!
"This suggests that the attacker employs multiple execution paths to increase resilience and evade detection," Khanzada explained. "The attacker's focus remains on a multi-layered attack chain rather than sophisticated obfuscation." In other words, they're not using super-advanced techniques, just lots of layers.
"By stacking simple stages instead of focusing on highly sophisticated techniques, attackers can create resilient attack chains that complicate analysis and detection."
IronHusky Deploys Updated MysterySnail RAT
Separately, Kaspersky has uncovered a campaign targeting government organizations in Mongolia and Russia with a new version of a malware called MysterySnail RAT. The culprit? A Chinese-speaking group known as IronHusky.
IronHusky has been around since at least 2017. They were previously linked to the exploitation of a Windows zero-day vulnerability (CVE-2021-40449) to deliver MysterySnail.
The infections start with a malicious Microsoft Management Console (MMC) script disguised as a Word document from the National Land Agency of Mongolia. This script grabs a ZIP archive containing a lure document, a legitimate binary ("CiscoCollabHost.exe"), and a malicious DLL ("CiscoSparkLauncher.dll").
It's still unclear exactly how this MMC script is being distributed, but the fake document suggests a phishing campaign.
As we've seen before, "CiscoCollabHost.exe" is used to sideload the malicious DLL, which acts as an intermediary backdoor. This backdoor communicates with the attackers using the open-source piping-server project.
This backdoor can run command shells, download/upload files, list directory contents, delete files, create new processes, and even terminate itself. It's then used to load the MysterySnail RAT.
The latest version of MysterySnail can accept almost 40 commands, allowing it to manage files, execute commands, spawn and kill processes, manage services, and connect to network resources.
According to Kaspersky, the attackers even dropped a "repurposed and more lightweight version" of MysterySnail, called MysteryMonoSnail, after the affected companies took steps to block the initial intrusions.
"This version doesn't have as many capabilities as the version of MysterySnail RAT," the company noted. "It was programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch processes and remote shells."
