Keypoints
- Campaigns deliver compressed email attachments (.ZIP or .Z) containing an .EXE or .SRC loader; the loader hashes change from wave to wave.
- The initial loader alternates between 32-bit and 64-bit builds and decrypts its embedded resources with AES in earlier waves and Triple DES in the latest one.
- The decryption keys are hardcoded in the loader; CERT-AGID recovered them and used a CyberChef recipe to decrypt the first stage and extract the first DLL.
- The final loader is Costura (Costura.Fody), which carries the .NET payload as an embedded resource and loads it into memory at runtime; the payload itself is never written to disk.
- Execution is almost entirely in memory: the initial attachment is the only artifact written to disk, so scanning of persistent storage sees little of the chain.
- The campaigns reuse a command-and-control (C2) server that CERT-AGID had already identified several times since July 2023, so the C2 endpoint is more stable than the loaders.
- CERT-AGID published a downloadable IoC JSON with the indicators for detection and response.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – Delivery via compressed email attachments containing an .EXE or .SRC file (‘…attachment: a compressed file in .ZIP (or .Z) format that includes an executable .EXE file or a .SRC file…’)
- [T1204.002] User Execution: Malicious File – The chain starts only when the user opens the archive and runs the file inside it; that attachment is also the only artifact the campaign leaves on disk (‘…the only element of the campaign that is actually saved to the hard disk is the initial attachment…’)
- [T1027] Obfuscated Files or Information – The next-stage DLL is stored as an encrypted embedded resource (AES, then Triple DES in the latest wave) with the key hardcoded in the loader (‘…resources were decrypted using the AES algorithm… in the latest wave, Triple DES was used…’)
- [T1620] Reflective Code Loading – Costura loads the embedded .NET payload into the memory of the loader's own process; no other process is injected into, so T1055 Process Injection does not apply (‘…The final loader adopted by AgentTesla is Costura… used to load the payload into memory during execution…’)
- [T1071] Application Layer Protocol – Communication with a C2 server reused from earlier campaigns; the source does not state which protocol is used (‘…the command and control (C2) server involved has already been identified several times by CERT-AGID since July 2023…’)
- [T1140] Deobfuscate/Decode Files or Information – At runtime the loader decrypts its embedded resource to obtain the first DLL; the CyberChef recipe is the analysts' reproduction of that step, not attacker tooling, and nothing is downloaded, so T1105 Ingress Tool Transfer does not apply (‘…a CyberChef recipe was used to decrypt the initial phase and obtain the first DLL…’)
Indicators of Compromise
- [Domain C2] Reused C2 infrastructure – gator3220.hostgator.com (the hostname shown in the report's screenshots and analysis). Hosts named gatorNNNN.hostgator.com are HostGator shared-hosting servers that also serve legitimate customers, so alert on the exact host and block the indicators from the feed rather than the provider as a whole.
- [IoC Feed] Published IoC JSON – https://cert-agid.gov.it/wp-content/uploads/2024/04/agenttesla_08-04-2024.json (downloadable list of indicators)
- [File types] Malicious attachments – .ZIP or .Z archives containing an .EXE or .SRC file (initial delivery vector)
- [File hashes] Loader/payload hashes – they differ between waves; the specific values are in the IoC JSON above
Attack flow (technical procedure): Actors distribute .ZIP/.Z email attachments containing an .EXE or .SRC loader. When the user runs it, the initial loader (alternating between 32-bit and 64-bit builds) decrypts its embedded resources with a symmetric cipher: AES in earlier waves, Triple DES in the latest. The key is hardcoded in the binary, which is what makes the stage easy to unpack: CERT-AGID fed the recovered key and the encrypted resource to a CyberChef recipe and obtained the first DLL.
After decryption the chain hands off to a .NET final loader built with Costura, which carries the payload as an embedded resource and loads it into memory at runtime, so the payload never touches disk. Detection therefore has to look at the process rather than the filesystem: memory scanning, the CLR's assembly-load telemetry (ETW), AMSI scanning of in-memory assembly loads (performed by .NET Framework 4.8 and later), and attention to managed assemblies that have no backing file on disk.
Command and control uses a server already identified in earlier campaigns, so operators can keep managing victims while loaders and hashes change; CERT-AGID published a JSON feed with the observed IoCs for detection and blocking. Defenders should block the C2 host and IPs from the feed, enable memory scanning, and alert on the hallmarks of this chain: an archive-dropped executable that decrypts an embedded resource and then loads a Costura-embedded .NET assembly from memory.
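The unpacking steps described above (decrypt an embedded resource with the key hardcoded in the loader, confirm the result is a PE image, then look at how the next stage is loaded), as an added Go example that is not CERT-AGID's code or tooling. It assumes .NET's default CBC mode with PKCS#7 padding and a separately stored key and IV, which the write-up does not state; the keys, IVs and the fake DLL bytes are constructed for the example, and the Costura strings are the resource-name and type conventions of Costura.Fody, not indicators taken from the report.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"encoding/binary"
	"fmt"
)

// Candidate is one (algorithm, key, IV) triple recovered from a loader binary. Assumed here: key and IV
// stored separately, CBC mode, PKCS#7 padding (the .NET SymmetricAlgorithm defaults). Not real values.
type Candidate struct {
	Algo    string // "AES" (16/24/32-byte key, 16-byte IV) or "TripleDES" (24-byte key, 8-byte IV)
	Key, IV []byte
}

func newBlock(c Candidate) (cipher.Block, error) {
	if c.Algo == "AES" {
		return aes.NewCipher(c.Key)
	}
	return des.NewTripleDESCipher(c.Key) // anything other than "AES" is treated as Triple DES
}

// LooksLikePE separates a correct decryption from wrong-key garbage: "MZ" stub, e_lfanew at 0x3c, "PE\0\0".
func LooksLikePE(buf []byte) bool {
	if len(buf) < 0x40 || buf[0] != 'M' || buf[1] != 'Z' {
		return false
	}
	off := int(binary.LittleEndian.Uint32(buf[0x3c:0x40]))
	return off >= 0x40 && off+4 <= len(buf) && bytes.Equal(buf[off:off+4], []byte("PE\x00\x00"))
}

// CBCDecrypt undoes CBC + PKCS#7; a padding failure is the usual symptom of the wrong key or algorithm.
func CBCDecrypt(c Candidate, ct []byte) ([]byte, error) {
	block, err := newBlock(c)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(c.IV) != bs || len(ct) == 0 || len(ct)%bs != 0 {
		return nil, fmt.Errorf("%s: IV or ciphertext length does not match the block size", c.Algo)
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, c.IV).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > bs || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("%s: PKCS#7 padding check failed", c.Algo)
	}
	return pt[:len(pt)-n], nil
}

// RecoverEmbeddedDLL is the CyberChef recipe as a loop: try each recovered candidate and keep the
// one that yields a PE image, so the switch from AES to Triple DES needs no new recipe.
func RecoverEmbeddedDLL(ct []byte, cands []Candidate) (string, []byte, error) {
	for _, c := range cands {
		if pt, err := CBCDecrypt(c, ct); err == nil && LooksLikePE(pt) {
			return c.Algo, pt, nil
		}
	}
	return "", nil, fmt.Errorf("no candidate produced a PE image")
}

// CosturaMarkers flags Costura.Fody artefacts in a decrypted .NET image: "costura.<asm>.dll" resource
// names (".compressed" when deflated) and the generated Costura.AssemblyLoader type. Costura is a
// legitimate packaging tool, so a hit means "next stage is loaded from memory", not "malicious".
func CosturaMarkers(img []byte) (hits []string) {
	for _, m := range []string{"costura.", ".dll.compressed", "Costura.AssemblyLoader"} {
		if bytes.Contains(img, []byte(m)) {
			hits = append(hits, m)
		}
	}
	return hits
}

// CBCEncrypt builds the test fixture the way a loader author would have (CBC + PKCS#7).
func CBCEncrypt(c Candidate, pt []byte) []byte {
	block, _ := newBlock(c)
	n := block.BlockSize() - len(pt)%block.BlockSize()
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, c.IV).CryptBlocks(ct, padded)
	return ct
}

// FakeDLL is a constructed stand-in for the decrypted loader (DOS header with e_lfanew = 0x40,
// PE signature, Costura resource-name strings), not a real sample.
func FakeDLL() []byte {
	img := make([]byte, 0x40)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40)
	img = append(img, "PE\x00\x00"...)
	return append(img, "..costura.payload.dll.compressed..Costura.AssemblyLoader"...)
}

// Constructed keys and IVs standing in for the hardcoded values of the AES and Triple DES waves.
var (
	AESCand = Candidate{Algo: "AES", Key: bytes.Repeat([]byte{0x41}, 32), IV: bytes.Repeat([]byte{0x42}, 16)}
	DESCand = Candidate{Algo: "TripleDES", Key: []byte("0123456789abcdefghijklmn"), IV: []byte("ivivivi!")}
)

func main() { // the latest wave used Triple DES; the candidate list does not need to know that
	algo, dll, err := RecoverEmbeddedDLL(CBCEncrypt(DESCand, FakeDLL()), []Candidate{AESCand, DESCand})
	fmt.Println(algo, err, len(dll), CosturaMarkers(dll))
}
```

The decrypted image is what you would hand to a .NET decompiler; the marker check is a quick triage step before that, and it deliberately reports Costura as a packaging hint rather than a verdict, because plenty of benign software ships Costura-embedded assemblies.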