A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as “Cascading Shadows” to deliver various malware, including Agent Tesla, XLoader, and Remcos RAT.
The attackers’ strategy hinges on multiple, individually simple but strategically layered stages, which not only evade traditional sandbox environments but also complicate analysis by cybersecurity experts.
The Deceptive Prelude
The campaign begins with phishing emails disguised as official communications, typically claiming a new payment has been made.
These emails contain a compressed file named “doc00290320092.7z”, directing the victim to review an ‘order file’.

Once opened, the .7z file reveals a JavaScript encoded (.jse) file. This initial file acts as a downloader, fetching a PowerShell script from a remote server and initiating the infection chain.
Unraveling the Layers
The PowerShell script, devoid of heavy obfuscation, hosts a Base64-encoded payload which is decoded, saved to disk, and executed.
Interestingly, subsequent analysis has revealed that the payload varies: it is either a .NET executable or an AutoIt-compiled executable.
According to the report, this fork in the attack chain allows the malware to adapt, choosing between paths to increase infection success.
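As an added example (not code from the article or from Unit 42's report), the following Python script shows how an analyst could triage the PowerShell stage described above: it pulls the Base64 blob out of a FromBase64String call, hashes it so the result can be compared against the IoC tables, and uses two string heuristics to tell the two branches apart. The sample script and payload bytes are constructed; the AutoIt "AU3!EA06" marker and the .NET "BSJB" metadata signature are the assumed discriminators.

```python
import base64
import hashlib
import re

# Heuristic markers (assumptions for this example): compiled AutoIt scripts carry
# the "AU3!EA06" signature; .NET assemblies carry the "BSJB" CLR metadata header
# and import mscoree.dll. Good enough for triage, not a substitute for a PE parser.
AUTOIT_MARKER = b"AU3!EA06"
DOTNET_MARKERS = (b"BSJB", b"mscoree.dll")

# Constructed stand-in for the PowerShell stage: a Base64 blob handed to
# FromBase64String, written to disk and executed. The embedded bytes are
# synthetic (an "MZ" header plus the AutoIt marker), not a real sample.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 62 + AUTOIT_MARKER + b"\x00" * 32
SAMPLE_SCRIPT = (
    "$bytes = [System.Convert]::FromBase64String('"
    + base64.b64encode(SAMPLE_PAYLOAD).decode("ascii")
    + "')\n"
    "$path = \"$env:TEMP\\stage.exe\"\n"
    "[System.IO.File]::WriteAllBytes($path, $bytes)\n"
    "Start-Process $path\n"
)

# Matches the literal argument of FromBase64String(...), allowing line-wrapped blobs.
B64_CALL = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)", re.IGNORECASE
)


def extract_base64_payloads(script_text):
    """Return every decodable blob passed to FromBase64String in the script."""
    blobs = []
    for match in B64_CALL.finditer(script_text):
        raw = re.sub(r"\s+", "", match.group(1))
        try:
            blobs.append(base64.b64decode(raw, validate=True))
        except ValueError:  # binascii.Error is a ValueError: bad alphabet or padding
            continue
    return blobs


def classify_payload(data):
    """Sort a decoded blob into the article's two branches (or neither)."""
    if not data.startswith(b"MZ"):
        return "not-pe"
    if AUTOIT_MARKER in data:
        return "autoit"
    if any(marker in data for marker in DOTNET_MARKERS):
        return "dotnet"
    return "native-pe"


def triage(script_text):
    """Extract, hash and classify each embedded payload for IoC comparison."""
    results = []
    for blob in extract_base64_payloads(script_text):
        results.append({
            "sha256": hashlib.sha256(blob).hexdigest(),
            "size": len(blob),
            "kind": classify_payload(blob),
        })
    return results


if __name__ == "__main__":
    for result in triage(SAMPLE_SCRIPT):
        print(result)
```

The SHA-256 values produced by `triage` are what you would look up in the hash tables at the end of the article; the `kind` field tells you which of the two downstream analysis paths (RegAsm.exe injection via .NET, or shellcode via AutoIt) to expect next.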
The .NET executable decrypts the payload, either with AES or Triple DES, before injecting it into a running RegAsm.exe process.
Similarities found in multiple .NET samples from this campaign indicate a deliberate design to inject different malware families, like Agent Tesla or XLoader, into running processes, leveraging the same underlying infection method.
On the alternative path, AutoIt executables introduce an additional layer of complexity.
They contain encrypted payloads that load shellcode, which, once decrypted, injects the final malware into a RegSvcs process.
The AutoIt script also runs malicious code through DLLCALLADDRESS references, which further complicates analysis.
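Both branches leave the same shape on an endpoint: a script host running the .jse file, PowerShell spawning a dropped executable, and RegAsm.exe or RegSvcs.exe started under a parent that is not a developer or installer tool. The following Python detection logic is an added example, not anything from the article or the report. It walks constructed process-creation events (the JSON field names are an assumption, not a vendor schema) and raises an alert for that chain; the list of expected benign parents is a placeholder to tune per environment.

```python
import json

# Constructed process-creation events in JSON-lines form. Field names
# (pid, ppid, image, cmdline) are an assumption for this example.
SAMPLE_EVENTS = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\wscript.exe", "cmdline": "wscript.exe C:\\Users\\u\\Downloads\\doc00290320092.jse"}
{"pid": 300, "ppid": 200, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmdline": "powershell.exe -File stage.ps1"}
{"pid": 400, "ppid": 300, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\dropper.exe", "cmdline": "dropper.exe"}
{"pid": 500, "ppid": 400, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegSvcs.exe", "cmdline": "RegSvcs.exe"}
{"pid": 600, "ppid": 1,   "image": "C:\\Program Files\\Microsoft Visual Studio\\devenv.exe", "cmdline": "devenv.exe"}
{"pid": 700, "ppid": 600, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "cmdline": "RegAsm.exe /codebase lib.dll"}
{"pid": 800, "ppid": 100, "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "cmdline": "RegAsm.exe"}
"""

# The .NET utilities the article names as injection targets.
INJECTION_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Windows script hosts that execute .jse files.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Parents under which RegAsm/RegSvcs are normally launched (placeholder; tune per environment).
EXPECTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}


def parse_events(text):
    """Parse JSON-lines process events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(procs, pid):
    """Events from pid up to the root, self first; guards against ppid cycles."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid]["ppid"]
    return chain


def detect(events):
    """Alert on RegAsm/RegSvcs launched outside expected parents; escalate when
    the ancestry shows the .jse -> PowerShell -> dropped EXE chain."""
    procs = {e["pid"]: e for e in events}
    alerts = []
    for event in events:
        if basename(event["image"]) not in INJECTION_HOSTS:
            continue
        chain = ancestry(procs, event["pid"])
        names = [basename(p["image"]) for p in chain]
        parent = names[1] if len(names) > 1 else None
        if parent in EXPECTED_PARENTS:
            continue
        rule = "unexpected_parent_of_dotnet_utility"
        ran_jse = any(
            basename(p["image"]) in SCRIPT_HOSTS and ".jse" in p["cmdline"].lower()
            for p in chain
        )
        if ran_jse and "powershell.exe" in names:
            rule = "jse_powershell_injection_chain"
        alerts.append({
            "rule": rule,
            "pid": event["pid"],
            "chain": " -> ".join(reversed(names)),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The lower-severity rule fires on its own whenever one of the two utilities has an unusual parent, which catches the case where the script-host and PowerShell stages were not logged; the higher-severity rule needs the full ancestry, so retention of process-creation telemetry for the whole chain matters more than any single signature.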
Despite the attackers’ intricate strategies, security solutions like Advanced WildFire can detect each stage of the Cascading Shadows attack chain.

Palo Alto Networks’ Advanced URL Filtering, Advanced DNS Security, and Cortex XDR with XSIAM provide layered defenses against these threats.
For organizations potentially compromised, immediate contact with Unit 42 Incident Response is recommended.
This attack chain highlights a continuing trend in cyber threats, where attackers rely on complexity and variety rather than sophisticated obfuscation to evade detection.
The analyzed techniques offer crucial insights for enhancing threat hunting capabilities, particularly in dealing with AutoIt-based malware and debugging shellcode.
This analysis underscores the perpetual cat-and-mouse game between cyber defenders and attackers, showcasing the need for constant vigilance and advanced detection capabilities.
Indicators of Compromise
AutoIt Infection Chain 1
| SHA-256 Hash | Description |
|---|---|
| 00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5 | doc00290320092.7z |
| f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd | doc00290320092.jse |
| d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2 | files.catbox[.]moe/rv94w8[.]ps1 |
| 550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8 | AutoIt compiled EXE (Agent Tesla variant) |
AutoIt Infection Chain 2
| SHA-256 Hash | Description |
|---|---|
| 61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49 | doc00290320092.7z |
| 7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25 | doc00290320092.jse |
| 8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994 | files.catbox[.]moe/gj7umd[.]ps1 |
| c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2 | AutoIt compiled EXE (Agent Tesla variant) |
Agent Tesla (Variant) Configuration
| Field | Value |
|---|---|
| FTP Server | ftp[:]//ftp.jeepcommerce[.]rs |
| FTP Username | kel-bin@jeepcommerce[.]rs |
| FTP Password | Jhrn)GcpiYQ7 |