Security researchers at Palo Alto Networks have identified and analyzed an ongoing wave of malspam campaigns employing Agent Tesla, a notorious information-stealing Trojan, as the final payload in a complex, multi-stage attack chain.
In their recent report, the team details how these attacks leverage a combination of social engineering and scripting techniques to bypass traditional defenses and deliver their malicious payload seamlessly.
Email-Borne Threat Delivers Multi-Stage Payloads
According to the research, threat actors initiate the attack with a socially engineered email that entices recipients to download and open an attached archive file.
This archive contains an obfuscated JavaScript file, designed specifically to evade email filters and endpoint security tools.
When executed, the JavaScript triggers the infection chain by launching a download of a secondary payload, typically delivered in the form of a PowerShell script.
The PowerShell script, in turn, executes a sophisticated drop-and-load routine.
It retrieves and launches one or more executable payloads, ultimately loading the Agent Tesla malware directly into memory.
This in-memory execution technique is coupled with process injection, where the malicious code is embedded into legitimate system processes, helping it avoid detection by security software and complicating forensic analysis.
Security Solutions Respond to Evolving Tactics
Industry defenders have responded to these evolving attack methods with adaptive, behavior-based, and file-based protections.
Symantec, for instance, identifies the related threats with a range of proprietary detection signatures, including ACM.Ps-CPE!g2, ACM.Ps-Wscr!g1, and ACM.Wscr-CNPE!g1, amongst others.
Behavior-based layers such as SONAR.SuspLaunch!g532 and SONAR.SuspOpen!gen11 are designed to detect the malicious behaviors exhibited by scripts and executables during execution, rather than relying solely on static file analysis.
Further bolstering defenses, VMware Carbon Black detects and blocks associated malicious indicators through cloud-based reputation and execution delay policies.
Security experts recommend configuring policies to block all forms of malware, including known threats, suspicious files, and potentially unwanted programs.
Additionally, delaying execution for cloud scanning allows for more thorough analysis and higher detection rates.
From a file-based perspective, threats are further identified under classifications such as ISB.Downloader!gen60, ISB.Dropper!gen1, and Trojan.Gen.2, among others.
These signatures help detect executable components and scripts at various stages of the infection chain.
The dynamic infection process also involves suspicious network activity, such as scripting host processes making outbound connections and potentially malicious processes accessing sites with Let's Encrypt-issued certificates.
Security products increasingly audit for these anomalies to flag and block malicious communication attempts.
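The two behaviours the article singles out, a scripting host launching PowerShell and a script process opening an outbound connection, can be expressed as simple detection rules. The following is an added illustration, not code from Palo Alto Networks or any vendor named here; the event shapes loosely mirror Sysmon process-create and network-connect records, and every sample event is constructed.

```python
"""Toy detection pass over constructed Sysmon-style events (added example, not vendor code).

Flags two behaviours from the infection chain described above:
  1. a Windows scripting host (wscript/cscript) spawning powershell.exe
  2. a scripting host or PowerShell process opening an outbound network connection
"""
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
NET_WATCHLIST = SCRIPT_HOSTS | {"powershell.exe"}

# Constructed telemetry: a benign logon chain, then archive -> JS -> PowerShell -> outbound.
# "id" mimics Sysmon Event ID 1 (ProcessCreate) and 3 (NetworkConnect); addresses are documentation ranges.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": "C:\\Windows\\explorer.exe", "parent": "C:\\Windows\\System32\\userinit.exe"},
    {"id": "1", "image": "C:\\Windows\\System32\\wscript.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"id": "1", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "C:\\Windows\\System32\\wscript.exe"},
    {"id": "3", "image": "C:\\Windows\\System32\\wscript.exe", "dest": "203.0.113.10", "port": "443"},
    {"id": "3", "image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "dest": "203.0.113.20", "port": "443"},
]


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict[str, str]]) -> List[str]:
    """Return one alert string per matching event, in input order."""
    alerts: List[str] = []
    for ev in events:
        image = basename(ev["image"])
        if ev["id"] == "1" and image == "powershell.exe" and basename(ev["parent"]) in SCRIPT_HOSTS:
            alerts.append(f"script-host-spawns-powershell: {basename(ev['parent'])} -> {image}")
        elif ev["id"] == "3" and image in NET_WATCHLIST:
            alerts.append(f"script-process-outbound: {image} -> {ev['dest']}:{ev['port']}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment these rules would sit beside, not replace, the vendor signatures listed above, and the outbound rule needs tuning for environments where administrators legitimately run PowerShell with network access.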
On the web filtering front, observed malicious domains and IPs are proactively categorized and blocked by solutions like WebPulse, minimizing the risk of end-user exposure.
According to the report, the use of fileless execution, multi-stage scripting, and injection into legitimate processes represents a growing trend among cybercriminals seeking to evade detection and maximize payload delivery success.
With Agent Tesla's flexibility as a final payload, capable of stealing credentials, logging keystrokes, and facilitating further compromises, malspam campaigns of this sophistication are expected to remain a persistent threat in the modern security landscape.
Security vendors continue to enhance signature-based and behavior-based detection, but ongoing vigilance and multilayered defense strategies remain essential for organizations hoping to stay ahead of adversaries.
As attackers refine their techniques, defenders are urged to maintain up-to-date endpoint protection, ensure comprehensive network and web filtering, and educate users on the risks of unexpected email attachments.
The battle between attackers and defenders continues, with campaigns like this underscoring the need for constant adaptation and awareness.