Cascading Shadows: Threat Actors Use Stealthy Attack Chain to Bypass Detection and Thwart Analysis

Cybersecurity researchers uncovered a sophisticated attack chain employed by threat actors to distribute infostealers such as Agent Tesla, Remcos RAT, and XLoader.

This campaign relies on a multi-stage delivery mechanism that deliberately favors simplicity over obfuscation at each step, which helps it evade both detection and post-infection analysis.

The attackers harness multiple execution paths and dynamically switch payload deployment methods, significantly increasing the resilience and stealth of their campaigns against traditional security controls.

Analysis of the Attack Vector: From Deceptive Email to Process Injection

The attack originates with a phishing email masquerading as an authentic order release request, using tailored social engineering lures to entice victims to open a malicious archive file.

The attachment, commonly named in the “docxxxx.7z” pattern, contains a .jse (JavaScript Encoded) file disguised as a legitimate document.

Upon execution, the .jse file operates as an initial downloader, fetching and launching a PowerShell script from a remote server.

[Figure: Attack chain used for this campaign.]

The PowerShell payload, itself Base64-encoded, drops the next-stage dropper into a temporary directory, then decodes and executes it.

This stage is a pivot point: analysis reveals that the attackers alternate between two dropper architectures, a .NET compiled executable or an AutoIt compiled executable, which further complicates both static and dynamic detection.

.NET and AutoIt Execution Divergence

In instances where the .NET dropper is employed, the payload, encrypted with AES or Triple DES, is decrypted at runtime and then injected into a legitimate system process, typically RegAsm.exe.

According to the Unit 42 report, this injection not only evades common endpoint protection mechanisms but also facilitates the deployment of various malware families, such as Agent Tesla and XLoader.

Alternatively, the use of an AutoIt compiled executable introduces another layer of complexity.

The AutoIt script harbored within is responsible for decrypting and loading shellcode into memory.

[Figure: AutoIt script extracted by WildFire.]

This shellcode subsequently injects a .NET assembly into the RegSvcs.exe process, ultimately unpacking and executing a .NET Reactor-protected Agent Tesla variant.

Technical dissection with analysis tools such as dnSpy and IDA Pro reveals that both the .NET and AutoIt paths employ process injection, memory-only persistence, and dynamic API resolution, the hallmarks of modern evasive malware.

Despite the layered architecture, advanced threat analysis engines such as Palo Alto Networks’ WildFire demonstrate strong efficacy in detecting each stage of the attack chain.

Machine learning and behavioral analysis, as provided by Cortex XDR and related products, are critical in identifying and blocking both known and unknown malware variants, credential theft attempts, and post-exploitation activities.

The campaign exemplifies the shift toward modular, multi-path attack delivery, challenging automated and manual analysis workflows.

Security teams are advised to monitor for these techniques, ensure layered defense strategies, and update detection logic to include indicators stemming from both .NET and AutoIt malware variants.
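The chain described above leaves a recognizable sequence in endpoint telemetry: a script host running a .jse file, PowerShell launched by that script host or with an encoded command, a file written to a Temp directory by PowerShell, and finally RegAsm.exe or RegSvcs.exe started by an unexpected parent or targeted by a remote thread. The following detector is an added example written for this article; it is not code from the original page or from Unit 42. It correlates Sysmon-style events per host, but the event dictionary layout, the field names and every sample event are constructed assumptions, not a real product's schema.

```python
"""Per-host stage correlation for the .jse -> PowerShell -> dropper -> RegAsm/RegSvcs chain.

Added example, not from the original article or from Unit 42. Events are
Sysmon-like dicts (event_id 1 = process create, 11 = file create,
8 = CreateRemoteThread); the field names and all sample events below are
constructed for illustration.
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}
# Parents under which RegAsm/RegSvcs are normally seen (assumed baseline; tune per environment).
EXPECTED_PARENTS = {"msbuild.exe", "devenv.exe", "services.exe", "msiexec.exe"}
# Common abbreviations of PowerShell's -EncodedCommand switch (not an exhaustive list).
ENC_FLAG = re.compile(r"(?i)(^|\s)-(e|ec|en|enc|encodedcommand)\b")
JSE_ARG = re.compile(r"(?i)\.jse\b")
TEMP_DIR = re.compile(r"(?i)\\appdata\\local\\temp\\|\\windows\\temp\\")


def basename(path):
    """Lower-cased file name from a Windows path (tolerates forward slashes and empty input)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return the chain stage this single event matches, or None."""
    eid = ev["event_id"]
    image = basename(ev.get("image", ""))
    parent = basename(ev.get("parent_image", ""))
    cmd = ev.get("command_line", "")
    if eid == 1:  # process creation
        if image in SCRIPT_HOSTS and JSE_ARG.search(cmd):
            return "stage1_script_host_runs_jse"
        if image == "powershell.exe" and (parent in SCRIPT_HOSTS or ENC_FLAG.search(cmd)):
            return "stage2_powershell_from_script_host_or_encoded"
        if image in INJECTION_TARGETS and parent not in EXPECTED_PARENTS:
            return "stage4_injection_target_with_unexpected_parent"
    elif eid == 11:  # file creation: PowerShell dropping an executable into Temp
        target = ev.get("target_filename", "")
        if image == "powershell.exe" and TEMP_DIR.search(target) and target.lower().endswith((".exe", ".dll")):
            return "stage3_powershell_writes_temp_executable"
    elif eid == 8:  # CreateRemoteThread into the injection target
        if basename(ev.get("target_image", "")) in INJECTION_TARGETS:
            return "stage4_remote_thread_into_injection_target"
    return None


def correlate(events):
    """Map host -> set of distinct chain stages observed on that host."""
    per_host = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            per_host[ev["host"]].add(stage)
    return dict(per_host)


def alerts(events, min_stages=3):
    """Hosts showing at least min_stages distinct stages, one of which is an injection stage."""
    return sorted(host for host, stages in correlate(events).items()
                  if len(stages) >= min_stages and any(s.startswith("stage4") for s in stages))


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 only an admin's
# encoded PowerShell, WS-03 a legitimate RegSvcs.exe launched by MSBuild.
SAMPLE_EVENTS = [
    {"host": "WS-01", "event_id": 1, "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe",
     "command_line": r'wscript.exe "C:\Users\u\AppData\Local\Temp\7zO1\doc4521.jse"'},
    {"host": "WS-01", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"host": "WS-01", "event_id": 11, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_filename": r"C:\Users\u\AppData\Local\Temp\dropper.exe"},
    {"host": "WS-01", "event_id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "parent_image": r"C:\Users\u\AppData\Local\Temp\dropper.exe", "command_line": "RegAsm.exe"},
    {"host": "WS-01", "event_id": 8, "image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"host": "WS-02", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -EncodedCommand ZwBlAHQALQBwAHIAbwBjAGUAcwBzAA=="},
    {"host": "WS-03", "event_id": 1, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "command_line": "RegSvcs.exe"},
]

if __name__ == "__main__":
    for host, stages in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, sorted(stages))
    print("alerting hosts:", alerts(SAMPLE_EVENTS))
```

The single-event rules are deliberately loose (an encoded PowerShell command alone is common in administration), and the alert only fires when several stages and an injection indicator coincide on one host; that mirrors the advice above to key detection on the sequence rather than on any one step, and the same correlation applies whether the dropper took the .NET path (RegAsm.exe) or the AutoIt path (RegSvcs.exe).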

This campaign signals a persistent evolution in adversarial tactics, underscoring the need for robust, adaptive defense-in-depth strategies and continuous intelligence sharing across the cybersecurity community.

Indicators of Compromise (IoCs)

Indicator Type | Sample Value | Description
SHA256 (Archive) | 00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5 | Malicious .7z archive (Infection Chain 1)
SHA256 (JSE File) | f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd | Malicious .jse downloader (Chain 1)
SHA256 (PowerShell) | d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2 | PowerShell script (Chain 1)
SHA256 (AutoIt) | 550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8 | AutoIt dropper (Agent Tesla, Chain 1)
SHA256 (Archive) | 61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49 | Malicious .7z archive (Infection Chain 2)
SHA256 (JSE File) | 7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25 | Malicious .jse downloader (Chain 2)
SHA256 (PowerShell) | 8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994 | PowerShell script (Chain 2)
SHA256 (AutoIt) | c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2 | AutoIt dropper (Agent Tesla, Chain 2)
C2 Domain/URL | ftp[:]//ftp.jeepcommerce[.]rs | Agent Tesla C2 FTP server
FTP Credentials | kel-bin@jeepcommerce[.]rs / Jhrn)GcpiYQ7 | Agent Tesla exfiltration credentials

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.