Beware of New Fileless Malware that Propagates Through Spam Mail

Recent reports suggest threat actors have used phishing emails to distribute fileless malware. The attachment consists of a .hta (HTML Application) file, which can be used for deploying other malware like AgentTesla, Remcos, and LimeRAT.

This fileless malware is a Portable Executable (PE) format, which gets executed without creating the file on the victim’s system. The phishing email has the body context stating a bank transfer notice. In addition to the email, the email has an attachment with an ISO image embedded with a .hta script file. This file runs using the mshta.exe (Microsoft HTML Application).

Fileless Malware Via Spam Mail

As per reports shared with Cyber Security News, when the victims execute this ISO file, the embedded .hta file gets executed, which creates a process tree that consists of mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe processes in order. 

ISO file embedded with .hta file (Source: AhnLab)

The mshta.exe process executes a Powershell command. The command consists of arguments to request a base64 encoded string type data from the server (DownloadString), which loads the CurrentDomain.Load data to call a function. However, there is no binary created into a PE file, but instead, the binary gets executed in the memory area of Powershell.

Payload download and memory download Source: AhnLab

Furthermore, the Powershell script also executes a DLL file decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into the RegAsm.exe (Assembly Registration Tool). This final binary could be any malware like Remcos, AgentTesla, or LimeRAT.

Base64 encoded DLL

A complete report has been published by AhnLab, which provides detailed information about the malware, PE file, DLL file, and others.

Indicator of Compromise

Behavior Detection
Connection/EDR.Behavior.M2650
Execution/MDP.Powershell.M10668
File Detection
Downloader/Script.Generic
Trojan/Win.Generic.R526355
URL & C2
hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt
MD5
43e75fb2283765ebacf10135f598e98c (.hta)
540d3bc5982322843934504ad584f370 (.dll)

Keep informed about the latest Cyber Security News by following us on Google News, Linkedin, Twitter, and Facebook.

Guru Baran
https://cybersecuritynews.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.