Recent reports suggest threat actors have used phishing emails to distribute fileless malware. The attachment consists of a .hta (HTML Application) file, which can be used for deploying other malware like AgentTesla, Remcos, and LimeRAT.
This fileless malware is a Portable Executable (PE) format, which gets executed without creating the file on the victim’s system. The phishing email has the body context stating a bank transfer notice. In addition to the email, the email has an attachment with an ISO image embedded with a .hta script file. This file runs using the mshta.exe (Microsoft HTML Application).
Fileless Malware Via Spam Mail
As per reports shared with Cyber Security News, when the victims execute this ISO file, the embedded .hta file gets executed, which creates a process tree that consists of mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe processes in order.
The mshta.exe process executes a Powershell command. The command consists of arguments to request a base64 encoded string type data from the server (DownloadString), which loads the CurrentDomain.Load data to call a function. However, there is no binary created into a PE file, but instead, the binary gets executed in the memory area of Powershell.
Furthermore, the Powershell script also executes a DLL file decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into the RegAsm.exe (Assembly Registration Tool). This final binary could be any malware like Remcos, AgentTesla, or LimeRAT.
A complete report has been published by AhnLab, which provides detailed information about the malware, PE file, DLL file, and others.
Indicator of Compromise
URL & C2