Full Report
A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The
Analysis Summary
This summary focuses on the multi-stage phishing campaign detailed in the first part of the article, as the second part describes a separate campaign involving different malware and actors.
# Tool/Technique: Multi-Stage Delivery Chain (JSE, PowerShell, .NET/AutoIt Droppers)
## Overview
A complex, multi-stage attack chain observed in a phishing campaign designed to evade detection and deliver secondary stage stealers/RATs, specifically Agent Tesla variants, Remcos RAT, and XLoader. The chain relies on successively simpler stages rather than high-level obfuscation, increasing resilience.
## Technical Details
- Type: Attack Chain / Delivery Mechanism (Involves multiple components)
- Platform: Windows
- Capabilities: Multi-layered execution, process injection into legitimate Windows processes, utilization of script interpreters (JSE, PowerShell).
- First Seen: Observed in December 2024.
## MITRE ATT&CK Mapping
- T1566 - Phishing
- T1566.001 - Spearphishing Attachment
- T1059 - Command and Scripting Interpreter
- T1059.003 - Windows Command Shell (via PowerShell)
- T1027 - Obfuscated Files or Information
- T1027.002 - Software Packing (Implicit in secondary stages)
- T1055 - Process Injection
- T1055.012 - Process Injection: Portable Executable Injection (Implied by decoding and injection)
## Functionality
### Core Capabilities
- Initial delivery via deceptive email containing a malicious 7-zip archive.
- Attachment contains a JavaScript encoded (.JSE) file.
- JSE file acts as a downloader, executing a PowerShell script.
- PowerShell script downloads, decodes (Base64), and executes a next-stage dropper from an external server.
### Advanced Features
- **Multi-Path Execution:** The dropper is compiled using either .NET or AutoIt, providing multiple execution pathways.
- **Process Injection (.NET Path):** The embedded Agent Tesla/XLoader payload is decoded and injected into a running `RegAsm.exe` process.
- **Process Injection (AutoIt Path):** The AutoIt script loads shellcode which then causes a .NET file to be injected into a `RegSvcs.exe` process, leading to Agent Tesla deployment.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: Malicious 7-zip archive attachment, JavaScript encoded (.JSE) file.
- Registry Keys: [Not provided in the text]
- Network Indicators: External server hosting the PowerShell script and the final payload. (Defanged: External Server delivering stage 2 components)
- Behavioral Indicators: Execution of JSE, PowerShell script launching from unexpected sources, process injection into `RegAsm.exe` or `RegSvcs.exe`.
## Associated Threat Actors
- Actors using Agent Tesla variants, Remcos RAT, and XLoader in this specific multi-stage pattern. (No specific named APT group was linked to this delivery chain in the context provided, separate from the IronHusky mention later).
## Detection Methods
- Signature-based detection: Signatures for the known malware families (Agent Tesla, Remcos, XLoader).
- Behavioral detection: Monitoring the sequence of JSE execution -> PowerShell activity -> writing files to %TEMP% -> process injection targeting administrative binaries like `RegAsm.exe` or `RegSvcs.exe`.
- YARA rules: [Not available in the text]
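The behavioral sequence above can be expressed as a small stateful rule over endpoint process telemetry. The following is an added example, not code from the article or from Unit 42: it tracks each process's lineage, inherits the stages an ancestor reached (a `.jse` run by a script host, a PowerShell child of it, a file dropped into a temp directory), and raises a finding when a process on that lineage injects into `RegAsm.exe` or `RegSvcs.exe`. The event format, the field names and the sample events are constructed for the example; the stage logic generalizes the chain described in the report to any script host and either injection target.

```python
"""Detect the JSE -> PowerShell -> temp-file drop -> RegAsm/RegSvcs injection chain
over a stream of (constructed, Sysmon-like) endpoint events."""
from dataclasses import dataclass, field

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # interpreters that run .jse files
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}      # injection targets named in the report
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


@dataclass
class Event:
    kind: str            # "process_create" | "file_create" | "remote_thread"
    pid: int             # process the event belongs to (source pid for remote_thread)
    ppid: int = 0
    image: str = ""      # full path of the created process
    cmdline: str = ""
    target: str = ""     # file path written, or image of the process injected into


@dataclass
class Proc:
    image: str
    ppid: int
    stages: set = field(default_factory=set)   # chain stages reached by this lineage


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_temp_path(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def detect_chain(events):
    """Return one finding per injection that sits on a JSE -> PowerShell lineage.

    Confidence is "high" when a temp-directory drop was also observed on the
    lineage, "medium" when only the script-host -> PowerShell ancestry matched.
    """
    procs: dict[int, Proc] = {}
    findings = []
    for ev in events:
        if ev.kind == "process_create":
            parent = procs.get(ev.ppid)
            stages = set(parent.stages) if parent else set()   # inherit ancestor stages
            img = basename(ev.image)
            if img in SCRIPT_HOSTS and ".jse" in ev.cmdline.lower():
                stages.add("jse")
            if img == "powershell.exe" and "jse" in stages:
                stages.add("powershell")
            procs[ev.pid] = Proc(img, ev.ppid, stages)
        elif ev.kind == "file_create":
            proc = procs.get(ev.pid)
            if proc and "powershell" in proc.stages and is_temp_path(ev.target):
                proc.stages.add("temp_drop")
        elif ev.kind == "remote_thread":
            proc = procs.get(ev.pid)
            if (proc and basename(ev.target) in INJECTION_TARGETS
                    and {"jse", "powershell"} <= proc.stages):
                confidence = "high" if "temp_drop" in proc.stages else "medium"
                findings.append({
                    "pid": ev.pid,
                    "image": proc.image,
                    "target": basename(ev.target),
                    "stages": sorted(proc.stages | {"injection"}),
                    "confidence": confidence,
                })
    return findings


# Constructed sample telemetry: one malicious chain plus two benign look-alikes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
SAMPLE_EVENTS = [
    Event("process_create", 50, 1, r"C:\Windows\explorer.exe"),
    # user opens the .jse extracted from the archive attachment
    Event("process_create", 200, 50, r"C:\Windows\System32\wscript.exe",
          cmdline=r'wscript.exe "C:\Users\alice\Downloads\order_4471\order.jse"'),
    Event("process_create", 300, 200, PS, cmdline="powershell -w hidden -ep bypass -c ..."),
    Event("file_create", 300, target=r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"),
    Event("process_create", 400, 300, r"C:\Users\alice\AppData\Local\Temp\svc_update.exe"),
    Event("remote_thread", 400, target=REGASM),
    # benign: a build tool legitimately launching RegAsm.exe (no injection, no script ancestry)
    Event("process_create", 500, 50, r"C:\Program Files\Microsoft Visual Studio\MSBuild.exe"),
    Event("process_create", 510, 500, REGASM, cmdline="RegAsm.exe lib.dll"),
    # benign: an interactive PowerShell session writing to Temp
    Event("process_create", 600, 50, PS, cmdline="powershell.exe"),
    Event("file_create", 600, target=r"C:\Users\alice\AppData\Local\Temp\report.txt"),
]

if __name__ == "__main__":
    for finding in detect_chain(SAMPLE_EVENTS):
        print(finding)
```

Only the process on the script-host lineage produces a finding; the benign `RegAsm.exe` launch and the interactive PowerShell session do not, because neither carries the `jse` stage. In a real deployment the lineage state would be keyed by process GUID rather than pid, since pids are reused.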
## Mitigation Strategies
- Email filtering and user training regarding deceptive order request attachments.
- Application Control/Whitelisting to restrict execution from %TEMP% directory.
- Monitoring for unusual process relationships, specifically those involving process injection into `RegAsm.exe` or `RegSvcs.exe`.
## Related Tools/Techniques
- Agent Tesla (Information Stealer)
- Remcos RAT
- XLoader
- Snake Keylogger (Suspected payload)
***
# Tool/Technique: MysterySnail RAT (New Version)
## Overview
A new version of the MysterySnail Remote Access Trojan (RAT) being deployed by the Chinese-speaking threat actor IronHusky, primarily targeting government organizations in Mongolia and Russia. This version exhibits strong file management and command execution capabilities.
## Technical Details
- Type: Malware (RAT)
- Platform: Windows (implied by the DLL sideloading and MMC script artifacts)
- Capabilities: Command execution (`cmd.exe`), file management, service management, capability to connect to network resources via dedicated DLL modules.
- First Seen: The new version was documented in the IronHusky activity covered by the article; MysterySnail itself was previously documented in 2021.
## MITRE ATT&CK Mapping
- T1219 - Remote Access Software (RAT functionality)
- T1053 - Scheduled Task/Job
- T1053.005 - Service Execution
- T1071 - Application Layer Protocol
- T1071.001 - Web Protocols (Communication via piping-server)
- T1588 - Obtain Capabilities
- T1588.002 - Tool (Utilizing open-source 'piping-server')
## Functionality
### Core Capabilities
- Accepting nearly 40 commands for system manipulation.
- Executing commands via `cmd.exe`.
- File operations (download, upload, deletion).
- Process and service management (spawning/killing processes, managing services).
### Advanced Features
- **DLL Sideloading via Legitimate Binary:** Utilizes a legitimate binary (`CiscoCollabHost.exe`) to load a malicious DLL (`CiscoSparkLauncher.dll`).
- **C2 Communication via Open Source Project:** The intermediary backdoor utilizes the open-source `piping-server` project for C2 communication.
- **Lightweight Variant (MysteryMonoSnail):** A reduced version (13 basic commands) was observed deployed after initial access was blocked.
## Indicators of Compromise
- File Hashes: [Not provided in the text]
- File Names: `CiscoCollabHost.exe` (legitimate binary used for sideloading), `CiscoSparkLauncher.dll` (malicious DLL).
- Registry Keys: [Not provided in the text]
- Network Indicators: Communication endpoint utilizing the `piping-server` infrastructure. (Defanged: piping-server based infrastructure)
- Behavioral Indicators: Execution chain originating from a malicious MMC script, loading a DLL via `CiscoCollabHost.exe` sideloading functionality.
## Associated Threat Actors
- IronHusky (Chinese-speaking threat actor)
## Detection Methods
- Signature-based detection: Signatures for MysterySnail RAT (new and MysteryMonoSnail variants).
- Behavioral detection: Monitoring DLL sideloading attempts involving `CiscoCollabHost.exe` and detection of custom C2 traffic utilizing the `piping-server` protocol.
- YARA rules: [Not available in the text]
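The sideloading indicator above (a legitimate `CiscoCollabHost.exe` loading a malicious `CiscoSparkLauncher.dll`) can be turned into a scoring rule over image-load telemetry. The following is an added example, not code from the article or from Kaspersky: it watches for the host/DLL pair named in the report and raises reasons when the DLL fails its signature check, when the host runs from a user-writable directory, or when the host was started by a script or console host such as `mmc.exe` (the report says the chain originates from a malicious MMC script). The event fields, the "user-writable" path list and the sample events are constructed assumptions, not artifacts from the article.

```python
"""Score image-load events for DLL sideloading by a known-abused host binary.
Telemetry shape (constructed): host image path, loaded DLL path, parent image,
and the result of an Authenticode check on the DLL (assumed available)."""
from dataclasses import dataclass
from typing import Optional

# Host binary -> companion DLL it is known to be abused to sideload (from the report).
SIDELOAD_PAIRS = {"ciscocollabhost.exe": "ciscosparklauncher.dll"}
# Parents that should not normally launch a collaboration client (assumption).
SUSPICIOUS_PARENTS = {"mmc.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
# Directory markers treated as user-writable (assumption for the example).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


@dataclass
class ImageLoad:
    host_image: str
    loaded_dll: str
    parent_image: str
    dll_signed: bool        # True when the DLL carries a valid Authenticode signature


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def dirname(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[0].lower()


def assess_sideload(ev: ImageLoad) -> Optional[dict]:
    """Return None for loads that are not a watched pair, otherwise a dict with
    the reasons found (possibly empty, meaning the pair loaded but looked normal)."""
    host = basename(ev.host_image)
    expected_dll = SIDELOAD_PAIRS.get(host)
    if expected_dll is None or basename(ev.loaded_dll) != expected_dll:
        return None

    reasons = []
    if not ev.dll_signed:
        reasons.append("dll_signature_invalid")
    if any(marker in dirname(ev.host_image) + "/" for marker in
           (m.replace("\\", "/") for m in USER_WRITABLE)):
        reasons.append("host_in_user_writable_dir")
    if basename(ev.parent_image) in SUSPICIOUS_PARENTS:
        reasons.append("suspicious_parent:" + basename(ev.parent_image))

    return {"host": host, "dll": expected_dll, "reasons": reasons,
            "severity": "high" if len(reasons) >= 2 else ("medium" if reasons else "info")}


# Constructed sample events.
SAMPLE_LOADS = [
    # sideloading chain as described: host copied next to a tampered DLL, started by mmc.exe
    ImageLoad(r"C:\Users\bob\AppData\Roaming\WebEx\CiscoCollabHost.exe",
              r"C:\Users\bob\AppData\Roaming\WebEx\CiscoSparkLauncher.dll",
              r"C:\Windows\System32\mmc.exe", dll_signed=False),
    # benign: the real client in its install directory with a validly signed DLL
    ImageLoad(r"C:\Program Files\Cisco Spark\CiscoCollabHost.exe",
              r"C:\Program Files\Cisco Spark\CiscoSparkLauncher.dll",
              r"C:\Windows\explorer.exe", dll_signed=True),
    # unrelated load, not a watched pair
    ImageLoad(r"C:\Windows\System32\notepad.exe",
              r"C:\Windows\System32\kernel32.dll",
              r"C:\Windows\explorer.exe", dll_signed=True),
]


def triage(loads):
    """Return only the watched-pair loads that raised at least one reason."""
    out = []
    for ev in loads:
        result = assess_sideload(ev)
        if result and result["reasons"]:
            out.append(result)
    return out


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOADS):
        print(hit)
```

The benign install-directory load returns an empty reason list (an `info` result that `triage` drops), so the rule stays quiet on the real client while the relocated, unsigned copy launched from `mmc.exe` scores `high`. Extending `SIDELOAD_PAIRS` with other host/DLL pairs known to be abused is the natural way to grow this into a general sideloading detector.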
## Mitigation Strategies
- Strict monitoring of DLL loading behaviors, especially binaries known to be abused for sideloading.
- Blocking C2 communication associated with the infrastructure used by IronHusky.
- Patching systems against the privilege escalation flaws tied to IronHusky's past activity (e.g., CVE-2021-40449), even though these are not the current infection vector.
## Related Tools/Techniques
- MysteryMonoSnail RAT (Lightweight variant)
- piping-server (legitimate open-source project abused for C2 infrastructure)