A multi-layered attack chain was uncovered in December 2024, employing distinct stages to deliver malware like Agent Tesla variants, Remcos RAT, or XLoader. The campaign uses phishing emails posing as order release requests with malicious attachments. The attack chain leverages multiple execution paths, including .NET and AutoIt compiled executables, to evade detection and complicate analysis. The final payload is typically an Agent Tesla variant, a well-known infostealer. This approach demonstrates how attackers are increasingly relying on complex delivery mechanisms to bypass traditional sandboxes and ensure successful payload execution. Despite the multi-layered approach, Advanced WildFire effectively detects each stage, providing better protection for customers.
Author: AlienVault
Related Tags:
Agent Tesla – S0331
T1059.005
Remcos RAT
T1588.002
T1059.006
Agent Tesla
XLoader
T1204.002
shellcode
Associated Indicators: