Cybercriminals Exploit Fake Leonardo DiCaprio Movie to Spread Agent Tesla Malware
In a sophisticated cyberattack, malicious actors are leveraging the anticipated release of Leonardo DiCaprio’s latest film, One Battle After Another, to distribute the notorious Agent Tesla malware. This campaign targets individuals seeking to download the movie through torrent files, embedding a complex malware payload within the download package.
The Deceptive Download Package
Upon downloading what appears to be the movie, users receive a folder containing several files that seem legitimate. Among these is a shortcut file named CD.lnk. When executed, this file initiates a concealed command sequence that reads specific lines from a subtitle file titled Part2.subtitles.srt. Within lines 100 to 103 of this subtitle file, hidden batch code launches a series of PowerShell scripts, setting the stage for the malware’s deployment.
Multi-Stage Infection Process
The attack unfolds through multiple stages:
1. PowerShell Script Execution: The initial PowerShell commands extract AES-encrypted data embedded within the subtitle file and decrypt it into five distinct PowerShell scripts, which are stored in a concealed directory at `C:\Users\[UserName]\AppData\Local\Microsoft\Diagnostics`.
2. Extraction of Disguised Archive: One of these scripts processes a file named One Battle After Another.m2ts, which masquerades as a video file but is, in reality, a disguised archive. The script checks for the presence of common extraction tools such as WinRAR, 7-Zip, or Bandizip and uses whichever is installed to extract the contents.
3. Establishing Persistence: Another script creates a scheduled task named RealtekDiagnostics, designed to appear as a legitimate audio helper program. This task ensures the malware executes automatically upon system startup or user login, maintaining its presence on the infected device.
4. Decoding Additional Payloads: Subsequent scripts decode hidden data from files named Photo.jpg and Cover.jpg. These files, while appearing as standard images, contain binary data and additional archives protected by simple passwords, further contributing to the malware’s complexity.
5. Deployment of Agent Tesla: In the final stage, the malware compiles and executes the Agent Tesla payload directly in the system’s memory. This Remote Access Trojan (RAT) establishes a connection with attacker-controlled servers, granting cybercriminals complete control over the infected device. This access enables them to steal personal and financial information, deploy additional malware, or use the device as a launchpad for further attacks.
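As an added defender-side example (not code from the article or from any vendor it mentions), the following Python script checks a downloaded movie folder for the three tricks described above: a shortcut file shipped with the package, batch/PowerShell tokens hidden inside the .srt file, and a video-named file whose header is actually an archive signature. The file names and the sample subtitle content are constructed to mirror the description; the archive magic bytes are standard file-format facts.

```python
import re
import tempfile
from pathlib import Path

# Archive signatures (public file-format facts, not from the article): a file with a video
# extension that starts with one of these is an archive wearing a video name.
ARCHIVE_MAGIC = {b"Rar!\x1a\x07": "RAR", b"7z\xbc\xaf\x27\x1c": "7-Zip", b"PK\x03\x04": "ZIP"}
MEDIA_EXT = {".m2ts", ".mkv", ".mp4", ".avi"}
# Tokens that have no place in subtitle dialogue but do appear in batch/PowerShell stagers.
SHELL_TOKENS = re.compile(
    r"powershell|pwsh|cmd(\.exe)?\s*/c|-enc(odedcommand)?\b|\biex\b|invoke-expression"
    r"|@echo off|schtasks|frombase64string", re.IGNORECASE)
SRT_TIMING = re.compile(r"^\d{2}:\d{2}:\d{2},\d{3} --> \d{2}:\d{2}:\d{2},\d{3}")


def scan_srt(text: str) -> list[int]:
    """Return 1-based numbers of subtitle lines carrying shell tokens."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if SRT_TIMING.match(line) or line.strip().isdigit():
            continue  # cue index and timing lines are structural, skip them
        if SHELL_TOKENS.search(line):
            hits.append(n)
    return hits


def masquerade_type(header: bytes):
    """Name of the archive format whose magic the header starts with, else None."""
    return next((name for magic, name in ARCHIVE_MAGIC.items() if header.startswith(magic)), None)


def scan_download(folder: Path) -> list[str]:
    findings = []
    for p in sorted(folder.iterdir()):
        ext = p.suffix.lower()
        if ext == ".lnk":
            findings.append(f"{p.name}: shortcut file inside a movie download")
        elif ext == ".srt":
            for n in scan_srt(p.read_text(encoding="utf-8", errors="replace")):
                findings.append(f"{p.name}: shell tokens in subtitle line {n}")
        elif ext in MEDIA_EXT:
            kind = masquerade_type(p.read_bytes()[:8])
            if kind:
                findings.append(f"{p.name}: {kind} archive disguised as video")
    return findings


def demo() -> list[str]:
    """Build a constructed sample folder mimicking the described package, then scan it."""
    with tempfile.TemporaryDirectory() as d:
        folder = Path(d)
        (folder / "CD.lnk").write_bytes(b"L\x00\x00\x00")  # constructed stub, not a real LNK
        cues = "\n".join(f"{i}\n00:00:{i:02d},000 --> 00:00:{i:02d},500\nline {i}\n" for i in range(1, 26))
        cues += "\ncmd /c powershell -EncodedCommand AAAA\n"  # constructed stager buried at line 101
        (folder / "Part2.subtitles.srt").write_text(cues, encoding="utf-8")
        (folder / "One Battle After Another.m2ts").write_bytes(b"Rar!\x1a\x07\x01\x00" + bytes(64))
        return scan_download(folder)
```

Run `demo()` to see the three findings on the constructed folder, or point `scan_download()` at a real download directory.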
Evasion Techniques
The malware employs several sophisticated techniques to evade detection:
– Fileless Execution: By compiling and executing the final Agent Tesla payload in memory rather than dropping an executable, the malware leaves little on disk for signature-based tools to scan; the staging scripts in the Diagnostics directory and the scheduled task are its main file-system footprint.
– Use of Legitimate Tools: The attack leverages legitimate Windows utilities such as CMD, PowerShell, and Task Scheduler to execute its payload, further concealing its malicious activities.
– Multi-Layered Encryption: The use of multiple layers of encryption and scripts hidden within seemingly benign files complicates detection and analysis, allowing the malware to operate undetected for extended periods.
Implications and Recommendations
This campaign underscores the evolving tactics of cybercriminals who exploit popular media releases to distribute malware. The use of multi-stage scripting and fileless execution highlights the need for advanced security measures beyond traditional antivirus solutions.
To protect against such threats, users are advised to:
– Exercise Caution with Downloads: Avoid downloading movies or software from unverified sources, especially torrents, as they are common vectors for malware distribution.
– Keep Software Updated: Regularly update operating systems and security software to patch vulnerabilities that could be exploited by malware.
– Employ Advanced Security Solutions: Utilize security tools that offer behavioral analysis and real-time monitoring to detect and prevent sophisticated attacks.
– Educate on Cyber Threats: Stay informed about the latest cyber threats and attack vectors to recognize and avoid potential risks.
By adopting these practices, users can significantly reduce the risk of falling victim to such deceptive and harmful cyberattacks.