Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
Summary
A new attack chain leveraging multiple execution paths to avoid detection has been discovered by security researchers at Unit 42, the threat intelligence team at Palo Alto Networks.
The attack chain starts with a phishing email carrying an attached archive that contains a malicious script; the script downloads and runs a PowerShell script.
This, in turn, downloads and runs an executable compiled in either .NET or AutoIt, the latter being the more interesting of the two.
In the AutoIt infection chain, the executable decrypts shellcode, which then injects a .NET file into a RegSvcs process to download and execute an Agent Tesla variant.
Agent Tesla is a keylogger that can scrape credit card details, browser history and passwords from victim machines.
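The chain described above is visible to defenders as process lineage: a script host launching PowerShell, PowerShell launching a freshly downloaded executable, and that executable starting RegSvcs. The detector below is an added example (not code from Unit 42 or the report) that flags this lineage in constructed process-creation events; it assumes the initial script runs under wscript.exe or cscript.exe and that the downloaded executable lives in a user-writable directory, and the event layout is constructed rather than taken from any real telemetry format.

```python
import re

# Constructed process-creation events: (pid, parent_pid, image_path).
# Paths are hypothetical sample values; a real feed (e.g. Sysmon process
# creation events) would supply the same fields under different names.
SAMPLE_EVENTS = [
    (1, 0, r"C:\Windows\explorer.exe"),
    (2, 1, r"C:\Windows\System32\wscript.exe"),                      # script from the archive
    (3, 2, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (4, 3, r"C:\Users\u\AppData\Local\Temp\stage2.exe"),             # downloaded executable
    (5, 4, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"),
    (6, 1, r"C:\Windows\System32\notepad.exe"),                      # benign sibling
]

# Stages of the chain, in the order they must appear along one process lineage.
STAGES = [
    ("script_host", re.compile(r"\\(wscript|cscript)\.exe$", re.I)),
    ("powershell", re.compile(r"\\powershell\.exe$", re.I)),
    ("dropped_exe", re.compile(r"\\(Users|ProgramData)\\.*\.exe$", re.I)),
    ("regsvcs", re.compile(r"\\RegSvcs\.exe$", re.I)),
]


def lineage(events, pid):
    """Return image paths from the root ancestor down to pid."""
    by_pid = {p: (pp, img) for p, pp, img in events}
    chain = []
    while pid in by_pid:
        ppid, img = by_pid[pid]
        chain.append(img)
        pid = ppid
    return list(reversed(chain))


def matches_chain(images):
    """True if every stage pattern occurs, in order, along the lineage.

    Gaps are allowed so an extra intermediate process does not hide the chain.
    """
    i = 0
    for img in images:
        if i < len(STAGES) and STAGES[i][1].search(img):
            i += 1
    return i == len(STAGES)


def find_suspicious(events):
    """Return pids whose ancestry shows script -> PowerShell -> dropped exe -> RegSvcs."""
    return [p for p, _, _ in events if matches_chain(lineage(events, p))]
```

Only the RegSvcs process (pid 5) is reported, because the earlier stages on their own are common in benign administration and the alert fires on the complete lineage.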