AgentTesla + Word: Fileless attacks leave no chance of detection

The malware hides itself carefully in the system while simultaneously disabling the protective mechanisms that would otherwise catch it.

In the recent AgentTesla distribution campaign, analysed in detail by SonicWall researchers, the attackers used VBA macros in Word documents to carry out a fileless injection attack in which the malicious payload is loaded directly into the computer's RAM.

The malware is driven through the CLR hosting mechanism, which lets native Windows processes execute .NET code. The .NET code is delivered as dynamically loaded libraries, so the malware can operate without leaving any files on disk.

A distinctive feature of the malware is that it disables Event Tracing for Windows (ETW) by patching the "EtwEventWrite" API. The shellcode carrying the AgentTesla payload is then loaded and executed via the "EnumSystemLocalesA" API.

The shellcode resolves APIs such as VirtualAlloc and VirtualFree dynamically through hashing of their names, which avoids detection based on plaintext import strings. It then allocates memory, writes the decoded AgentTesla payload into it and executes it.

If any required DLL is missing, the malware loads it with the LoadLibraryA function. The shellcode also disables AMSI scanning by patching the "AmsiScanBuffer" and "AmsiScanString" functions.

To execute the malicious .NET code, the malware uses CLR hosting: it creates an instance of the CLR runtime, locates the appropriate .NET version, loads the malicious code into an AppDomain and runs it. Once the malicious process is resident in RAM, the shellcode destroys the downloaded data, hindering detection.

Thus, attackers keep finding more sophisticated ways to infect systems with malware while bypassing traditional detection methods. Such techniques require continuous improvement of security mechanisms at every level to maintain an acceptable security posture.