Fileless .NET Based Code Injection Attack Delivers AgentTesla Malware

A recent malware campaign used a VBA macro in a Word document to download and execute a 64-bit Rust binary. That binary uses fileless injection techniques to load a malicious AgentTesla payload into its own address space.

To do this, the malware relies on CLR hosting, the mechanism that lets a native process run .NET code. The .NET runtime libraries are loaded dynamically, so the malware can operate without writing the managed payload to disk.

The malware first disables Event Tracing for Windows (ETW) by patching the “EtwEventWrite” API in memory. It then downloads shellcode containing the AgentTesla payload from the URL listed in the IOCs below and executes it by passing the shellcode address as the callback to the “EnumSystemLocalesA” API.

The “EtwEventWrite” API after the malware patches it

The shellcode resolves the APIs it needs (VirtualAlloc, VirtualFree, RtlExitUserProcess and others) dynamically by hash, so their names never appear as plaintext strings that a scanner could match. It then allocates memory and writes the decoded AgentTesla payload there so that it can be executed.

Shellcode moved from read-write memory to executable memory, and its execution started

First, the shellcode reads the payload size and the encoded payload data from memory. It then runs a custom decryption routine that works through the payload in 0x10-byte chunks, decrypting each chunk with a different, dynamically generated 0x10-byte key.
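A reimplementation of that decryption shape, added here as an example (it is not the sample's routine and not SonicWall's code): 0x10-byte chunks, one fresh key per chunk, and a size field read before the data. The key schedule (a 32-bit LCG) and the size-prefixed layout are assumptions, since the article does not describe how the keys are generated; the payload bytes are constructed. The edge case worth noting is the last chunk: 0x3E184 is not a multiple of 0x10, so the final chunk is partial and must be neither padded nor skipped.

```python
"""Chunked XOR decryption in the shape the article describes: the payload is
processed in 0x10-byte chunks and every chunk gets its own 0x10-byte key.

Added example for this article; it is not the sample's routine and not from
the SonicWall analysis. Assumptions: the key schedule (a 32-bit LCG stepped
four times per chunk) and the [u32 size][payload] layout are stand-ins; the
article says only that each key is generated dynamically and that the
shellcode first reads the size and the encoded data from memory.
"""
import struct
from typing import Iterator

CHUNK = 0x10


def chunk_keys(seed: int, nchunks: int) -> Iterator[bytes]:
    """Yield one 16-byte key per chunk from an LCG (assumed generator)."""
    state = seed & 0xFFFFFFFF
    for _ in range(nchunks):
        words = []
        for _ in range(4):
            state = (state * 1664525 + 1013904223) & 0xFFFFFFFF
            words.append(state)
        yield struct.pack("<4I", *words)


def xor_chunks(data: bytes, seed: int) -> bytes:
    """XOR every 0x10-byte chunk with its own key. The trailing partial chunk
    (0x3E184 is not a multiple of 0x10) uses only as many key bytes as it has.
    XOR is symmetric, so the same call encrypts and decrypts."""
    nchunks = (len(data) + CHUNK - 1) // CHUNK
    out = bytearray(len(data))
    for i, key in enumerate(chunk_keys(seed, nchunks)):
        lo = i * CHUNK
        piece = data[lo:lo + CHUNK]
        out[lo:lo + len(piece)] = bytes(b ^ k for b, k in zip(piece, key))
    return bytes(out)


def pack_blob(payload: bytes, seed: int) -> bytes:
    """Build [u32 LE size][encoded payload] (assumed layout, for the demo)."""
    return struct.pack("<I", len(payload)) + xor_chunks(payload, seed)


def unpack_blob(blob: bytes, seed: int) -> bytes:
    """Read the size field, refuse one that runs past the buffer, and decrypt
    exactly that many bytes."""
    if len(blob) < 4:
        raise ValueError("blob too short for a size field")
    (size,) = struct.unpack_from("<I", blob, 0)
    if size > len(blob) - 4:
        raise ValueError("size field exceeds buffer length")
    return xor_chunks(blob[4:4 + size], seed)


def looks_like_pe(data: bytes) -> bool:
    """Sanity check an analyst runs on the plaintext: MZ header, e_lfanew in
    range, and a PE signature at e_lfanew. A wrong key fails this check."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


# Constructed minimal PE-shaped payload, 0x45 bytes long so the last chunk
# is partial (not a real binary).
SAMPLE_PAYLOAD = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
                  + b"PE\x00\x00" + b"\x01")

if __name__ == "__main__":
    blob = pack_blob(SAMPLE_PAYLOAD, seed=0x20240329)
    plain = unpack_blob(blob, seed=0x20240329)
    print(looks_like_pe(plain), looks_like_pe(unpack_blob(blob, seed=1)))
```

A wrong key yields plaintext that fails the PE sanity check, which is the quickest way to confirm a key recovered from a debugger session before spending time on the rest of the blob.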


The routine decrypts the entire 0x3E184-byte buffer that holds the final payload. The shellcode then extracts a list of required DLL names (ole32, oleaut32, wininet, mscoree, shell32) and looks each one up in the loaded-module list reachable from the PEB.

Single-byte XOR decryption

If a required DLL is not already loaded, the shellcode loads it with LoadLibraryA. It then uses the same API hashing to locate functions such as VirtualProtect, SafeArrayCreate and CLRCreateInstance inside the loaded libraries.
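The hash-based resolution mentioned above (for VirtualAlloc, VirtualFree and RtlExitUserProcess earlier, and for VirtualProtect, SafeArrayCreate and CLRCreateInstance here) works as shown below. This is an added example, not the loader's code: the article does not name the hash, so ROR-13, the most common choice in shellcode, is assumed, and the export tables are constructed stand-ins for the DLL export directories reached through the PEB. The second half shows the defender's inverse, a precomputed hash table used to map immediates found in a dumped blob back to API names.

```python
"""API hashing as used by the shellcode described above, and its inverse.

Added example for this article; it is not SonicWall's code and not the
sample's own routine. Assumptions: the hash is ROR-13 (a common shellcode
choice; the article does not name the algorithm the loader uses), and the
export tables below are constructed stand-ins for the real DLL export
directories the shellcode reaches through the PEB loaded-module list.
"""
from typing import Dict, List, Optional, Tuple

ExportTable = Dict[str, Tuple[str, ...]]


def ror13_hash(name: str) -> int:
    """32-bit ROR-13 additive hash of an export name (assumed algorithm)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF   # rotate right by 13
        h = (h + byte) & 0xFFFFFFFF
    return h


# Constructed stand-in for the modules already present in the PEB list.
LOADED_MODULES: ExportTable = {
    "kernel32.dll": ("VirtualAlloc", "VirtualFree", "VirtualProtect", "LoadLibraryA"),
    "ntdll.dll": ("RtlExitUserProcess", "EtwEventWrite"),
}

# Constructed stand-in for DLLs that have to be loaded before use.
ON_DISK_ONLY: ExportTable = {
    "oleaut32.dll": ("SafeArrayCreate", "SafeArrayAccessData"),
    "mscoree.dll": ("CLRCreateInstance",),
}


def resolve_by_hash(wanted: int, loaded: ExportTable,
                    on_disk: ExportTable) -> Optional[Tuple[str, str]]:
    """Walk the loaded modules first (what the shellcode does via the PEB);
    if the hash is only found in a module that is not loaded yet, 'load' it,
    which stands in for the LoadLibraryA call the article describes."""
    for module, exports in loaded.items():
        for name in exports:
            if ror13_hash(name) == wanted:
                return module, name
    for module, exports in on_disk.items():
        for name in exports:
            if ror13_hash(name) == wanted:
                loaded[module] = exports      # LoadLibraryA stand-in
                return module, name
    return None


def build_hash_table(*tables: ExportTable) -> Dict[int, str]:
    """Defender side: precompute hashes of sensitive exports so 32-bit
    constants found in a shellcode blob can be mapped back to API names."""
    table: Dict[int, str] = {}
    for exports_by_module in tables:
        for module, exports in exports_by_module.items():
            for name in exports:
                table[ror13_hash(name)] = f"{module}!{name}"
    return table


def triage_blob(blob: bytes, table: Dict[int, str]) -> List[Tuple[int, str]]:
    """Scan a blob for little-endian 32-bit immediates that match known hashes."""
    hits: List[Tuple[int, str]] = []
    for offset in range(len(blob) - 3):
        value = int.from_bytes(blob[offset:offset + 4], "little")
        if value in table:
            hits.append((offset, table[value]))
    return hits


if __name__ == "__main__":
    loaded = dict(LOADED_MODULES)
    print(resolve_by_hash(ror13_hash("CLRCreateInstance"), loaded, ON_DISK_ONLY))
    # Constructed blob: two NOPs, then the immediates a resolver stub would carry.
    blob = (b"\x90\x90" + ror13_hash("VirtualAlloc").to_bytes(4, "little")
            + b"\xCC" + ror13_hash("VirtualProtect").to_bytes(4, "little"))
    print(triage_blob(blob, build_hash_table(LOADED_MODULES, ON_DISK_ONLY)))
```

Because the hashes are computed when the shellcode is built, a resolver only ever carries 32-bit constants. The analyst's countermeasure is to run the same hash over the exports of the DLLs the sample requests (ole32, oleaut32, wininet, mscoree, shell32, plus kernel32 and ntdll) and look the constants up; if nothing matches, the loader is using a different hash and the routine must be lifted from the blob itself.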

The shellcode disables AMSI scanning by patching the “AmsiScanBuffer” and “AmsiScanString” functions in memory, and then performs CLR hosting to execute the malicious .NET code.

The “AmsiScanBuffer” API after patching
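A check for both patches described above (EtwEventWrite at the start of the chain, AmsiScanBuffer and AmsiScanString here), added as an example and not part of the SonicWall analysis. The stub patterns it looks for are the usual ways such functions are neutered; the article does not show the exact bytes this sample writes, so treating those patterns as the thing to look for is an assumption, and the sample prologues are constructed. On Windows the same functions can be read live from the current process with ctypes.

```python
"""Checking whether EtwEventWrite, AmsiScanBuffer and AmsiScanString have
been overwritten in a process, the two patches the article describes.

Added example for this article; it is not the loader's code. The stub byte
sequences below are the well-known ways such functions get neutered; the
article does not show the exact bytes this sample writes, so treating them as
the patterns to look for is an assumption. Reading live memory is only
attempted on Windows; on other platforms the check runs on constructed bytes.
"""
import ctypes
import sys
from typing import Dict, List, Optional, Tuple

# (module, export) pairs the article says the malware patches.
WATCHED: Tuple[Tuple[str, str], ...] = (
    ("ntdll.dll", "EtwEventWrite"),
    ("amsi.dll", "AmsiScanBuffer"),
    ("amsi.dll", "AmsiScanString"),
)

# Stubs commonly written over a function's first bytes to make it a no-op.
PATCH_SIGNATURES: Tuple[Tuple[str, bytes], ...] = (
    ("ret", b"\xC3"),
    ("xor eax,eax; ret", b"\x33\xC0\xC3"),
    ("xor eax,eax; ret", b"\x31\xC0\xC3"),
    ("mov eax,E_INVALIDARG; ret", b"\xB8\x57\x00\x07\x80\xC3"),
)


def classify_prologue(first_bytes: bytes) -> Optional[str]:
    """Return a label when the prologue starts with a known neutering stub,
    a softer label for a jmp at entry (a hook, possibly a legitimate EDR one),
    or None when nothing matches."""
    for label, sig in PATCH_SIGNATURES:
        if first_bytes.startswith(sig):
            return "patched: " + label
    if first_bytes[:1] == b"\xE9":
        return "hooked: jmp rel32 at entry (verify the target module)"
    return None


def read_live_prologue(module: str, export: str, n: int = 8) -> Optional[bytes]:
    """Windows only: read the first n bytes of an export in this process."""
    if sys.platform != "win32":
        return None
    k32 = ctypes.windll.kernel32
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    hmod = k32.GetModuleHandleW(module)
    if not hmod:            # amsi.dll is only mapped once something loads it
        return None
    addr = k32.GetProcAddress(hmod, export.encode("ascii"))
    return ctypes.string_at(addr, n) if addr else None


def audit(prologues: Dict[Tuple[str, str], bytes]) -> List[Tuple[str, str]]:
    """Classify each captured prologue; returns (module!export, finding)."""
    findings: List[Tuple[str, str]] = []
    for (module, export), first_bytes in prologues.items():
        verdict = classify_prologue(first_bytes)
        if verdict is not None:
            findings.append((f"{module}!{export}", verdict))
    return findings


def audit_live() -> List[Tuple[str, str]]:
    """Capture prologues from this process (Windows only) and audit them."""
    captured: Dict[Tuple[str, str], bytes] = {}
    for module, export in WATCHED:
        data = read_live_prologue(module, export)
        if data is not None:
            captured[(module, export)] = data
    return audit(captured)


# Constructed sample (not copied from any real DLL): two patched exports and
# one untouched one with an ordinary-looking x64 prologue.
SAMPLE_PROLOGUES: Dict[Tuple[str, str], bytes] = {
    ("ntdll.dll", "EtwEventWrite"): b"\x33\xC0\xC3\xCC\xCC\xCC\xCC\xCC",
    ("amsi.dll", "AmsiScanBuffer"): b"\xB8\x57\x00\x07\x80\xC3\xCC\xCC",
    ("amsi.dll", "AmsiScanString"): b"\x4C\x8B\xDC\x49\x89\x5B\x08\x48",
}

if __name__ == "__main__":
    print(audit(SAMPLE_PROLOGUES))
    print(audit_live())     # empty list on non-Windows hosts
```

The prefix check is a triage aid: a patch written a few bytes into the function, or one that is restored before a scanner looks, will not match. Comparing the whole function body in memory against the mapped on-disk image of the DLL is the more robust check.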

CLR hosting involves creating a CLR runtime instance, enumerating the installed runtimes to find the desired .NET version, and retrieving the default AppDomain. A SafeArray is created to hold the malicious assembly's bytecode, and that array is loaded into the AppDomain. The loaded assembly's entry point is then invoked, with any arguments passed through a second SafeArray.

According to SonicWall, the shellcode uses CLR hosting to execute the malicious .NET code (the MSIL AgentTesla payload) in memory. It first calls CLRCreateInstance to obtain a CLR MetaHost (ICLRMetaHost) instance.

Browser folders enumerated by the 64-bit process once the fileless managed-code injection has completed

From there it retrieves interfaces such as ICorRuntimeHost to set up and start the CLR runtime, creates a SafeArray containing the decrypted MSIL payload, and loads it into the default application domain.

The shellcode calls Invoke_3 on the entry point of the loaded assembly, which effectively starts AgentTesla inside the native process. After execution, the shellcode wipes the MSIL payload from memory and destroys the SafeArray.


IOCs

Document file:

MD5 : D99020C900069E737B3F4AB8C6947375

SHA256 : A6562D8F34D4C25A94313EBBED1137514EED90B233A94A9125E087781C733B37

64-bit downloaded executable:

MD5 : 4521162D45EFC83FA76C4B5C0D405265

SHA256 : F00ED06A1D402ECF760EC92F3280EF6C09E76036854ABACADCAC9311706ED97D

Shellcode blob:

MD5 : CD485BF146E942EC6BB51351FA42B1FF

SHA256 : 02C03E2E8CA28849969AE9A8AAA7FDE8A8B918B5A29548840367F3ECAC543E2D

Injected AgentTesla Payload:

MD5 : 6999D02AA08B56EFE8B2DBBD6FDC9A78

SHA256 : 7B6867606027BFCA492F95E2197A3571D3332D59B65E1850CB20AA6854486B41

URLs used by malware:

https[:]//New-Coder[.]cc/Users/signed_20240329011751156[.]exe  (64-bit exe downloaded)

https[:]//New-Coder[.]cc/Users/shellcodeAny_20240329011339585[.]bin (shellcode downloaded)


Kaaviya

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
