Cyber Security News

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as “Cascading Shadows” to deliver various malware, including Agent Tesla, XLoader, and Remcos RAT.

The attackers’ strategy hinges on multiple, individually simple but strategically layered stages, which not only evade traditional sandbox environments but also complicate analysis by security researchers.

The Deceptive Prelude

The campaign begins with phishing emails disguised as official communications, typically claiming a new payment has been made.

These emails contain a compressed file named “doc00290320092.7z”, directing the victim to review an ‘order file’.

Figure: Attack chain used for this campaign.

Once opened, the .7z file reveals a JavaScript encoded (.jse) file. This initial file acts as a downloader, fetching a PowerShell script from a remote server and starting the infection chain.

Unraveling the Layers

The PowerShell script, devoid of heavy obfuscation, hosts a Base64-encoded payload which is decoded, saved to disk, and executed.

Interestingly, subsequent analysis has revealed that the payload varies: it is either a .NET executable or an AutoIt compiled executable.

According to the report, this bifurcation in the attack chain allows the malware to adapt, choosing between paths to increase the chance of a successful infection.

The .NET executable decrypts the payload, either with AES or Triple DES, before injecting it into a running RegAsm.exe process.

Similarities found in multiple .NET samples from this campaign indicate a deliberate design to inject different malware families, like Agent Tesla or XLoader, into running processes, leveraging the same underlying infection method.

On the alternative path, AutoIt executables introduce an additional layer of complexity.

They contain encrypted payloads that load shellcode, which, once decrypted, injects the final malware into a RegSvcs process.

The AutoIt script also runs malicious code through DLLCALLADDRESS references, which poses further challenges for analysis.
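The stages described above map onto a short sequence of process-creation events that a defender can hunt for. The following is an added example, not code from the original report or from Palo Alto Networks: it runs four stage-specific rules over constructed Sysmon-style events (field names, paths and the sample events are assumptions), and it generalizes the RegAsm/RegSvcs injection step by flagging a RegAsm.exe or RegSvcs.exe host started from a user-writable folder.

```python
import re
from typing import Iterable, NamedTuple

class ProcEvent(NamedTuple):
    """One process-creation record (Sysmon Event ID 1 style; fields trimmed)."""
    parent: str
    image: str
    cmdline: str

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Paths a phished user can write to; the decoded payload lands in one of these.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)

def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def match_rules(ev: ProcEvent) -> list[str]:
    """Return the names of every Cascading Shadows stage this event resembles."""
    hits = []
    img, par = base(ev.image), base(ev.parent)
    # Stage 1: the .jse extracted from the .7z lure is run by a script host.
    if img in SCRIPT_HOSTS and re.search(r"\.jse\b", ev.cmdline, re.I):
        hits.append("jse_lure_executed")
    # Stage 2: the .jse downloader hands off to PowerShell to fetch the .ps1.
    if par in SCRIPT_HOSTS and img == "powershell.exe":
        hits.append("script_host_spawns_powershell")
    # Stage 3: PowerShell writes the Base64-decoded payload to disk and runs it.
    if par == "powershell.exe" and USER_WRITABLE.search(ev.image) and img.endswith(".exe"):
        hits.append("powershell_launches_dropped_exe")
    # Stage 4: the .NET/AutoIt loader needs a RegAsm/RegSvcs host to inject into;
    # a copy started by a binary in a user-writable folder is the hunting signal.
    if img in ("regasm.exe", "regsvcs.exe") and USER_WRITABLE.search(ev.parent):
        hits.append("regasm_regsvcs_hosted_by_dropped_exe")
    return hits

def hunt(events: Iterable[ProcEvent]) -> list[tuple[str, str]]:
    """Flatten matches into (rule, image) pairs, in event order."""
    return [(rule, ev.image) for ev in events for rule in match_rules(ev)]

# Constructed sample events: four chain stages plus one benign process.
U = "C:\\Users\\bob\\AppData\\Local\\Temp"
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\wscript.exe",
              f'wscript.exe "{U}\\7zO5F\\doc00290320092.jse"'),
    ProcEvent("C:\\Windows\\System32\\wscript.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -w hidden -c <downloader omitted; constructed sample>"),
    ProcEvent("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              f"{U}\\decoded.exe", "decoded.exe"),
    ProcEvent(f"{U}\\decoded.exe",
              "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe", "RegAsm.exe"),
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for rule, image in hunt(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```

Each rule on its own will fire on legitimate activity now and then; the value is in seeing several of them in one process tree within a short window.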

Despite the attackers’ intricate strategies, security solutions like Advanced WildFire can detect each stage of the Cascading Shadows attack chain.

Figure: AutoIt script extracted by WildFire.

Palo Alto Networks’ Advanced URL Filtering, Advanced DNS Security, and Cortex XDR with XSIAM provide layered defenses against these threats.

For organizations potentially compromised, immediate contact with Unit 42 Incident Response is recommended.

This attack chain highlights a continuing trend in cyber threats, where attackers rely on complexity and variety rather than sophisticated obfuscation to evade detection.

The analyzed techniques offer crucial insights for enhancing threat hunting capabilities, particularly in dealing with AutoIt-based malware and debugging shellcode.

This analysis underscores the perpetual cat-and-mouse game between cyber defenders and attackers, showcasing the need for constant vigilance and advanced detection capabilities.



Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
