Hackers Employ Advanced Fileless Attack to Implant AgentTesla Malware
The SonicWall Capture Labs threat research team has recently uncovered sophisticated .NET managed code injection methods employed by the notorious AgentTesla malware, marking a significant advancement in malware delivery tactics. The detailed technical analysis provided by SonicWall showcases the intricate steps involved in executing fileless attacks using native processes.
The initial breach occurs through an innocuous-looking Word document delivered via email. This document deceives users into enabling a VBA macro, which acts as the gateway for the malware’s entry. Once activated, this macro stealthily downloads and executes a Rust-compiled 64-bit executable from the internet, setting the stage for a deeper intrusion.
The executable, once launched, utilizes sophisticated CLR hosting techniques to inject the AgentTesla payload directly into its process memory—a method both stealthy and efficient. This process involves several critical steps:
- Disabling Event Tracing for Windows (ETW): The malware cleverly patches the “EtwEventWrite” API to avoid detection by security systems.
- Shellcode Execution: It then fetches encoded shellcode from a remote server, which contains the AgentTesla payload. This shellcode dynamically resolves critical API functions necessary for further execution, such as VirtualAlloc and VirtualFree, through a hashing technique.
- Payload Decryption: Following memory allocation, the shellcode decrypts the AgentTesla payload using a custom XOR decryption loop, adapting the encryption key with each iteration to enhance security evasion.
The crux of the attack involves CLR hosting, a sophisticated technique where the malware leverages Microsoft’s .NET framework to execute managed code within a native process seamlessly. This is accomplished through several complex steps:
- Instantiating CLR MetaHost: The malware first creates an instance of the CLR MetaHost (the ICLRMetaHost interface) to manage the execution environment.
- Runtime Environment Setup: It then identifies and sets up the appropriate .NET runtime version using the ICLRRuntimeInfo interface.
- Managed Code Execution: The final steps involve creating a SafeArray to hold the managed code, loading the malware assembly into the AppDomain, and executing the entry point of the loaded assembly.
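The hosting sequence above leaves a footprint a defender can look for: a native executable, which should never need the runtime, brings mscoree.dll and clr.dll into its own process. The script below is an added detection sketch, not code from SonicWall or from the report; it runs a simple rule over constructed log lines written in a Sysmon-like key=value style (EventId 1 for process creation, EventId 7 for image loads). The `MANAGED_HOSTS` allowlist, the `OFFICE_APPS` set and the paths in the sample log are assumptions for the demonstration; in production the allowlist would be replaced by checking the executable's own CLR header.

```python
"""Added detection sketch (not from SonicWall's report): flag processes that
load the .NET runtime although their main image is not a known managed host,
and raise severity when the process was spawned by an Office application."""
import re
from typing import Dict, List

# Modules whose load means the CLR is being brought up in a process.
CLR_MODULES = {"mscoree.dll", "mscoreei.dll", "clr.dll", "coreclr.dll"}

# Assumed allowlist of images that legitimately host the CLR.
MANAGED_HOSTS = {"powershell.exe", "devenv.exe", "msbuild.exe", "w3wp.exe"}

# Assumed set of Office parents relevant to the macro delivery described above.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Constructed sample log (Sysmon-like fields, not real telemetry).
SAMPLE_LOG = """\
EventId=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ProcessId=5532
EventId=7 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ImageLoaded=C:\\Windows\\System32\\mscoree.dll ProcessId=4120
EventId=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\System32\\kernel32.dll ProcessId=5532
EventId=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\System32\\mscoree.dll ProcessId=5532
EventId=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe ImageLoaded=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll ProcessId=5532
"""

# key=value pairs where values may contain spaces (paths), so a value runs
# until the next " key=" token or the end of the line.
FIELD = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_line(line: str) -> Dict[str, str]:
    return dict(FIELD.findall(line))


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_clr_hosting(log_text: str) -> List[dict]:
    """Return one finding per process that loads a CLR module while its own
    image is not an allowlisted managed host.  Severity is 'high' when an
    earlier process-create event shows an Office parent for that PID."""
    parents: Dict[str, str] = {}
    findings: Dict[str, dict] = {}
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev:
            continue
        pid = ev.get("ProcessId", "")
        if ev.get("EventId") == "1":
            parents[pid] = basename(ev.get("ParentImage", ""))
            continue
        if ev.get("EventId") != "7":
            continue
        image = basename(ev.get("Image", ""))
        module = basename(ev.get("ImageLoaded", ""))
        if module in CLR_MODULES and image not in MANAGED_HOSTS:
            finding = findings.setdefault(
                pid, {"pid": pid, "image": image, "modules": [], "severity": "medium"})
            finding["modules"].append(module)
            if parents.get(pid, "") in OFFICE_APPS:
                finding["severity"] = "high"
    return list(findings.values())


if __name__ == "__main__":
    for f in find_clr_hosting(SAMPLE_LOG):
        print(f)
```

The rule is deliberately narrow: it keys on the runtime modules rather than on any particular loader name, so a renamed or recompiled dropper still trips it, while ordinary .NET processes on the allowlist do not.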
This attack demonstrates how hackers are constantly innovating and combining techniques to stay ahead of defenders. Organizations must not only keep their tools up-to-date but also invest in continuous security awareness training and a proactive approach to threat detection. Understanding the details of these complex attacks, as uncovered by the SonicWall Capture Labs report, is crucial in strengthening defenses against these evolving threats.