A sophisticated phishing campaign leveraging a multi-layered attack chain dubbed “Cascading Shadows” was uncovered by Palo Alto Networks’ Unit 42 researchers in December 2024. The campaign delivers malware families such as Agent Tesla, RemcosRAT, and XLoader through a sequence of deliberately fragmented stages designed to bypass traditional security tools and complicate forensic analysis. By compartmentalizing each stage and leveraging legitimate tools, the Cascading Shadows chain exemplifies the growing trend of “living-off-the-land” tactics in cyber espionage.

Once activated, the infection chain progresses through JavaScript-encoded (.jse) files and PowerShell scripts, and culminates in either .NET or AutoIt-compiled executables that inject the final payloads into legitimate system processes. The attached .7z archive contains a .jse file masquerading as a document (e.g., doc00290320092.jse). When executed, this script downloads a PowerShell payload from domains like files.catbox[.]moe, which subsequently retrieves either a .NET or AutoIt dropper. This bifurcation in execution paths, a hallmark of the Cascading Shadows chain, enhances resilience against detection by allowing attackers to switch payloads dynamically. Combined with minimal obfuscation at the early stages, this technique allows the attack chain to evade sandbox analysis while maintaining operational flexibility.

The script within the AutoIt binary (e.g., the sample with SHA256 hash c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2) contains an encrypted payload that dynamically resolves API calls to evade static analysis. By injecting decrypted shellcode into trusted processes like RegAsm.exe or RegSvcs.exe, the malware operates under the guise of legitimate Microsoft utilities. This enables the shellcode to allocate memory in the target process, write the decrypted .NET payload, and initiate execution, all without leaving artifacts on the filesystem. Palo Alto Networks analysts noted that the campaign’s reliance on process hollowing distinguishes it from conventional malware delivery methods.

The final payload, an Agent Tesla variant, exfiltrates credentials via FTP to servers like ftp.jeepcommerce[.]rs using hardcoded credentials (e.g., username: kel-bin@jeepcommerce[.]rs, password: Jhrn) GcpiYQ7).

Unit 42 emphasizes that while the attack chain is intricate, defenses like Cortex XDR’s Behavioral Threat Protection can detect process injection anomalies. Despite the campaign’s complexity, Advanced WildFire’s memory-scanning capabilities successfully identified all stages, underscoring the importance of behavioral detection in countering layered threats. Combined with Advanced WildFire’s multi-stage analysis, organizations can mitigate such threats despite their evolving complexity.
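As an added example (not code from Unit 42 or the article), the following Python hunt runs over constructed Sysmon-style process-creation events and flags the two chain links described above: a script host executing a .jse file that spawns PowerShell, and RegAsm.exe or RegSvcs.exe launched by a binary living in a user-writable directory. The event field names and the parent-path heuristic are assumptions.

```python
"""Hunt for the Cascading Shadows process chain in process-creation telemetry.
Added example, not Unit 42's or the article's code; it assumes events (e.g.
Sysmon Event ID 1) parsed into dicts with pid/ppid/image/cmdline keys."""
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}        # run the .jse first stage
INJECTION_TARGETS = {"regasm.exe", "regsvcs.exe"}   # hollowed by the droppers
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")  # heuristic only

def image_name(path):
    return ntpath.basename(path).lower()  # executable name without directory

def from_user_writable_path(path):
    """True when the image lives outside the OS and Program Files trees."""
    return not path.lower().startswith(TRUSTED_PREFIXES)

def find_cascading_shadows(events):
    """Return (rule, pid) findings for the two chain links described above."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        name, parent_name = image_name(e["image"]), image_name(parent["image"])
        # Link 1: a script host executing a .jse file spawns PowerShell.
        if (name == "powershell.exe" and parent_name in SCRIPT_HOSTS
                and ".jse" in parent["cmdline"].lower()):
            findings.append(("jse_script_host_to_powershell", e["pid"]))
        # Link 2: RegAsm/RegSvcs launched by a binary in a user-writable path.
        if name in INJECTION_TARGETS and from_user_writable_path(parent["image"]):
            findings.append(("injection_target_from_user_writable_parent", e["pid"]))
    return findings

# Constructed sample telemetry: one malicious chain plus a benign RegAsm launch.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\Downloads\doc00290320092.jse"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -f stage2.ps1"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\u\AppData\Local\Temp\dropper.exe", "cmdline": "dropper.exe"},
    {"pid": 500, "ppid": 400, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"pid": 700, "ppid": 100, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 600, "ppid": 700, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe", "cmdline": "RegAsm.exe"},
]

if __name__ == "__main__":
    for rule, pid in find_cascading_shadows(SAMPLE_EVENTS):
        print(f"{rule}: pid {pid}")
```

The benign RegAsm.exe launched from a Program Files parent (pid 600) is deliberately left unflagged, so the path heuristic should be tuned to the build tooling actually present in your environment.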
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 18:35:08 +0000