Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
Summary:
In December 2024, Palo Alto Networks researchers uncovered a highly structured, multi-stage malware campaign that relied on layered delivery mechanisms to distribute variants of Agent Tesla, Remcos RAT, and XLoader. This campaign began with a phishing email disguised as a legitimate order release notice, claiming a payment had been made and urging the recipient to review the attached file. The attachment, a .7z archive named to resemble a document, contained a JavaScript Encoded (.JSE) script. Once executed, the JSE file acted as a downloader that retrieved a PowerShell script from a remote server.
The PowerShell script itself was relatively simple but effective: it carried a Base64-encoded payload, which was decoded and written to the system's temporary directory before being executed. This launched the second stage of the attack, which diverged down one of two paths: the payload would be either a .NET-compiled executable or an AutoIt-compiled executable. Both paths emphasized detection evasion through multi-layered execution rather than deep obfuscation.
The .NET executable variant decrypted an embedded payload using symmetric encryption algorithms such as AES or Triple DES, then injected it into a running RegAsm.exe process, a legitimate Windows utility often abused in process hollowing and injection techniques. Two samples analyzed in dnSpy revealed consistent behavior, including identical function calls used for payload injection and process manipulation. These samples dropped either Agent Tesla variants, some consistent with Snake Keylogger behavior, or XLoader, another well-known infostealer and loader.
Alternatively, when the PowerShell script delivered an AutoIt-compiled executable, the attack added further complexity. The AutoIt binary included an embedded, encrypted payload that, once decrypted, injected shellcode into the RegSvcs.exe process. This process in turn reflectively loaded a .NET binary containing an Agent Tesla variant protected with .NET Reactor, a commercial obfuscation tool designed to hinder reverse engineering and dynamic analysis. Analysis of the AutoIt dropper in IDA Pro revealed that it used the DLLCALLADDRESS function, a common AutoIt technique to resolve and call shellcode stored in memory. The shellcode was decrypted and launched through a memory-resident injection routine, bypassing disk-based defenses entirely.
Security Officer Comments:
The campaign demonstrated deliberate design: rather than relying on one sophisticated method, the attackers used a chain of lightweight, discrete stages to complicate analysis, evade sandbox detection, and maintain flexibility in payload delivery. Each email campaign appeared to originate from a unique address and included regional targeting elements, such as messages written in Croatian and fake business correspondence relevant to specific industries.
Suggested Corrections:
- Block Script Execution: Disable .JSE, .VBS, and .PS1 script execution via Group Policy or endpoint security tools.
- Harden Email Security: Use advanced email filters to block suspicious archive attachments and scan embedded scripts.
- Monitor for LOLBin Abuse: Detect abnormal use of RegAsm.exe and RegSvcs.exe, often used for malware injection.
- Use DNS and Web Filtering: Block malicious domains and inspect outbound traffic for command-and-control behavior.
- Enable Behavior-Based Detection: Deploy tools like WildFire or EDR/XDR to catch multi-stage malware based on memory and behavior patterns.
- Train Users: Educate staff to recognize phishing emails and avoid opening suspicious attachments.
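As an added illustration (not code from the report or from Palo Alto Networks), the following Python flags the RegAsm.exe/RegSvcs.exe launches that the summary describes and the "Monitor for LOLBin Abuse" item recommends watching for, by walking process ancestry back through PowerShell to the script host. Event field names, paths and the sample events are constructed for the example.

```python
# Added example, not code from the report: a toy detector for the chain described
# above (script host -> PowerShell -> RegAsm.exe/RegSvcs.exe). Event fields are
# constructed; map them onto Sysmon Event ID 1 or EDR process-creation telemetry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"regasm.exe", "regsvcs.exe"}
SCRIPT_EXTS = (".jse", ".vbs", ".vbe", ".wsf")
NET_DIR = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"

# Constructed sample events: a malicious chain (pids 100-400) and a benign
# RegAsm invocation from Visual Studio (pids 500-600). Paths are placeholders.
EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Local\Temp\Order_Release.jse"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -e <BASE64_PLACEHOLDER>"},
    {"pid": 400, "ppid": 300, "image": NET_DIR + r"\RegAsm.exe", "cmdline": "RegAsm.exe"},
    {"pid": 500, "ppid": 1, "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe", "cmdline": "devenv.exe"},
    {"pid": 600, "ppid": 500, "image": NET_DIR + r"\RegAsm.exe",
     "cmdline": r"RegAsm.exe /codebase C:\proj\bin\Release\Lib.dll"},
]

def image_name(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()

def ancestry(ev, by_pid):
    # Returns [ev, parent, grandparent, ...]; stops at a missing or looping ppid.
    chain, seen = [], set()
    while ev is not None and ev["pid"] not in seen:
        seen.add(ev["pid"])
        chain.append(ev)
        ev = by_pid.get(ev["ppid"])
    return chain

def detect(events, min_signals=2):
    # Flag RegAsm/RegSvcs launches that carry at least min_signals indicators.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        if image_name(ev) not in LOLBINS:
            continue
        chain = ancestry(ev, by_pid)
        parent = chain[1] if len(chain) > 1 else None
        signals = []
        if len(ev["cmdline"].split()) == 1:  # injection targets are usually launched bare
            signals.append("no arguments")
        if parent is not None and image_name(parent) in SHELLS:
            signals.append("spawned by PowerShell")
        if any(image_name(a) in SCRIPT_HOSTS and any(x in a["cmdline"].lower() for x in SCRIPT_EXTS) for a in chain):
            signals.append("script-host ancestor ran a script file")
        if len(signals) >= min_signals:
            alerts.append({"pid": ev["pid"], "chain": [image_name(a) for a in chain], "signals": signals})
    return alerts
```

Requiring two independent signals keeps a lone RegAsm.exe run by a build tool (pid 600 above) from alerting while still catching the bare, PowerShell-spawned instance descended from a .jse script host.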
Link(s):
https://thehackernews.com/2025/04/multi-stage-malware-attack-uses-jse-and.html