Threat Advisory

Agent Tesla and Other Malware Deployed via Lua-Based Loaders on Microsoft Windows

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A large-scale campaign that combines fileless techniques and Lua-based loaders with low detection rates to deploy various malware families. These attack campaigns involve the threat actor impersonating well-known companies by creating a sense of urgency through phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file. The execution flow begins by verifying two conditions: the absence of the next-stage files and whether a specific variable is set to 'YESSSSSSSS.' If both conditions are met, the script copies itself to the folder and establishes persistence via a Scheduled Task.

It then extracts hardcoded, encoded data and processes it through a series of steps before saving the resulting data to a specified file path. The dropped.ttf file is actually a disguised Lua script that employs a three-step method for parsing the encoded payload: reversing a hardcoded string, applying replacement rules, and decoding from Base64. The script then applies a custom ROT cipher using the formula 94 – {first_byte} - 128 to ensure the output consists of printable ASCII characters.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A large-scale campaign that combines fileless techniques and Lua-based loaders with low detection rates to deploy various malware families. These attack campaigns involve the threat actor impersonating well-known companies by creating a sense of urgency through phishing attacks. To evade detection, the actor employs multi-layered, highly obfuscated stages, including extensive junk code and an AutoIt/Lua loader masquerading as a TrueType Font (.ttf) file. The execution flow begins by verifying two conditions: the absence of the next-stage files and whether a specific variable is set to 'YESSSSSSSS.' If both conditions are met, the script copies itself to the folder and establishes persistence via a Scheduled Task.

It then extracts hardcoded, encoded data and processes it through a series of steps before saving the resulting data to a specified file path. The dropped.ttf file is actually a disguised Lua script that employs a three-step method for parsing the encoded payload: reversing a hardcoded string, applying replacement rules, and decoding from Base64. The script then applies a custom ROT cipher using the formula 94 – {first_byte} - 128 to ensure the output consists of printable ASCII characters.[emaillocker id="1283"]

The threat actor's goal is to deploy various malware families, including Agent Tesla, Remcos, XWorm, and Best Private LOGGER, by establishing persistence via a Scheduled Task. The campaign has been successful in evading detection due to its multi-layered obfuscation techniques. The financial institutions targeted are at high risk of data theft or follow-on attacks. Defenders should be aware of the threat actor's tactics, techniques, and procedures (TTPs), including their use of Lua-based loaders and fileless techniques. They should also be prepared for the possibility of lateral movement and remote control following initial compromise.

THREAT PROFILE:

Tactic Technique Id Technique Sub-technique
Initial access T1566.002 Phishing Spearphishing Link
Execution T1059.006 Command and Scripting Interpreter Python
Execution T1059.007 Command and Scripting Interpreter JavaScript
Persistence T1053.005 Scheduled Task/Job Scheduled Task
Defence Evasion T1027 Obfuscated Files or Information -
Defence Evasion T1027.002 Obfuscated Files or Information Software Packing

MBC MAPPING:

Objective Behavior ID Behavior
Anti-Static Analysis B0032 Executable Code Obfuscation
Anti-Behavioral Analysis B0003 Dynamic Analysis Evasion
Execution E1204 User Execution
Persistence F0012 Registry Run Keys / Startup Folder
Exfiltration E1020 Automated Exfiltration
Discovery E1083 File and Directory Discovery
Command & Control B0030 C2 Communication
Defense Evasion B0029 Polymorphic Code

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu