Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

    Friday, April 18, 2025 In: Threat Research Print

    Date: 04/18/2025

    Severity: High

    Summary

    In December 2024, we identified a multi-stage attack chain used to deliver malware such as Agent Tesla variants, Remcos RAT, and XLoader. Attackers are increasingly adopting layered delivery tactics to bypass detection tools and traditional sandboxes. The phishing campaign we examined disguised itself as an order release request, delivering a malicious attachment. The attack chain used several execution paths to evade defenses and hinder analysis.

    Indicators of Compromise (IOC) List

    Domains\Urls : 

    ftp://ftp.jeepcommerce.rs

    Hash : 

    00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5

    f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd

    d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2

    550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8

    61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49

    7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25

    8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994

    c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains \ Urls :

    domainname like "ftp://ftp.jeepcommerce.rs" or url like "ftp://ftp.jeepcommerce.rs" or siteurl like "ftp://ftp.jeepcommerce.rs"

    Hash : 

    sha256hash IN ("d616aa11ee05d48bb085be1c9bad938a83524e1d40b3f111fa2696924ac004b2","550f191396c9c2cbf09784f60faab836d4d1796c39d053d0a379afaca05f8ee8","00dda3183f4cf850a07f31c776d306438b7ea408e7fb0fc2f3bdd6866e362ac5","7fefb7a81a4c7d4a51a9618d9ef69e951604fa3d7b70d9a2728c971591c1af25","f4625b34ba131cafe5ac4081d3f1477838afc16fedc384aea4b785832bcdbfdd","8cdb70f9f1f38b8853dfad62d84618bb4f10acce41e9f0fddab422c2c253c994","c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2","61466657b14313134049e0c6215266ac1bb1d4aa3c07894f369848b939692c49")

    Reference:    

    https://unit42.paloaltonetworks.com/phishing-campaign-with-complex-attack-chain/


    Tags

    RATXloaderCascading ShadowsMalwareAgent TeslaRemcos RAT

    « Previous ArticleNext Article »

    Comments

    No records to display

    Looking for Something?
    Threat Research Categories:
    Tags

    Privacy & Security StatementTerms & Conditions
    Copyright © 2025 by Gurucul - All rights reserved.