Fake Leonardo DiCaprio Movie Torrent Used as Bait to Spread Agent Tesla Trojan

Bitdefender Uncovers Campaign Distributing Agent Tesla Info-Stealer via Fake Movie Torrent

HIGH
December 11, 2025
4m read
Malware, Phishing

Full Report

Executive Summary

Researchers at Bitdefender have uncovered a malware campaign that uses the allure of a pirated movie to infect Windows users with the Agent Tesla information stealer. The attackers are distributing a fake torrent file for a non-existent Leonardo DiCaprio movie titled "One Battle After Another." The infection process is highly convoluted, designed to bypass security software and user suspicion. It involves multiple stages of scripts and decryption, culminating in a memory-only execution of Agent Tesla, a potent trojan known for its ability to steal credentials, keystrokes, and other sensitive data.

Threat Overview

The attack preys on users searching for pirated content on torrent websites. The downloaded torrent appears suspicious, containing a large number of files rather than a single video file. The core of the attack is a malicious .lnk shortcut file disguised as a movie launcher. When the user clicks this shortcut, it triggers a complex chain of events designed to download and execute the final malware payload without being detected.

Technical Analysis

The multi-stage attack chain is designed for stealth and evasion:

  1. Initial Execution (T1204.002 - Malicious File): The user clicks a malicious .lnk file within the torrent download.

  2. Scripting and Obfuscation (T1059.001 - PowerShell): The shortcut file executes a PowerShell command. This command reads and executes hidden batch commands embedded within other files in the torrent, such as subtitle files (.srt). This is a form of steganography (T1027.003 - Steganography).

  3. Multi-Layered Execution: The initial scripts lead to further layers of PowerShell execution. These scripts download image archives which contain AES-encrypted payloads. The decryption key is passed through the chain of scripts.

  4. Persistence (T1547.001 - Registry Run Keys / Startup Folder): To ensure it survives a reboot, the malware creates a scheduled task disguised as a legitimate "Realtek audio diagnostic task."

  5. Final Payload (Fileless Execution): The final payload is the Agent Tesla executable, which is decrypted and loaded directly into memory. This fileless technique means no malicious executable is written to the disk, making it much harder for traditional file-based antivirus scanners to detect.

Impact Assessment

Once active, Agent Tesla is a powerful information stealer. It can:

  • Log keystrokes to capture everything the user types.
  • Steal credentials stored in web browsers, email clients, and FTP clients.
  • Take screenshots of the user's desktop.
  • Exfiltrate the stolen data to an attacker-controlled C2 server.

A successful infection can lead to the compromise of numerous online accounts, including email, banking, and social media, resulting in financial loss and identity theft.

IOCs

No specific IOCs such as file hashes or C2 domains were provided in the source reports.

Cyber Observables for Detection

  • Suspicious Scheduled Tasks: Look for newly created scheduled tasks with suspicious names or actions, especially those disguised as legitimate software updates or diagnostics (e.g., 'Realtek audio diagnostic').
  • PowerShell Execution: Monitor for PowerShell processes that are launched with encoded commands or that read from unusual file types like .srt or .txt.
  • .LNK File Execution: Execution of .lnk files from untrusted locations like a 'Downloads' folder should be considered suspicious.

Detection & Response

  1. EDR and Behavioral Analysis: Use an advanced EDR solution that can detect fileless malware by monitoring process behavior, memory, and PowerShell activity. This aligns with D3FEND Process Analysis.
  2. PowerShell Logging: Ensure PowerShell Script Block Logging (Event ID 4104) is enabled. This will log the de-obfuscated content of PowerShell scripts, revealing the malware's actions.
  3. Threat Hunting: Hunt for the creation of suspicious scheduled tasks and for parent-child process relationships where cmd.exe or powershell.exe are spawned by unexpected applications.
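As an added illustration of the observables and hunting steps above (example code written here, not code from Bitdefender or the article), the routine below runs simple triage rules over constructed process-creation and scheduled-task-creation records: a script host spawned by explorer.exe with a hidden window, a script host reading a subtitle-style data file from a user path and piping it to Invoke-Expression, an encoded command, and a vendor-sounding task whose action runs a hidden PowerShell from a user-writable directory. The event field names, sample paths and task name are assumptions, not indicators from the campaign.

```python
import re

# Constructed sample telemetry (not real IoCs): two process-creation records in a
# Sysmon Event 1 / Security 4688 shape and one task-creation record (Security 4698 shape).
SAMPLE_EVENTS = [
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -ep bypass -c "gc C:\Users\u\Downloads\movie\English.srt | iex"'},
    {"kind": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "cmdline": r'"C:\Program Files\VideoLAN\VLC\vlc.exe" C:\Users\u\Videos\holiday.mkv'},
    {"kind": "task", "name": r"\Realtek audio diagnostic task",
     "action": r"powershell.exe -w hidden -File C:\Users\u\AppData\Roaming\rt.ps1"},
]

SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe\b", re.I)
DATA_FILE = re.compile(r"\.(srt|txt|jpg|jpeg|png|mp4|mkv)\b", re.I)  # media/text fed to a script host
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\b", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
USER_PATH = re.compile(r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData|Videos|Temp)\\", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)

def check_process(ev):
    """Rules for a script host launched with a suspicious command line or parent."""
    cmd, hits = ev["cmdline"], []
    if SCRIPT_HOST.search(ev["image"]):
        if ENCODED.search(cmd):
            hits.append("encoded_command")
        if DATA_FILE.search(cmd) and USER_PATH.search(cmd):
            hits.append("script_host_reads_data_file")  # e.g. batch hidden in a .srt
        if IEX.search(cmd):
            hits.append("invoke_expression")
        if HIDDEN.search(cmd) and ev["parent"].lower().endswith("explorer.exe"):
            hits.append("hidden_script_host_from_explorer")  # typical of a clicked .lnk
    return hits

def check_task(ev):
    """A task whose action runs a hidden script host or one from a user-writable path."""
    act = ev["action"]
    if SCRIPT_HOST.search(act) and (HIDDEN.search(act) or USER_PATH.search(act)):
        return ["task_runs_hidden_script_host"]
    return []

def triage(events):
    """Return (event index, rule) pairs for every rule that fires."""
    out = []
    for i, ev in enumerate(events):
        hits = check_process(ev) if ev["kind"] == "process" else check_task(ev)
        out.extend((i, h) for h in hits)
    return out
```

The rules are deliberately coarse; in production you would scope them to the event sources named in the text (4104 script block content, task-creation and process-creation logs) and tune the path and extension lists to your environment.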

Mitigation

  1. User Education: The most effective mitigation is to educate users on the dangers of downloading pirated software and media. Emphasize that content like movies still in theaters is almost certainly a trap. This is a direct application of MITRE ATT&CK Mitigation M1017 - User Training.
  2. Endpoint Protection: Use a modern endpoint security solution with behavioral detection capabilities to identify and block malicious scripts and memory-resident threats.
  3. Restrict Scripting: Where possible, use application control or Group Policy to restrict the execution of PowerShell and other scripting languages for standard users.
  4. Show File Extensions: Configure Windows to always show file extensions. This helps users spot when a file pretending to be a video is actually a shortcut (.lnk) or script (.bat, .vbs).

Timeline of Events

December 11, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Educate users about the significant risks of downloading pirated content and how to identify suspicious files like .lnk shortcuts pretending to be media files.
  • Use application control policies to restrict the execution of scripting languages like PowerShell for standard users, disrupting the attack chain.
  • Deploy an EDR solution that can detect and block malicious behaviors, such as a .lnk file launching PowerShell to execute commands from a subtitle file.

Sources & References

Fake movie torrent hides Agent Tesla malware attack, SC Magazine (scmagazine.com), December 11, 2025

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Agent Tesla, Malware, Torrent, InfoStealer, Phishing, PowerShell
