A recent malware campaign used a VBA macro in a Word document to download and execute a 64-bit Rust binary. This binary employs fileless injection techniques to load a malicious AgentTesla payload into its own memory space. To achieve this, the malware leverages CLR hosting, a mechanism that lets a native process execute .NET code; the .NET runtime libraries are loaded dynamically, allowing the malware to operate without writing files to disk. The malware disables Event Tracing for Windows (ETW) by patching the “EtwEventWrite” API and then downloads shellcode containing the AgentTesla payload from a specific URL.
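The ETW-tampering step described above leaves a simple in-memory artifact a defender can check for: the first bytes of `ntdll!EtwEventWrite` in a running process will have been overwritten with a short stub that returns immediately. The following Python is an added example written for this page (it is not code from the campaign or from GBHackers); the stub byte patterns in `KNOWN_STUBS` are a constructed list of common neutralising sequences, not bytes recovered from this sample, and the live read via `ctypes` is only attempted on Windows.

```python
"""Added example: check whether EtwEventWrite's prologue has been overwritten."""
import ctypes
import sys

# Constructed list of short "return immediately" stubs that are typically
# written over an API entry point to neutralise it (assumption for this
# example, not taken from the campaign write-up).
KNOWN_STUBS = (
    b"\xc3",                 # ret
    b"\x33\xc0\xc3",         # xor eax, eax ; ret
    b"\x48\x33\xc0\xc3",     # xor rax, rax ; ret
)


def is_neutralised(prologue: bytes) -> bool:
    """Return True if the function prologue begins with a known stub.

    Besides the fixed byte sequences, this also flags two generic shapes:
    'ret imm16' (0xC2 xx xx) and 'mov eax, imm32 ; ret' (0xB8 xx xx xx xx C3),
    which cover stubs that return an arbitrary status code.
    """
    if not prologue:
        return False
    for stub in KNOWN_STUBS:
        if prologue.startswith(stub):
            return True
    if prologue[0] == 0xC2:                                   # ret imm16
        return True
    if len(prologue) >= 6 and prologue[0] == 0xB8 and prologue[5] == 0xC3:
        return True                                           # mov eax, imm32 ; ret
    return False


def read_live_prologue(nbytes: int = 8) -> bytes:
    """Read the first nbytes of EtwEventWrite as mapped in this process.

    Only meaningful on Windows; raises OSError elsewhere so callers can
    fall back to offline analysis of a memory dump.
    """
    if sys.platform != "win32":
        raise OSError("EtwEventWrite is only resolvable on Windows")
    ntdll = ctypes.WinDLL("ntdll")
    addr = ctypes.cast(ntdll.EtwEventWrite, ctypes.c_void_p).value
    return ctypes.string_at(addr, nbytes)


def check_current_process() -> str:
    """Human-readable verdict for the running process."""
    try:
        prologue = read_live_prologue()
    except OSError as exc:
        return f"skipped: {exc}"
    verdict = "PATCHED" if is_neutralised(prologue) else "intact"
    return f"EtwEventWrite prologue {prologue.hex()} -> {verdict}"


if __name__ == "__main__":
    print(check_current_process())
```

The stub check is deliberately conservative: a legitimate 64-bit `EtwEventWrite` entry never starts with a bare return, so a match is a strong signal, while a non-match does not prove integrity (a patch placed deeper in the function, or a hook that jumps elsewhere, would pass). A more robust variant compares the in-memory bytes against the same export in the on-disk copy of `ntdll.dll`, which catches any modification rather than only these stub shapes.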
Source: GBHackers