{"id":19132,"date":"2022-05-28T19:03:09","date_gmt":"2022-05-29T03:03:09","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12865\/"},"modified":"2022-05-28T19:03:09","modified_gmt":"2022-05-29T03:03:09","slug":"news-12865","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/05\/28\/news-12865\/","title":{"rendered":"Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT \/ BitRAT \/ PandoraHVNC \u2013 Part II"},"content":{"rendered":"
\n
\n
<\/div>\n<\/p><\/div>\n
\n

Fortinet\u2019s FortiGuard Labs captured a phishing campaign that delivers three fileless malware onto a victim\u2019s device. Once executed, they are able to control and steal sensitive information from that device to perform other actions according to the control commands from their server.<\/span><\/p>\n

In Part I of this analysis<\/a>, I introduced how these three fileless malware are delivered to the victim\u2019s device via a phishing campaign, and what mechanism it uses to load, deploy, and execute these fileless malware in the target process.<\/p>\n

In Part II, I will focus on the three malware payloads and elaborate on how they steal sensitive information from the victim\u2019s device, how they submit data to their C2 server, details about the control commands, as well as what they can perform with those control commands. <\/p>\n

Affected platforms:<\/b> Microsoft Windows
Impacted parties:<\/b> Microsoft Windows Users
Impact:<\/b> Controls victim\u2019s device and collects sensitive information
Severity level:<\/b> Critical <\/p>\n

Fileless Malware 1 – AveMariaRAT<\/h2>\n

\u201cAve Maria\u201d is a RAT (Remote Access Trojan), also known as WARZONE RAT. It offers a wide range of features, such as stealing victim\u2019s sensitive information and remote controlling an infected device, including privilege escalation, remote desktop control, camera capturing, and more.<\/p>\n

It is the first of the three malware (refer to Figure 3.3 of the previous analysis<\/a>) to be injected into a newly-created \u201caspnet_compiler.exe\u201d process on the victim\u2019s device and then run.<\/p>\n

Step One:<\/h3>\n

Ave Maria has a configuration block that is RC4 encrypted within its PE structure\u2019s \u201c.bss\u201d section. The decryption key and encrypted data are together within the \u201c.bss\u201d. When the malware starts, it first decrypts the configuration block. Figure 1.1 shows the decrypted data in memory.<\/p>\n<\/p><\/div>\n