Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part II | FortiGuard Labs 

Fortinet’s FortiGuard Labs documented a phishing campaign that delivers three fileless malware payloads to Windows hosts, giving the attacker control of the device and enabling data theft over a C2 channel. The payloads, AveMariaRAT, PandoraHVNC RAT, and BitRAT, steal credentials, capture screens and webcams, and execute commands through a centralized C2 server. #AveMariaRAT #PandorahVNC #BitRat #DuckDNS

Key points

  • Phishing campaign targets Microsoft Windows users and delivers three fileless malware payloads.
  • AveMariaRAT injects itself into a newly created aspnet_compiler.exe process and uses RC4 for both its configuration block and its C2 traffic, with optional UAC and Defender bypasses.
  • PandoraHVNC RAT uses process hollowing to load its core module into cvtres.exe, registers with the C2 server, and transmits victim data.
  • BitRAT provides a large feature set (172 commands) including screen and webcam capture, keylogging, clipboard access, and remote control, with extensive plugin support.
  • All three strains communicate with a C2 server over encrypted channels (RC4, TLS 1.2 with AES-256) and exfiltrate victim information/credentials.
  • Fortinet protections (Web Filtering, Antivirus, FortiEDR, and CDR) detect and block these components; Fortinet also advises user awareness training.

MITRE Techniques

  • [T1055] Process Injection – AveMariaRAT is “injected into a newly-created ‘aspnet_compiler.exe’ process on the victim’s device and then run.”
  • [T1055.012] Process Hollowing – PandoraHVNC RAT “deploys the core module into a newly-created process, ‘cvtres.exe’ … using process hollowing.”
  • [T1027] Obfuscated/Compressed Files and Information – AveMariaRAT uses RC4 for its configuration block and its C2 traffic: “A configuration block that is RC4 encrypted within its PE structure’s ‘.bss’ section” and “RC4 encrypted with a constant encryption key ‘warzone160’.”
  • [T1041] Exfiltration Over C2 Channel – Credentials and basic device information are sent to the C2 server; the malware “collects basic information from the victim’s device and sends it to the C2 server.”
  • [T1555.003] Credentials from Web Browsers – The Password Manager feature steals credentials from browsers and other applications; it “aims to steal credentials from a group of apps, listed below, including internet browsers and email clients.”
  • [T1021] Remote Services – The Remote VNC feature is used to control the victim’s device; “Start the Remote VNC.”
  • [T1113] Screen Capture – BitRAT can show a preview of the victim’s screen; “Show a preview of screen or webcam.”
  • [T1125] Video Capture – PandoraHVNC includes webcam capture; “Start victim’s camera.”
  • [T1112] Modify Registry – PandoraHVNC includes registry-related commands (e.g., “reg_hkeys_get”, “reg_keys_root_get”) that “Obtain a list of HKEYs (Handles to the Keys) of the victim’s system registry.”
  • [T1082] System Information Discovery – Stage Two collects basic information about the victim’s device; “It collects basic information from the victim’s device.”

Indicators of Compromise

  • [Domain] C2 domains – vncgoga.duckdns.org:1338, maraipasoo.duckdns.org:890
  • [Domain] Additional C2 domains – mubbibun.duckdns.org:999, danseeeee.duckdns.org:2022
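The following is an added detection example, not code from the FortiGuard post or from Fortinet. It turns the indicators this summary lists into checks a defender can run over endpoint telemetry: the four DuckDNS C2 host:port pairs from the IoC list, and the two .NET helper processes (aspnet_compiler.exe from the T1055 entry, cvtres.exe from the T1055.012 entry) that the payloads are injected into or hollowed out. The log format, the sample events, and the list of "expected" parents for those build helpers are all constructed assumptions for this example; the rule names are hypothetical.

```python
"""Added example (not from the FortiGuard post): match constructed endpoint
telemetry against the C2 hosts and hosted-process names the summary lists."""
import re
from pathlib import PureWindowsPath

# Indicators taken from the page's IoC list: C2 host -> port.
C2_HOSTS = {
    "vncgoga.duckdns.org": 1338,
    "maraipasoo.duckdns.org": 890,
    "mubbibun.duckdns.org": 999,
    "danseeeee.duckdns.org": 2022,
}

# Processes the page says are created to host the injected / hollowed payloads.
HOSTED_PROCESSES = {"aspnet_compiler.exe", "cvtres.exe"}

# Assumption: these .NET build helpers are normally spawned by build tooling,
# so any other parent is worth a look. Tune for your environment.
EXPECTED_PARENTS = {"msbuild.exe", "csc.exe", "vbc.exe", "devenv.exe"}

# Constructed sample events (format is an assumption): <kind> key="value" ...
SAMPLE_LOGS = [
    'netconn image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe" dst="vncgoga.duckdns.org" dport="1338"',
    'netconn image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" dst="example.org" dport="443"',
    'netconn image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe" dst="10.0.0.5" dport="445"',
    'procstart image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe" parent="C:\\Users\\user\\AppData\\Local\\Temp\\invoice.exe"',
    'procstart image="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe" parent="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe"',
    'netconn image="C:\\Windows\\System32\\svchost.exe" dst="maraipasoo.duckdns.org" dport="890"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Split '<kind> key="value" ...' into a dict; quoted values may contain spaces."""
    kind, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["kind"] = kind
    return fields


def basename(path):
    """Lower-cased file name of a Windows path ('' for an empty path)."""
    return PureWindowsPath(path).name.lower()


def evaluate(event):
    """Return a list of (rule_name, detail) hits for one parsed event."""
    hits = []
    kind = event.get("kind")
    image = basename(event.get("image", ""))
    if kind == "netconn":
        dst = event.get("dst", "").lower()
        dport = event.get("dport", "")
        if dst in C2_HOSTS:
            # Match on host alone; note whether the port also matches the IoC list.
            note = "port matches" if str(C2_HOSTS[dst]) == dport else "port differs"
            hits.append(("known_c2_host", f"{image} -> {dst}:{dport} ({note})"))
        if image in HOSTED_PROCESSES:
            # A build helper opening a network connection is the behaviour the
            # page describes for the injected / hollowed payloads.
            hits.append(("hosted_process_netconn", f"{image} -> {dst}:{dport}"))
    elif kind == "procstart" and image in HOSTED_PROCESSES:
        parent = basename(event.get("parent", ""))
        if parent not in EXPECTED_PARENTS:
            hits.append(("unexpected_parent", f"{image} started by {parent}"))
    return hits


def scan(lines):
    """Run every rule over every line; returns (line_index, rule_name, detail)."""
    findings = []
    for idx, line in enumerate(lines):
        for rule, detail in evaluate(parse_event(line)):
            findings.append((idx, rule, detail))
    return findings


if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_LOGS):
        print(f"line {idx}: {rule}: {detail}")
```

The host match is the high-confidence signal; the two process rules are behavioural and will need a per-environment allow-list before they are used for alerting, since build servers legitimately spawn both helpers.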

Read more: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware-part-two