New MidgeDropper Variant | FortiGuard Labs

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium

One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining the function of the malware, who created it, and the reasons behind it become a mystery to solve. The previously unseen dropper variant we recently found, named MidgeDropper, has a complex infection chain that includes code obfuscation and sideloading, making it an interesting use case. Although we couldn’t obtain the final payload, this blog will still explore what makes this dropper tick.

Initial Infection Vector

The initial infection vector was not available to FortiGuard Labs at the time of our investigation. However, we strongly suspect it to be a phishing e-mail because we have access to an RAR archive—!PENTING_LIST OF OFFICERS.rar—that would have been the likely attachment to an e-mail.

!PENTING_LIST OF OFFICERS.rar

Two files are in the !PENTING_LIST OF OFFICERS.rar archive: “Notice to Work-From-Home groups.pdf” and “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” (Figure 1).

Figure 1: Contents of “!PENTING_LIST OF OFFICERS.rar”.


Notice to Work-From-Home groups.pdf

The “Notice to Work-From-Home groups.pdf” file is exactly what it appears to be: a PDF file. It contains an image of an error message that falsely indicates that the PDF document failed to load. It is designed to act as a decoy and shift the recipient’s attention to clicking on and executing the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file. Since file extensions are hidden by default in Windows, it is unlikely that anyone reviewing the contents would see the “.exe” and would instead assume they were opening another PDF file.
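The double-extension trick described above can be checked mechanically when triaging an archive or at a mail gateway. The following is an added example, not code from FortiGuard Labs; the extension sets and function names are assumptions chosen for illustration.

```python
import ntpath

# Assumed, non-exhaustive extension sets chosen for this illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def split_real_extension(name):
    """Return (stem, ext) for the extension Windows will act on.

    Windows drops trailing dots and spaces from a filename, so a name
    such as "a.pdf.exe. " still resolves to an .exe.
    """
    base = ntpath.basename(name).rstrip(". ")
    stem, ext = ntpath.splitext(base)
    return stem, ext.lower()


def displayed_name(name):
    """Name Explorer shows when known extensions are hidden (the default)."""
    stem, _ext = split_real_extension(name)
    return stem


def is_masquerading(name):
    """True when an executable extension hides behind a document-style one."""
    stem, ext = split_real_extension(name)
    if ext not in EXECUTABLE_EXTS:
        return False
    # Whitespace padding between the decoy and real extension is ignored.
    inner_ext = ntpath.splitext(stem.rstrip())[1].lower()
    return inner_ext in DECOY_EXTS


def triage_archive(member_names):
    """Return (real name, name the user sees) for each suspicious member."""
    return [(n, displayed_name(n)) for n in member_names if is_masquerading(n)]


# Member names as listed on the page for the RAR archive.
ARCHIVE_MEMBERS = [
    "Notice to Work-From-Home groups.pdf",
    "062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe",
]

if __name__ == "__main__":
    for real, shown in triage_archive(ARCHIVE_MEMBERS):
        print(f"flagged: {real!r} is displayed as {shown!r}")
```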

Figure 2: Decoy document “Notice to Work-From-Home groups.pdf.”


062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe

At 6.7MB, the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file is large by malware delivery standards. This executable primarily functions as a dropper for the following stages of infection.

The executable drops the files “Microsoft Office.doc,” “IC.exe,” “power.exe,” and “power.xml”. It also reaches out to “hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe” to pull down the file “seAgnt.exe.”

Figure 3: HTTP GET request to download “seAgnt.exe.”


Microsoft Office.doc

This file is dropped and opened from “C:Users<user>AppDataLocalTempMicrosoftOffice.” It is also meant to be a decoy. It is populated in some versions of the dropper, but it was empty and benign in the version analyzed by FortiGuard Labs.

Figure 4: Location of the dropped “Microsoft Office.doc.”


Figure 5: The hex representation of the scant content of “Microsoft Office.doc.”


IC.exe

“IC.exe” is dropped by “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” and deposited into “C:ProgramDataEmisoftMicrosoftStreamIC.exe.” It is responsible for obtaining the next stage of the infection.

Figure 6: IC.exe being executed.


“IC.exe” reaches out to a URL at “185[.]225[.]68[.]37” to download an additional file, “VCRUNTIME140_1.dll.”

Figure 7: IC.exe showing its intention to download “VCRUNTIME140_1.dll”.


Figure 8: HTTP GET request to download “VCRUNTIME140_1.dll”.


As can probably be guessed by the filename, “VCRUNTIME140_1.dll” is meant to appear as a file related to the Microsoft Visual C++ Redistributable Package. 

power.exe and power.xml

“power.exe” is dropped along with “power.xml” by “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”. “power.exe” only has one job: decoding and processing “power.xml.”

Figure 9: power.xml natively before beautification.


Figure 9 shows that “power.xml” in its native format is obfuscated and not readily readable. This can be easily rectified by removing the garbage characters used for obfuscation.

Figure 10: “power.xml” after beautification with its purpose highlighted.


With obfuscation removed, an XML document remains. Much of the information is irrelevant except for the final section under the “Actions” tag. The primary purpose of this pair of files is to launch “seAgnt.exe.”

seAgnt.exe

“seAgnt.exe” is a renamed copy of “GameBarFTServer.exe,” an application published by Microsoft as the “Xbox Game Bar Full Trust COM Server.” It is a background process for the Xbox Game Bar that runs on Windows.

Figure 11: Properties of the “seAgnt.exe” process.


Although itself benign, “seAgnt.exe” does depend on “VCRUNTIME140_1.dll”. This dependency allows the malicious code inside of the DLL to execute.

Figure 12: “seAgnt.exe” dependencies with “VCRUNTIME140_1.dll” highlighted.


VCRUNTIME140_1.dll

“VCRUNTIME140_1.dll” is normally a legitimate DLL that is part of the Microsoft Visual C++ runtime package. Unfortunately, the particular version used here is malicious.

Because “VCRUNTIME140_1.dll” is a Dynamic Link Library, it cannot run as a standalone executable. It needs another application to load its code into memory and execute it, and “seAgnt.exe” is that application. This technique is called sideloading (https://attack.mitre.org/techniques/T1574/002/) because a dependency of a legitimate application is hijacked to allow the malicious code to load.
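The renamed host binary and the sideloaded runtime DLL described above leave a pattern that can be hunted for in endpoint telemetry. The following is an added example, not code from FortiGuard Labs: it runs over constructed Sysmon-style records (Event ID 1 process creation, Event ID 7 image load), and the directories, GUIDs, allow-list and the OriginalFileName value for “seAgnt.exe” are assumptions. An application-local copy of the DLL is common in legitimate software, so that case is only marked for review.

```python
import ntpath

# Assumed allow-list of directories a system-wide copy of the runtime loads from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
WATCHED_DLLS = {"vcruntime140_1.dll"}


def record(event_id, guid, image, **extra):
    """Build one constructed Sysmon-style record (1 = process create, 7 = image load)."""
    return {"EventID": event_id, "ProcessGuid": guid, "Image": image, **extra}


# Constructed sample telemetry. Directories and GUIDs are placeholders, and the
# OriginalFileName for seAgnt.exe is assumed from the page's "renamed copy" finding.
BAD = r"C:\Users\Public\sample\seAgnt.exe"
APP = r"C:\Program Files\ExampleApp\app.exe"
SYS = r"C:\Windows\System32\example.exe"
SAMPLE_EVENTS = [
    record(1, "{guid-1}", BAD, OriginalFileName="GameBarFTServer.exe"),
    record(7, "{guid-1}", BAD, ImageLoaded=r"C:\Users\Public\sample\VCRUNTIME140_1.dll"),
    record(1, "{guid-2}", APP, OriginalFileName="app.exe"),
    record(7, "{guid-2}", APP, ImageLoaded=r"C:\Program Files\ExampleApp\vcruntime140_1.dll"),
    record(1, "{guid-3}", SYS, OriginalFileName="example.exe"),
    record(7, "{guid-3}", SYS, ImageLoaded=r"C:\Windows\System32\vcruntime140_1.dll"),
]


def find_sideloading(events):
    """Return (severity, process image, DLL path) for watched DLLs loaded from untrusted dirs."""
    # Pass 1: processes whose on-disk name differs from the PE OriginalFileName.
    renamed = set()
    for ev in events:
        if ev["EventID"] == 1 and ev.get("OriginalFileName"):
            if ntpath.basename(ev["Image"]).lower() != ev["OriginalFileName"].lower():
                renamed.add(ev["ProcessGuid"])
    # Pass 2: watched runtime DLLs resolved from outside the trusted directories.
    findings = []
    for ev in events:
        if ev["EventID"] != 7:
            continue
        dll = ev["ImageLoaded"]
        if ntpath.basename(dll).lower() not in WATCHED_DLLS:
            continue
        if dll.lower().startswith(TRUSTED_DIRS):
            continue
        # A renamed host plus a non-system runtime DLL matches the chain on this page.
        severity = "high" if ev["ProcessGuid"] in renamed else "review"
        findings.append((severity, ev["Image"], dll))
    return findings
```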

Figure 13: “VCRUNTIME140_1.dll” file section list with some non-standard additions.


The file is heavily obfuscated and designed to make analysis much more difficult. For example, the figure below shows the massive number of function jumps that attempt to hide the purpose of the code.

Figure 14: Partial view of the execution tree of “VCRUNTIME140_1.dll” showing a considerable number of functions and jumps meant to obfuscate the purpose of the code.


The rest of the code makes it equally difficult to follow along in a disassembler.

The primary purpose of the code appears to be reaching out to “hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat” to pull down the file “35g3498734gkb.dat”.

Figure 15: Queuing up to download “35g3498734gkb.dat”.


35g3498734gkb.dat

Oddly, “35g3498734gkb.dat” is identical to “VCRUNTIME140_1.dll” in terms of the file hash, so it’s unclear why the threat actor opted to pull it down again from the C2 node.

Figure 16: “VCRUNTIME140_1.dll” and “35g3498734gkb.dat” are identical files.


Unfortunately, further links on the infection chain were taken down when our analysis began, preventing further analysis of any potential final payloads.

Conclusion

Despite the final payload being unavailable before FortiGuard Labs could analyze it, this dropper made an interesting case study and provided a subject to watch out for.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following AV signatures detect the malware samples mentioned in this blog:

  • MalwThreat!caa0FT
  • W32/Agent.9CDF!tr

The WebFiltering client blocks all network-based URIs.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

IOCs

File-based IOCs:


Network-based IOCs:

  • 185[.]225[.]69[.]226 (C2 Node)
  • hXXp://185[.]225[.]68[.]37/jay/nl/VCRUNTIME140_1.dll (Stage download location)
  • hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe (Stage download location)
  • hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat (Stage download location)

Source: https://www.fortinet.com/blog/threat-research/new-midgedropper-variant