Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium
One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining what the malware does, who created it, and why becomes a mystery to solve. The previously unseen dropper variant we recently found, named MidgeDropper, has a complex infection chain that includes code obfuscation and DLL sideloading, making it an interesting case study. Although we couldn’t obtain the final payload, this blog will still explore what makes this dropper tick.
Initial Infection Vector
The initial infection vector was not available to FortiGuard Labs at the time of our investigation. However, we strongly suspect it to be a phishing e-mail because we have access to a RAR archive—!PENTING_LIST OF OFFICERS.rar—that would have been the likely attachment to an e-mail.
!PENTING_LIST OF OFFICERS.rar
Two files are in the !PENTING_LIST OF OFFICERS.rar archive: “Notice to Work-From-Home groups.pdf” and “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” (Figure 1).
Figure 1: Contents of “!PENTING_LIST OF OFFICERS.rar”.
Notice to Work-From-Home groups.pdf
The “Notice to Work-From-Home groups.pdf” file is exactly what it appears to be: a PDF file. It contains an image of an error message that falsely indicates that the PDF document failed to load. It is designed to act as a decoy and shift the recipient’s attention to clicking on and executing the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file. Since file extensions are hidden by default in Windows, anyone reviewing the archive contents is unlikely to see the trailing “.exe” and would instead assume they were opening a second PDF file.
Figure 2: Decoy document “Notice to Work-From-Home groups.pdf.”
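The double-extension trick described above is easy to check for before an attachment is ever opened. The following script is an added example written for this write-up, not code from the Fortinet report: it models what Explorer displays when known extensions are hidden, flags archive members whose real extension is executable but whose visible extension looks like a document, and scans an in-memory ZIP built from the two file names in the report (the real attachment is a RAR, which the Python standard library cannot read, so a ZIP stands in for it here; the file contents are constructed dummies).

```python
import io
import zipfile

# Extensions a recipient would read as "just a document" (constructed list, extend as needed)
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}
# Extensions Windows actually executes on double-click
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta", "msi", "lnk"}


def displayed_name(name: str) -> str:
    """What Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'report.pdf.exe' is rendered as 'report.pdf'."""
    return name.rsplit(".", 1)[0] if "." in name else name


def is_deceptive(name: str) -> bool:
    """True when the real (last) extension is executable and the extension the user
    will see after Explorer hides it looks like a harmless document type."""
    parts = name.lower().strip().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, visible, real = parts
    return real in EXECUTABLE_EXTS and visible in DOCUMENT_EXTS


def scan_zip(data: bytes) -> list:
    """Return the member names of a ZIP archive that use a deceptive double extension."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist() if is_deceptive(info.filename)]


def demo() -> list:
    """Build a constructed archive with the two file names from the report and scan it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Notice to Work-From-Home groups.pdf", b"%PDF-1.4 constructed decoy")
        zf.writestr(
            "062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe",
            b"MZ constructed placeholder, not the real dropper",
        )
    return scan_zip(buf.getvalue())


if __name__ == "__main__":
    for flagged in demo():
        print(f"DECEPTIVE: shown as {displayed_name(flagged)!r}, really {flagged!r}")
```

The same `is_deceptive` check can be dropped into a mail-gateway or EDR rule: it is the pairing of a document-looking inner extension with an executable outer one that matters, not either extension alone, so `archive.tar.gz` or `report.pdf` are not flagged.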
062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe
At 6.7MB, the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file is large by malware delivery standards. This executable primarily functions as a dropper for the following stages of the infection.
The executable drops the files “Microsoft Office.doc,” “IC.exe,” “power.exe,” and “power.xml”. It also reaches out to “hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe” to pull down the file “seAgnt.exe.”
Figure 3: HTTP GET request to download “seAgnt.exe.”
Microsoft Office.doc
This file is dropped and opened from “C:\Users\<user>\AppData\Local\Temp\MicrosoftOffice.” It is also meant to be a decoy. It is populated in some versions of the dropper, but it was empty and benign in the version analyzed by FortiGuard Labs.
Figure 4: Location of the dropped “Microsoft Office.doc.”
Figure 5: The hex representation of the scant content of “Microsoft Office.doc.”
IC.exe
“IC.exe” is dropped by “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” and deposited into “C:\ProgramData\Emisoft\MicrosoftStream\IC.exe.” It is responsible for obtaining the next stage of the infection.
Figure 6: IC.exe being executed.
“IC.exe” reaches out to a URL at “185[.]225[.]68[.]37” to download an additional file, “VCRUNTIME140_1.dll.”
Figure 7: IC.exe showing its intention to download “VCRUNTIME140_1.dll”.
Figure 8: HTTP GET request to download “VCRUNTIME140_1.dll”.
As can probably be guessed by the filename, “VCRUNTIME140_1.dll” is meant to appear as a file related to the Microsoft Visual C++ Redistributable Package.
power.exe and power.xml
“power.exe” is dropped along with “power.xml” by “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”. “power.exe” has only one job: decoding and processing “power.xml.”
Figure 9: power.xml natively before beautification.
Figure 9 shows that “power.xml” in its native form is obfuscated and not readily readable. This is easily rectified by removing the garbage characters inserted for obfuscation.
Figure 10: “power.xml” after beautification with its purpose highlighted.
With the obfuscation removed, an ordinary XML document remains. Most of its content is irrelevant; the part that matters is the final section under the “Actions” tag. The primary purpose of this pair of files is to launch “seAgnt.exe.”
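The clean-up described above (strip the junk, parse what is left, read the “Actions” section) can be scripted so that every sample of this family is handled the same way. The script below is an added example for this write-up, not the report’s or the dropper’s own code. The actual garbage-character scheme and the full layout of “power.xml” are not reproduced in the report, so the example constructs a stand-in: a Windows Task Scheduler style document (an assumption, chosen because the report only tells us it has an “Actions” tag that launches a program) with control characters sprinkled between the real characters. The beautifier keeps printable ASCII and XML whitespace only; for a real sample the filter would be tuned to whatever junk that sample contains.

```python
import random
import re
import xml.etree.ElementTree as ET

# Constructed clean document in Task Scheduler layout (assumed, not taken from the sample).
CLEAN_XML = (
    '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    "<RegistrationInfo><Author>user</Author></RegistrationInfo>"
    "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
    '<Actions Context="Author"><Exec>'
    "<Command>C:\\ProgramData\\seAgnt.exe</Command>"
    "<Arguments>/silent</Arguments>"
    "</Exec></Actions></Task>"
)

# Assumed garbage: control characters, which never belong in a well-formed XML 1.0 file.
JUNK = "\x00\x01\x02\x1b"


def obfuscate(xml_text: str, seed: int = 1) -> str:
    """Simulate the obfuscated power.xml by interleaving junk characters (constructed scheme)."""
    rng = random.Random(seed)
    out = []
    for ch in xml_text:
        out.append(ch)
        if rng.random() < 0.3:
            out.append(rng.choice(JUNK))
    return "".join(out)


# Anything outside tab/LF/CR and printable ASCII is treated as garbage.
_GARBAGE = re.compile(r"[^\x09\x0a\x0d\x20-\x7e]")


def beautify(raw: str) -> str:
    """Remove the garbage characters so the tag structure becomes parseable again."""
    return _GARBAGE.sub("", raw)


def _local(tag: str) -> str:
    """Strip an XML namespace prefix like '{http://...}Exec' down to 'Exec'."""
    return tag.rsplit("}", 1)[-1]


def extract_actions(raw: str) -> list:
    """Beautify, parse, and return every Exec action under the Actions element as a dict
    of child-tag -> text (Command, Arguments, WorkingDirectory, ...)."""
    root = ET.fromstring(beautify(raw))
    actions = []
    for elem in root.iter():
        if _local(elem.tag) != "Exec":
            continue
        actions.append({_local(child.tag): (child.text or "").strip() for child in elem})
    return actions


if __name__ == "__main__":
    obfuscated = obfuscate(CLEAN_XML)
    print("obfuscated sample:", repr(obfuscated[:60]), "...")
    for action in extract_actions(obfuscated):
        print("launches:", action.get("Command"), action.get("Arguments", ""))
```

Parsing by local tag name rather than by full path keeps the extractor working whether or not the document declares the Task Scheduler namespace, and the returned dict makes the launched command (here the renamed “seAgnt.exe” host) the one value an analyst has to look at.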
seAgnt.exe
“seAgnt.exe” is a renamed copy of “GameBarFTServer.exe,” the “Xbox Game Bar Full Trust COM Server” application published by Microsoft. It is a background process for the Xbox Game Bar on Windows.
Figure 11: Properties of the “seAgnt.exe” process.
Although benign in itself, “seAgnt.exe” depends on “VCRUNTIME140_1.dll”. That dependency is what allows the malicious code inside the DLL to execute.
Figure 12: “seAgnt.exe” dependencies with “VCRUNTIME140_1.dll” highlighted.
VCRUNTIME140_1.dll
The legitimate “VCRUNTIME140_1.dll” is part of the Microsoft Visual C++ runtime package. The particular copy used here, however, is malicious and only borrows that name.
Because “VCRUNTIME140_1.dll” is a Dynamic Link Library, it does not run as a separate executable. It needs another application to load its code into memory and execute it, and “seAgnt.exe” is that application. This technique is called DLL sideloading (https://attack.mitre.org/techniques/T1574/002/) because a dependency of a legitimate application is hijacked to get the malicious code loaded.
Figure 13: “VCRUNTIME140_1.dll” file section list with some non-standard additions.
The file is heavily obfuscated and designed to make analysis much more difficult. For example, the figure below shows the huge number of function jumps that hide the purpose of the code.
Figure 14: Partial view of the execution tree of “VCRUNTIME140_1.dll” showing a considerable number of functions and jumps meant to obfuscate the purpose of the code.
The rest of the code is equally difficult to follow in a disassembler.
The primary purpose of the code appears to be reaching out to “hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat” to pull down the file “35g3498734gkb.dat”.
Figure 15: Queuing up to download “35g3498734gkb.dat”.
35g3498734gkb.dat
Oddly, “35g3498734gkb.dat” has the same file hash as “VCRUNTIME140_1.dll,” so the two are byte-for-byte identical, and it is unclear why the threat actor opted to pull the same file down again from the C2 node.
Figure 16: “VCRUNTIME140_1.dll” and “35g3498734gkb.dat” are identical files.
Unfortunately, the later links in the infection chain had been taken down by the time our analysis began, preventing further analysis of any potential final payload.
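Two facts from the analysis above translate directly into a host triage check: a runtime DLL such as “VCRUNTIME140_1.dll” sitting next to an executable in a user-writable folder is a sideloading candidate (the sideloading section), and “35g3498734gkb.dat” being the same bytes as that DLL shows why hashing every dropped file and grouping by digest is worthwhile (the “35g3498734gkb.dat” section). The script below is an added example for this write-up, not code from the report: it hashes a directory tree, groups identical files, flags runtime DLL names found outside the Windows system directories beside an executable, and matches digests against the SHA256 values from the IOC table at the end of this post. The `demo()` function builds a constructed lab tree in a temporary directory with dummy contents, so its hashes will not match the real IOCs; the name list of runtime DLLs is an assumption.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA256 values copied from the file-based IOC table in this report.
KNOWN_BAD = {
    "527afa0c415af005594acaac1093a1ea79e3639fa5563602497eabbae7438130": "VCRUNTIME140_1.dll / 35g3498734gkb.dat",
    "b3e0388f215ac127b647cd7d3f186f2f666dc0535d66797b6e1adb74f828254e": "seAgnt.exe (renamed GameBarFTServer.exe)",
    "fc40e782731b8d3b9ec5e5cf8a9d8b8126dc05028ca58ec52db155b3dadc5fc6": "IC.exe",
    "f26f5a52bddda5eb3245161b784b58635ffa2381818816e50b8bae9680ff88eb": "power.exe",
}

# Runtime DLL names that normally resolve from the system directory (assumed list).
RUNTIME_DLLS = {"vcruntime140.dll", "vcruntime140_1.dll", "msvcp140.dll"}
SYSTEM_DIRS = {"system32", "syswow64", "winsxs"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA256 so large droppers do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def triage(root: Path) -> dict:
    """Hash every file under root and report duplicates, IOC hits and sideload candidates.
    Paths in the result are relative to root, POSIX style, so they are stable across hosts."""
    hashes = {p: sha256_file(p) for p in root.rglob("*") if p.is_file()}
    rel = lambda p: p.relative_to(root).as_posix()

    by_hash = {}
    for p, h in hashes.items():
        by_hash.setdefault(h, []).append(rel(p))
    duplicates = sorted(sorted(group) for group in by_hash.values() if len(group) > 1)

    ioc_hits = sorted((rel(p), KNOWN_BAD[h]) for p, h in hashes.items() if h in KNOWN_BAD)

    sideload = []
    for p in hashes:
        in_system_dir = any(part.lower() in SYSTEM_DIRS for part in p.parts)
        has_exe_sibling = any(q.suffix.lower() == ".exe" for q in p.parent.iterdir())
        if p.name.lower() in RUNTIME_DLLS and not in_system_dir and has_exe_sibling:
            sideload.append(rel(p))
    return {"duplicates": duplicates, "ioc_hits": ioc_hits, "sideload_candidates": sorted(sideload)}


def demo() -> dict:
    """Constructed lab tree mirroring the dropped-file layout (dummy bytes, not real malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "ProgramData" / "app"
        root.mkdir(parents=True)
        (root / "seAgnt.exe").write_bytes(b"MZ constructed host binary")
        payload = b"MZ constructed dll payload"
        (root / "VCRUNTIME140_1.dll").write_bytes(payload)
        (root / "35g3498734gkb.dat").write_bytes(payload)  # same bytes, different name
        (root / "readme.txt").write_bytes(b"unrelated file")
        return triage(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a real host the duplicate grouping surfaces the “.dat” copy immediately, the IOC match confirms the family, and the sideload check is deliberately location-based: the same DLL name is perfectly normal inside System32, so only a copy placed beside an executable in a writable directory is reported.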
Conclusion
Despite the final payload being unavailable before FortiGuard Labs could analyze it, this dropper made an interesting case study and provided a subject to watch out for.
Fortinet Protections
Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:
The following AV signatures detect the malware samples mentioned in this blog:
- MalwThreat!caa0FT
- W32/Agent.9CDF!tr
The WebFiltering client blocks all network-based URIs.
Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.
If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.
IOCs
File-based IOCs:
Filename | SHA256
!PENTING_LIST OF OFFICERS.rar | 2dcf00b0f6c41c2c60561ca92893a0a9bf060e1d46af426de022d0c5d23d8704
Notice to Work-From-Home groups.pdf | 30417ca261eefe40f7c44ff956f9940b766ae9a0c574cd1c06a4b545e46f692e
062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe | c22cc7111191e5a1a2010f4bc3127058bff41ecba8d753378feabee37d5b43bb
Microsoft Office.doc | 59334a6e2c5faabe3a1baf5347ba01f2419d731fcbb7ab1b021185c059c8fa6f
IC.exe | fc40e782731b8d3b9ec5e5cf8a9d8b8126dc05028ca58ec52db155b3dadc5fc6
power.exe | f26f5a52bddda5eb3245161b784b58635ffa2381818816e50b8bae9680ff88eb
power.xml | f43cca8d2e996ee78edf8d9e64e05f35e94a730fbe51e9feecc5e364280d8534
seAgnt.exe | b3e0388f215ac127b647cd7d3f186f2f666dc0535d66797b6e1adb74f828254e
VCRUNTIME140_1.dll / 35g3498734gkb.dat | 527afa0c415af005594acaac1093a1ea79e3639fa5563602497eabbae7438130
Network-based IOCs:
IOC | IOC type
185[.]225[.]69[.]226 | C2 Node
hXXp://185[.]225[.]68[.]37/jay/nl/VCRUNTIME140_1.dll | Stage download location
hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe | Stage download location
hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat | Stage download location
Source: https://www.fortinet.com/blog/threat-research/new-midgedropper-variant