New MidgeDropper Variant | FortiGuard Labs

FortiGuard Labs analyzed a new dropper family named MidgeDropper that uses an obfuscated DLL sideloading chain to execute malicious code via a renamed Xbox Game Bar component and staged downloads from 185[.]225[.]68[.]37. The dropper unpacks multiple stages (IC.exe, power.exe/power.xml, seAgnt.exe, VCRUNTIME140_1.dll) but the final payload could not be retrieved before C2 infrastructure was taken down. #MidgeDropper #VCRUNTIME140_1.dll

Keypoints

  • MidgeDropper likely delivered via a phishing attachment (!PENTING_LIST OF OFFICERS.rar) containing a decoy PDF and a malicious executable masquerading as a PDF.
  • The dropper executable (062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe) drops Microsoft Office.doc, IC.exe, power.exe, power.xml and downloads seAgnt.exe from 185[.]225[.]68[.]37.
  • IC.exe downloads a malicious VCRUNTIME140_1.dll from the same host; seAgnt.exe (renamed GameBarFTServer.exe) loads that DLL, enabling DLL sideloading to run malicious code.
  • power.exe decodes and processes an obfuscated power.xml whose instructions launch seAgnt.exe, so the XML content drives the execution flow.
  • The malicious VCRUNTIME140_1.dll is heavily obfuscated, contains many function jumps, and attempts to download 35g3498734gkb.dat (identical to the DLL) from the C2 server.
  • Further analysis of a potential final payload was blocked after the threat infrastructure was taken down; Fortinet provides signatures and network blocks for protection.

MITRE Techniques

  • [T1566] Phishing – ‘we strongly suspect it to be a phishing e-mail because we have access to an RAR archive—!PENTING_LIST OF OFFICERS.rar—that would have been the likely attachment to an e-mail.’
  • [T1204] User Execution – ‘designed to act as a decoy and shift the recipient’s attention to clicking on and executing the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file.’
  • [T1105] Ingress Tool Transfer – ‘reaches out to “hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe” to pull down the file “seAgnt.exe”.’
  • [T1574.002] DLL Side-Loading – ‘seAgnt.exe depends on “VCRUNTIME140_1.dll”. This dependency allows the malicious code inside of the DLL to execute.’
  • [T1027] Obfuscated Files or Information – ‘The file is heavily obfuscated and designed to make analysis much more difficult.’
  • [T1036] Masquerading – ‘seAgnt.exe is a renamed copy of “GameBarFTServer.exe,” which is an application published by Microsoft, “Xbox Game Bar Full Trust COM Server.”’

Indicators of Compromise

  • [Filename] dropper and staged binaries – 062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe, seAgnt.exe
  • [Filename] supporting files – power.xml, VCRUNTIME140_1.dll (also provided as 35g3498734gkb.dat)
  • [SHA256] example hashes – c22cc7111191e5a1a2010f4bc3127058bff41ecba8d753378feabee37d5b43bb (dropper), 527afa0c415af005594acaac1093a1ea79e3639fa5563602497eabbae7438130 (VCRUNTIME140_1.dll), and 7 more hashes
  • [IP address] C2 / stage host – 185[.]225[.]68[.]37, 185[.]225[.]69[.]226
  • [URLs] staged download locations – hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe, hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat

The dropper archive contains two items: a decoy PDF that displays an error message to trick users and a large executable named to look like a PDF. When executed, the dropper writes multiple files to disk (Microsoft Office.doc to %LocalTemp%, IC.exe to C:\ProgramData\Emisoft\MicrosoftStream, power.exe, and power.xml) and performs HTTP GET requests to 185[.]225[.]68[.]37 to retrieve seAgnt.exe. IC.exe separately downloads VCRUNTIME140_1.dll from the same host. power.exe’s sole function is to decode and process the obfuscated power.xml, whose final Actions node directs the launch of seAgnt.exe.

seAgnt.exe is a benign Microsoft Xbox Game Bar component (GameBarFTServer.exe) renamed and used to load VCRUNTIME140_1.dll as a dependency, enabling DLL side-loading to run the malicious DLL code in the context of a legitimate process. The VCRUNTIME140_1.dll sample is heavily obfuscated with many function jumps to impede analysis and reaches back to the C2 at hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat to fetch a file that, in the analyzed instance, was identical to the DLL already present.

Analysis was cut short when additional C2 resources were taken offline, preventing retrieval of any distinct final payload. Mitigation should include blocking the listed URLs/IPs, detecting the provided file hashes, training users to avoid executing attachments, and monitoring for DLL sideloading patterns involving GameBarFTServer.exe or similarly renamed Windows components. Read more: https://www.fortinet.com/blog/threat-research/new-midgedropper-variant
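The two behaviours that the mitigation advice above asks defenders to watch for, a renamed GameBarFTServer.exe (T1036) and an untrusted VCRUNTIME140_1.dll loaded into it (T1574.002), can be checked against endpoint telemetry. The following is an added example, not code from the FortiGuard report; it assumes Sysmon-style ProcessCreate (EventID 1) and ImageLoad (EventID 7) fields, and the file paths in the sample events are constructed, not paths from the report.

```python
# Added detection example for the MidgeDropper sideloading chain.
# Field names follow Sysmon's ProcessCreate (EventID 1) and ImageLoad (EventID 7)
# events. SAMPLE_EVENTS are constructed test data, not captured telemetry, and
# their directories are placeholders rather than paths from the report.
import ntpath

TARGET_DLL = "vcruntime140_1.dll"        # DLL the renamed host depends on
HOST_ORIGINAL_NAME = "gamebarftserver.exe"  # OriginalFileName of the abused Microsoft binary


def _base(path):
    return ntpath.basename(path).lower()


def detect(events):
    """Return (technique, process image, detail) findings in event order."""
    findings = []
    renamed_hosts = set()  # processes whose on-disk name hides GameBarFTServer.exe
    for ev in events:
        if ev["EventID"] == 1:
            # T1036: version-info OriginalFileName says GameBarFTServer.exe,
            # but the file on disk is called something else (e.g. seAgnt.exe).
            orig = ev.get("OriginalFileName", "").lower()
            if orig == HOST_ORIGINAL_NAME and _base(ev["Image"]) != orig:
                renamed_hosts.add(ev["Image"].lower())
                findings.append(("T1036", ev["Image"], f"renamed copy of {ev['OriginalFileName']}"))
        elif ev["EventID"] == 7 and _base(ev["ImageLoaded"]) == TARGET_DLL:
            # T1574.002: the runtime DLL is unsigned, or it is being loaded by
            # a process already flagged as a renamed host.
            unsigned = ev.get("Signed", "true").lower() != "true"
            if unsigned or ev["Image"].lower() in renamed_hosts:
                findings.append(("T1574.002", ev["Image"],
                                 f"{ev['ImageLoaded']} (Signed={ev.get('Signed')})"))
    return findings


# Constructed sample: the malicious chain followed by a legitimate Game Bar load.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\Public\stage\seAgnt.exe",
     "OriginalFileName": "GameBarFTServer.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\stage\seAgnt.exe",
     "ImageLoaded": r"C:\Users\Public\stage\VCRUNTIME140_1.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Program Files\WindowsApps\XboxGameBar-placeholder\GameBarFTServer.exe",
     "OriginalFileName": "GameBarFTServer.exe"},
    {"EventID": 7, "Image": r"C:\Program Files\WindowsApps\XboxGameBar-placeholder\GameBarFTServer.exe",
     "ImageLoaded": r"C:\Windows\System32\VCRUNTIME140_1.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for technique, image, detail in detect(SAMPLE_EVENTS):
        print(technique, image, detail)
```

Only the renamed seAgnt.exe and its unsigned runtime DLL produce findings; the genuine GameBarFTServer.exe loading the System32 copy is left alone.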