Threat Research

Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat

By Cara Lin | October 03, 2022

We recently found some malicious Microsoft Office documents that attempted to leverage legitimate websites—MediaFire and Blogger—to execute a shell script and then dropped two malware variants of Agent Tesla and njRat. Agent Tesla is a well-known spyware, first discovered in 2014, which can steal personal data from web browsers, mail clients, and FTP servers, collect screenshots and videos, and capture clipboard data. njRat (also known as Bladabindi) is a remote agent Trojan first discovered in 2013 that is capable of remotely controlling a victim’s device to log keystrokes, access the camera, steal credentials stored in browsers, upload/download files, manipulate the registry, and more.

Affected platforms: Microsoft Windows
Impacted parties: Windows users
Impact: Control and collect sensitive information from a victim’s device
Severity level: Critical

In this article we will provide details of the documents we discovered, their embedded scripts used to deliver a payload, and the behavior of these malware variants.

1st Stage

In September 2022 we collected two kinds of files. One is a PowerPoint Add-in and another is a Word document that contained a lure picture and an embedded Excel form. Both files included similar VBA scripts that execute a macro right after opening the document.

Based on the VBA script in the PPT add-in, shown in Figure 1, the code is automatically triggered because it uses the “Auto_Open()” function. Its “ControlTipText” and “Tag” fields contain the complete command “mshta” and the MediaFire URL. We can see the full URL in “vbaProject.bin”.

Figure 1: The VBA macro from the PPT add-In
Figure 2: Complete malicious URL in the vbaProject.bin file

2nd Stage

We can see from Process Explorer shown in Figure 3 that the “mshta” process started right after clicking “Enable Macros” in the document. This leads to the MediaFire website, which is a legitimate file and picture sharing platform.

Figure 3: Process Explorer after clicking “Enable Macros”

Below is the content of “1.htm” from the first stage VBA macro:

Figure 4: “1.htm” downloaded from MediaFire

Figure 5 shows a clearer picture after converting some hex to ascii string.

Figure 5: Converted "1.htm"
This HTML file has three main jobs:
  1. Deliver a third-stage script file from the MediaFire site
  2. Kill the task WINWORD.EXE
  3. Add persistence by creating a scheduled task. It uses “mshta” to connect to the “http[:]//www.webclientservices.co[.]uk/p/1[.]html” site, which contains a similar script every 73 minutes. The blog screenshot seen below is from September 2022:
Figure 6: Web page of www[.]webclientservices[.]co[.]uk/p/1[.]html in the middle of September

We also discovered that the 1.html file in “www[.]webclientservices[.]co[.]uk” had been updated and renamed as “real all BACK SEP 2022”. The embedded JavaScript was also changed and now delivers other malware. More details are in the following section.

Figure 7: Updated page of www[.]webclientservices[.]co[.]uk/p/1[.]html found at the end of September

3rd Stage

The PowerShell script in “1.txt”, downloaded from MediaFire, delivers its final payload via the process hollowing technique. It first kills all related processes and decodes the loader and payload. It then invokes the final payload and deploys it, bypassing AMSI. The main malware and part of the code are encoded and replaced with strings to increase the difficulty of analysis.

Figure 8: Full picture of the PowerShell used to load Agent Tesla
Figure 9: Process Explorer after PowerShell is executed

In the second part of the “Load Agent Tesla Payload” process, the variables $CLE11 and $RNBX1 are the final payload and the loader after replacing some strings. Based on different version of .NET, it customizes paths for proceeding with the process hollowing activity:

$Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'

$Path2 = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe'

$Path3 = 'C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe

      [Ref]/Assembly::Load((HexaToByte($RNBX1))).GetType('CALC'.PAYSIAS'.'GetMethod'(Execute).Invoke($null,[object[]] ($Path, HexaToByte($CLE11)));

We saved $RNBX1 as an executable file and opened it with dnSpy. The target class and method can be seen in Figure 10. This .Net loader leverages some obfuscation to hide the main APIs (CreateProcess, VirtualAllocEx…, etc.)

Figure 10: .Net Loader

We located the targeted processes, “jsc.ex”, “caspol.exe” and “Msbuild.exe”, running quietly in the victim’s machine. The details are shown in Figure 11.

Figure 11: Process Explorer while process hollowing

In the end of the PowerShell section, it disables logging and bypasses AMSI by patching it. Detail steps can be seen in Figure 12.

Figure 12: Bypassing AMSI in PowerShell

Final Stage – Part 1

The first malware payload is Agent Tesla. This variant began spreading in the middle of September. It includes legitimate file information, "Web Browser Password Viewer" from the company “NirSoft”, and uses FTP to send out stolen data.

Figure 13: Basic information of Agent Tesla

Figure 14 is a screenshot of the attacker’s FTP server information, including username and password, used for transferring extracted data. This variant also copies itself into the %appdata% directory with the filename “NGCwje.exe” for persistence.

Figure 14: The attacker’s server information

It then starts to extract the victim device’s information, such as serial number of the base board, processor ID, and MAC address. It then generates an MD5 hash for this data.

Figure 15: Generating an Md5 hash for the victim machine’s information

Agent Tesla uses a typical application list to steal login credentials, cookies, mail information, and VPN data. A partial set of these items can be seen in the following figure:

Figure 16: List for targeted browser applications

Once the malware retrieves the credentials and other information from the victim’s machine, it sends this data via FTP protocol using hardcoded IP. 

Figure 17: Utilizing the FTP protocol
Figure 18: Traffic capture from the victim's machine

Based on the different types of files it encounters, it utilizes four kinds of opening strings: “CO” is for cookie data, “KL” is for keyboard logging, “PW” is for the victim’s password information, and “SC” is for screenshot files. The malware uses underlines to connect the type of data, username, device name, and timestamp together for the filename for the data ZIP file. The list of stolen zip files is shown as below:

Figure 19: Partial list of the Zip files on the FTP server

Final Stage – Part 2

The second payload is njRat, also known as Bladabindi. It is a .NET Trojan for controlling and spying on a victim’s device. This variant uses obfuscation for its string generation and code flow. From an IDA graph overview of method ko(), you can see that this variant is more complex, but you can still identify the similar functions.

Figure 20: IDA graph overview
Figure 21: The entry point of njRat
Figure 22: String decoding function

First, it creates lnk and exe files in the “Startup” and “Templates” folder with the filename “Windows”. This name is used to trick users and analysts into thinking it is a legitimate Windows file.

Figure 23: Creating persistence

It then gets its command and control server hostname and port number in reverse order.

Figure 24: Command and control server information

To make sure this malware only runs on this victim once, it adds “HKEY_CURRENT_USER” with name “di” and data “!”.

Figure 25: Adding to the registry in “HKEY_CURRENT_USER”
Figure 26: Registry status

It also creates a mutex with the string “Windows”, sets the environment variable “SEE_MASK_NOZONECHECKS” to 1, and checks if this mutex had been created before. If yes, it ends the process.

Figure 27: Creating a mutex
Figure 28: Setting the environment variable

After it collects the machine’s information, it uses base64 to encode it and concatenates the data, as seen in Figure 29. It then transfers the data to server “mobnew6565[.]duckdns[.]org” using hardcoded TCP port 7575.

Figure 29: Concatenated data

Following is the C2 traffic from the Win10 victim machine. The separator changes to “|-F-|” and version is “v4.0”, but the format for the packet is similar to the old njRat version:

<message length>.<command>|-F-|<data> 

Figure 30: Traffic captured from the victim

Besides Agent Tesla and njRat, we also found a short script in the updated HTML file “www.webclientservices.co[.]uk/p/1[.]html” that downloads a miner to “C:\\ProgramData”. This is odd behavior since each step in this attack chain is trying to not leave any physical trace or file on the victim’s machine. We think this might be a distraction for victims so as to not notice that another process is loading njRat.

Figure 31: JavaScript that downloads a miner
Figure 32: Process Explorer view for njRat and miner

Conclusion

Agent Tesla and njRat have both been highly active malware for years. Their functions are mature and easy to use for spying on or stealing information. As we mentioned previously, the malicious URL keeps updating its embedded JavaScript, which means these phishing emails and lure office documents are always an efficient way to spread this malware. All the VBA macro, PowerShell, and JavaScript code embedded in the website can deploy fileless attacks and also evade some virus detection by obfuscating or encoding the strings.

Users should always be wary of any office document or unknown file containing links to external websites.

Figure 33: Attack flow

Fortinet Protections

The VBA macro and all related malware are detected and blocked by FortiGuard Antivirus:

VBA/Agent.AIN!tr
MSIL/Agent.CJX!tr.spy
MSIL/Agent.CWR!tr
MSIL/VXS!tr
MSIL/CoinMiner.BMT!tr
PowerShell/Agent.GJ!tr
JS/SnakeKeylogger.A!tr.dldr
PowerShell/Agent.AMM!tr

Both the downloaded URL and attacker’s host have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.

Microsoft Office files can be disarmed by the FortiGuard Content Disarm & Reconstruction (CDR) service.

Since the majority of malware is delivered via phishing, organizations should also consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

IOCs

SHA256:

Office Document

9cb3a21f90dbb0dc5f3054a05571d8f2b5c2c06e0d24be4ec3a313cb7a061a60
63f13715d7c962f7eb36fe4cc7dbdbae1b599133ce2867bb346c11a61fac0990
2f17f9ef09e88e58f41e5d187ea39d22a2dc771f3adea622a6d25350a60309d9
34339322fd22bec66cb0272207e8f867af7d56e8d8441eadd23dcff6bcb77618

Script File

a44196d6b73d49ed6712df37fabd0e2b11d2bd91458c0351b6c7401e285b8a49
1844081002dc04a0e236503c233be07d7a0b6024c829fd0620f63075bb6a011a
ad19384eec4bc0c3f95c90a550f99a7744584e85e86473c371f88ebd503fb6a0
37d5b2c02f52ba1f909e9e2002f091fb068b4385b67a72ab488866cef7ea00f6
1d4f733b56c865f1221ac48eb794c715e1143287ff2f2e4094e5eea3caaec11b
da72d2feac3a24a332049b69df0cb7cab1a3734b5696effd3ebdf383f8f6ae32
539ff781c3b5065b98ca61927e13fd3bc7fe133f06b883a2fc13bc090bd4f4d3
2b85ed6d795c607344995e4e29bcf0fbef6f0600b783d495a20ca0098e471103
3a3e9467a2f88a29827895594907aeeeabede32e7966cdb3e8331fae6aa930da

Payload

a0931ce734fcc865c90fa7e9004bea8db551c32c699fdd389213c59cde3832cd
bdb94f7c3a13ea102258540f372d4ae07a4d4943f0ae9324f44fdfa8481bfaf2
dd72a7eebdd2d1cfabf430288d452fccfb90acc4d6956aa36194a35e9585b2c8

Loader

39e67f25b0fa660db0541bf37e315fb4def772bd3b6d67991b64a5a85914477d

Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.