We recently found some malicious Microsoft Office documents that attempted to leverage legitimate websites—MediaFire and Blogger—to execute a shell script and then dropped two malware variants of Agent Tesla and njRat. Agent Tesla is a well-known spyware, first discovered in 2014, which can steal personal data from web browsers, mail clients, and FTP servers, collect screenshots and videos, and capture clipboard data. njRat (also known as Bladabindi) is a remote agent Trojan first discovered in 2013 that is capable of remotely controlling a victim’s device to log keystrokes, access the camera, steal credentials stored in browsers, upload/download files, manipulate the registry, and more.
Affected platforms: Microsoft Windows
Impacted parties: Windows users
Impact: Control and collect sensitive information from a victim’s device
Severity level: Critical
In this article we will provide details of the documents we discovered, their embedded scripts used to deliver a payload, and the behavior of these malware variants.
In September 2022 we collected two kinds of files. One is a PowerPoint Add-in and another is a Word document that contained a lure picture and an embedded Excel form. Both files included similar VBA scripts that execute a macro right after opening the document.
Based on the VBA script in the PPT add-in, shown in Figure 1, the code is automatically triggered because it uses the “Auto_Open()” function. Its “ControlTipText” and “Tag” fields contain the complete command “mshta” and the MediaFire URL. We can see the full URL in “vbaProject.bin”.
We can see from Process Explorer shown in Figure 3 that the “mshta” process started right after clicking “Enable Macros” in the document. This leads to the MediaFire website, which is a legitimate file and picture sharing platform.
Below is the content of “1.htm” from the first stage VBA macro:
Figure 5 shows a clearer picture after converting some hex to ascii string.
The PowerShell script in “1.txt”, downloaded from MediaFire, delivers its final payload via the process hollowing technique. It first kills all related processes and decodes the loader and payload. It then invokes the final payload and deploys it, bypassing AMSI. The main malware and part of the code are encoded and replaced with strings to increase the difficulty of analysis.
In the second part of the “Load Agent Tesla Payload” process, the variables $CLE11 and $RNBX1 are the final payload and the loader after replacing some strings. Based on different version of .NET, it customizes paths for proceeding with the process hollowing activity:
$Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'
$Path2 = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe'
$Path3 = 'C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe
[Ref]/Assembly::Load((HexaToByte($RNBX1))).GetType('CALC'.PAYSIAS'.'GetMethod'(Execute).Invoke($null,[object] ($Path, HexaToByte($CLE11)));
We saved $RNBX1 as an executable file and opened it with dnSpy. The target class and method can be seen in Figure 10. This .Net loader leverages some obfuscation to hide the main APIs (CreateProcess, VirtualAllocEx…, etc.)
We located the targeted processes, “jsc.ex”, “caspol.exe” and “Msbuild.exe”, running quietly in the victim’s machine. The details are shown in Figure 11.
In the end of the PowerShell section, it disables logging and bypasses AMSI by patching it. Detail steps can be seen in Figure 12.
The first malware payload is Agent Tesla. This variant began spreading in the middle of September. It includes legitimate file information, "Web Browser Password Viewer" from the company “NirSoft”, and uses FTP to send out stolen data.
Figure 14 is a screenshot of the attacker’s FTP server information, including username and password, used for transferring extracted data. This variant also copies itself into the %appdata% directory with the filename “NGCwje.exe” for persistence.
It then starts to extract the victim device’s information, such as serial number of the base board, processor ID, and MAC address. It then generates an MD5 hash for this data.
Agent Tesla uses a typical application list to steal login credentials, cookies, mail information, and VPN data. A partial set of these items can be seen in the following figure:
Once the malware retrieves the credentials and other information from the victim’s machine, it sends this data via FTP protocol using hardcoded IP.
Based on the different types of files it encounters, it utilizes four kinds of opening strings: “CO” is for cookie data, “KL” is for keyboard logging, “PW” is for the victim’s password information, and “SC” is for screenshot files. The malware uses underlines to connect the type of data, username, device name, and timestamp together for the filename for the data ZIP file. The list of stolen zip files is shown as below:
The second payload is njRat, also known as Bladabindi. It is a .NET Trojan for controlling and spying on a victim’s device. This variant uses obfuscation for its string generation and code flow. From an IDA graph overview of method ko(), you can see that this variant is more complex, but you can still identify the similar functions.
First, it creates lnk and exe files in the “Startup” and “Templates” folder with the filename “Windows”. This name is used to trick users and analysts into thinking it is a legitimate Windows file.
It then gets its command and control server hostname and port number in reverse order.
To make sure this malware only runs on this victim once, it adds “HKEY_CURRENT_USER” with name “di” and data “!”.
It also creates a mutex with the string “Windows”, sets the environment variable “SEE_MASK_NOZONECHECKS” to 1, and checks if this mutex had been created before. If yes, it ends the process.
After it collects the machine’s information, it uses base64 to encode it and concatenates the data, as seen in Figure 29. It then transfers the data to server “mobnew6565[.]duckdns[.]org” using hardcoded TCP port 7575.
Following is the C2 traffic from the Win10 victim machine. The separator changes to “|-F-|” and version is “v4.0”, but the format for the packet is similar to the old njRat version:
Besides Agent Tesla and njRat, we also found a short script in the updated HTML file “www.webclientservices.co[.]uk/p/1[.]html” that downloads a miner to “C:\\ProgramData”. This is odd behavior since each step in this attack chain is trying to not leave any physical trace or file on the victim’s machine. We think this might be a distraction for victims so as to not notice that another process is loading njRat.
Users should always be wary of any office document or unknown file containing links to external websites.
The VBA macro and all related malware are detected and blocked by FortiGuard Antivirus:
Both the downloaded URL and attacker’s host have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.
Microsoft Office files can be disarmed by the FortiGuard Content Disarm & Reconstruction (CDR) service.
Since the majority of malware is delivered via phishing, organizations should also consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio. Sign up to receive our threat research blogs.