Fortinet’s FortiGuard Labs captured a phishing campaign that delivers three fileless malware payloads onto a victim’s device. Once executed, they can take control of that device, steal sensitive information from it, and perform further actions according to the control commands they receive from their C2 server.
In Part I of this analysis, I introduced how these three fileless payloads are delivered to the victim’s device via a phishing campaign, and the mechanism the campaign uses to load, deploy, and execute them in the target process.
In Part II, I will focus on the three malware payloads themselves and elaborate on how they steal sensitive information from the victim’s device, how they submit that data to their C2 server, the details of the control commands, and what actions those commands allow the attacker to perform.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Controls victim’s device and collects sensitive information
Severity level: Critical
Fileless Malware 1 – AveMariaRAT
“Ave Maria” is a RAT (Remote Access Trojan), also known as WARZONE RAT. It offers a wide range of features for stealing a victim’s sensitive information and remotely controlling an infected device, including privilege escalation, remote desktop control, camera capture, and more.
It is the first of the three payloads (refer to Figure 3.3 of the previous analysis) to be injected into a newly created “aspnet_compiler.exe” process on the victim’s device and run there.
Ave Maria has a configuration block that is RC4 encrypted within its PE structure’s “.bss” section. The decryption key and encrypted data are
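Recovering such a configuration block comes down to running RC4 over the encrypted bytes with the embedded key. The following is an added example written for this page, not code from the FortiGuard analysis or from the malware itself: a pure-Python RC4 routine plus a small config parser. The key, the plaintext config and its NUL-separated field layout are all constructed for the example and are not Ave Maria’s real values; the article does not describe the field layout, so that part is purely an assumption.

```python
# Added example (not from the FortiGuard analysis): a pure-Python RC4
# routine of the kind an analyst writes to recover a configuration block
# that a sample stores RC4-encrypted in one of its PE sections.
# The key, the plaintext config and its field layout below are all
# constructed for this example; they are not Ave Maria's real values.

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).

    RC4 is symmetric, so the same call both encrypts and decrypts.
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    # KSA: permute the state array S according to the key bytes
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: emit one keystream byte per input byte and XOR it in
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def parse_config(plaintext: bytes) -> dict:
    """Split a decrypted config block into named fields.

    Assumption for this example only: the fields are NUL-separated ASCII
    strings in a fixed order. A real sample's config has its own layout,
    which has to be recovered from the decryption routine in the binary.
    """
    fields = plaintext.split(b"\x00")
    names = ("c2_host", "c2_port", "campaign_id", "install_name")
    return {n: f.decode("ascii", "replace") for n, f in zip(names, fields)}


def decrypt_config(key: bytes, encrypted_blob: bytes) -> dict:
    """Decrypt an RC4-encrypted config block and parse its fields."""
    return parse_config(rc4_crypt(key, encrypted_blob))


# Constructed sample data: the encrypted blob is built here from a known
# plaintext rather than hard-coded, so the round trip is visible and the
# example runs offline.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAINTEXT = b"\x00".join(
    [b"c2.example.invalid", b"8080", b"campaign-01", b"updater.exe"]
)
SAMPLE_BLOB = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    for name, value in decrypt_config(SAMPLE_KEY, SAMPLE_BLOB).items():
        print(f"{name:13s} {value}")
```

In practice the key and ciphertext come from the section data of the sample (the `.bss` section here), and the first thing to check after decryption is whether the output contains recognisable strings; if it does not, the key, its length, or the offset of the encrypted data was read wrongly.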