New MidgeDropper Variant | FortiGuard Labs

Affected Platforms: Windows
Impacted Users: Windows users
Impact: Potential to deploy additional malware for additional purposes
Severity Level: Medium

One of the most exciting aspects of malware analysis is coming across a family that is new or rare to the reversing community. Determining the function of the malware, who created it, and the reasons behind it become a mystery to solve. The previously unseen dropper variant we recently found, named MidgeDropper, has a complex infection chain that includes code obfuscation and sideloading, making it an interesting use case. Although we couldn’t obtain the final payload, this blog will still explore what makes this dropper tick.

Initial Infection Vector

The initial infection vector was not available to FortiGuard Labs at the time of our investigation. However, we strongly suspect it to be a phishing e-mail because we have access to an RAR archive—!PENTING_LIST OF OFFICERS.rar—that would have been the likely attachment to an e-mail.

!PENTING_LIST OF OFFICERS.rar

Two files are in the !PENTING_LIST OF OFFICERS.rar archive: “Notice to Work-From-Home groups.pdf” and “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” (Figure 1).

Notice to Work-From-Home groups.pdf

The “Notice to Work-From-Home groups.pdf” file is exactly what it appears to be: a PDF file. It contains an image of an error message that falsely indicates that the PDF document failed to load. It is designed to act as a decoy and shift the recipient’s attention to clicking on and executing the “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file. Since file extensions are hidden by default in Windows, it is unlikely that anyone reviewing the contents would see the “.exe” and would instead assume they were opening another PDF file.

062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe

At 6.7MB, the ”062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” file is large by malware delivery standards. This executable primarily functions as a dropper for the following stages of infection.

The executable drops the files “Microsoft Office.doc,” “IC.exe,” “power.exe,” and “power.xml”. It also reaches out to “hXXp://185[.]225[.]68[.]37/jay/nl/seAgnt.exe” to pull down the file “seAgnt.exe.”

Microsoft Office.doc

This file is dropped and opened from “C:Users<user>AppDataLocalTempMicrosoftOffice.” It is also meant to be a decoy. It is populated in some versions of the dropper, but it was empty and benign in the version analyzed by FortiGuard Labs.

IC.exe

“IC.exe” is dropped by “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe” and deposited into “C:ProgramDataEmisoftMicrosoftStreamIC.exe.” It is responsible for obtaining the next stage of the infection.

“IC.exe” reaches out to a URL at “185[.]225[.]68[.]37” to download an additional file, “VCRUNTIME140_1.dll.”

As can probably be guessed by the filename, “VCRUNTIME140_1.dll” is meant to appear as a file related to the Microsoft Visual C++ Redistributable Package. 

power.exe and power.xml

“power.exe” is dropped along with “power.xml” by ”062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”.  “power.exe” only has one job: decoding and processing “power.xml.”

Figure 9 shows that “power.xml” in its native format is obfuscated and not readily readable.  This can be easily rectified by removing the garbage characters used for obfuscation.

With obfuscation removed, an XML document remains. Much of the information is irrelevant except for the final section under the “Actions” tag. The primary purpose of this pair of files is to launch “seAgnt.exe.”

seAgnt.exe

“seAgnt.exe” is a renamed copy of “GameBarFTServer.exe,” which is an application published by Microsoft, “Xbox Game Bar Full Trust COM Server.”  It is a background process for the Xbox Game Bar that runs on Windows.

Although itself benign, “seAgnt.exe” does depend on “VCRUNTIME140_1.dll”.  This dependency allows the malicious code inside of the DLL to execute.

VCRUNTIME140_1.dll

“VCRUNTIME140_1.dll” is a legitimate DLL that is part of the Microsoft Visual C++ runtime package. Unfortunately, the particular version used here is malicious.

Due to “VCRUNTIME140_1.dll” being a Dynamic Link Library, it doesn’t exist as a separate executable. It has to have assistance via another application to load its code into memory and execute it. “seAgnt.exe” is that application. This technique is called sideloading (https://attack.mitre.org/techniques/T1574/002/) because a dependency of a legitimate application is highjacked to allow the malicious code to load.

The file is heavily obfuscated and designed to make analysis much more difficult. For example, the figure below shows the massive number of function jumps that attempt to hide the purpose of the code.

The rest of the code makes it equally difficult to follow along in a disassembler.

The primary purpose of the code appears to be reaching out to “hXXp://185[.]225[.]68[.]37/jay/nl/35g3498734gkb.dat” to pull down the file “35g3498734gkb.dat”.

35g3498734gkb.dat

Oddly, “35g3498734gkb.dat” is identical to “VCRUNTIME140_1.dll” in terms of the file hash, so it’s unclear why the threat actor opted to pull it down again from the C2 node.

Unfortunately, further links on the infection chain were taken down when our analysis began, preventing further analysis of any potential final payloads.

Conclusion

Despite the final payload being unavailable before FortiGuard Labs could analyze it, this dropper made an interesting case study and provided a subject to watch out for.

Fortinet Protections

Fortinet customers are already protected from this malware through FortiGuard’s Web Filtering, AntiVirus, FortiMail, FortiClient, and FortiEDR services, as follows:

The following (AV) signature detects the malware samples mentioned in this blog

• MalwThreat!caa0FT
• W32/Agent.9CDF!tr

The WebFiltering client blocks all network-based URIs.

Fortinet has multiple solutions designed to help train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

We also suggest that organizations have their end users undergo our FREE NSE training: NSE 1 – Information Security Awareness. It includes a module on Internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks.

If you think this or any other cybersecurity threat has impacted your organization, contact our Global FortiGuard Incident Response Team.

IOCs

File-based IOCs:

Network-based IOCs: