Fileless Malware Detection: AveMariaRAT / BitRAT / PandoraHVNC Attacks

Cybercrooks are targeting Microsoft Windows users with three fileless malware strains used at once in a new phishing campaign. The phishing mail mimics a payment report from a trusted source, with a brief request to view an attached Microsoft Excel document. The file contains weaponized macros and, once launched, drops the malware aimed to steal the victim’s sensitive data. Adversaries distribute the following malware forms: BitRAT, PandoraHVNC, and AveMariaRAT.

Detect Fileless Malware

Our renowned Threat Bounty developer Emir Erdogan released a Sigma rule to help you identify whether you were hit by one of the three fileless malware samples dropped by a phishing email via process_creation:

AveMariaRAT / BitRAT and PandoraHVNC detection via process_creation

The detection is available for the 23 SIEM, EDR & XDR platforms, aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with Command and Scripting Interpreter (T1059) and Scheduled Task/Job (T1053) as the primary techniques.

Join the Threat Bounty Program to get full access to the only Threat Detection Marketplace where researchers monetize their content. Enhance your security arsenal with cross-vendor and cross-tool detection content items tailored to 25+ market-leading SIEM, EDR, and XDR technologies: hit the View Detections button to get instant access to the SOC Prime’s rich library of detection algorithms.

View Detections Join Threat Bounty

Fileless Malware Description

Researchers from Fortinet shared the results of their investigation of a series of phishing attacks affecting Microsoft Windows users. In this phishing campaign, threat actors sent out a fraudulent payment report, disguising as a trustworthy source, phishing with a malicious Microsoft Excel document. The goal is to lure email recipients into downloading the macro-laced file. Once the victim-to-be opens it, Office displays a security warning, recommending disabling macros. If the user ignores the recommendation and enables macros instead, it opens a way for malware penetration.

The malware is retrieved and installed on the victim’s PC using VBA scripts and PowerShell. This code has three code segments – the three types of malware. The targets who fall foul of an attack receive three fileless malware strains, which are AveMariaRAT, BitRAT, and PandoraHVNC. The malware is to be used to steal confidential information and perform other malicious tasks.

Currently, the use of malicious macros is on the rise. With proactive cyber defense solutions provided by SOC Prime, security teams increase the chances of efficient detection and timely mitigation of breaches. Combat cyber threats that evade your security solutions with 185,000+ detection rules, parsers, search queries, and other content items enriched with CTI, MITRE ATT&CK references, CVE descriptions, and more relevant contextual information, all available in the Threat Detection Marketplace repository of the SOC Prime’s platform.

Aspiring and professional SOC specialists are also welcome to access Cyber Library to master their SIEM hard skills, watch deep-dive educational videos, and catch up with how-to guides on Threat Hunting.