A phishing campaign has been observed targeting Windows users with three different fileless malware to steal sensitive information. The three malware are identified as BitRAT, PandoraHVNC, and AveMariaRAT.

The phishing campaign 

Researchers from Fortinet have discovered the phishing campaign and claimed that attackers are targeting victims to steal usernames, passwords, and other sensitive information, such as bank details.
  • The initial phishing message is created to impersonate a payment report sent from a genuine source that comes with a short request message to open an attached Excel document.
  • This file has malicious macros and when opened, Excel flags potential security concerns about the use of macros.
  • If the user ignores the message and opens the file, it delivers the malware.

Use of VBA and PowerShell

VBA scripts and PowerShell are used to retrieve the malware and install it on the victim's machine. Further, the PowerShell code is divided into three parts for the three different malware.
  • The VBA code is used for getting access to a remote HTML file (APRL27[.]htm) using the copied mshta[.]exe command. This file includes malicious JavaScript code that executes later.
  • The three malware are downloaded in a large PowerShell file to bypass detection, and later deployed and run inside the target processes using the Process Hollowing technique.


Using three different forms of malware suggests that attackers are focusing on stealing sensitive information. The stolen information may pave the way for future attacks for gaining access or other goals. Thus, it is suggested to deploy anti-phishing solutions and provide training to employees to identify phishing emails.
Cyware Publisher