Excel Malspam: Protected Password … Not!
Early March of this year, we blogged about several malspam campaigns using Excel 4.0 Macros in the .xls 97-2003 binary format. In this blog, we'll present yet another Excel 4.0 Macro spam campaign in the same format, this time crafted with another old MS Excel feature to evade detection.
Different themes were used in this campaign – ranging from generic themes like fake invoices to the hottest theme these days, Coronavirus. The subjects of the spam are composed of a word related to the theme followed by a sequence of numbers.
Figure 1: Some of the malspams
The spam in this campaign has a one-liner email body and one attachment, and both contain the sequence of numbers found in the Subject. The text in the email body simply directs the recipient's attention to the attachment, which is an Excel file. The filename of the attached Excel file includes the local part of the recipient's email address.
Figure 2: Secure Email Gateway (SEG) showing the first spam shown in Figure 1
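The message characteristics just described (a subject made of a theme word plus a number, a one-line body repeating that number, and a single .xls attachment whose filename carries the recipient's local part and the same number) can be turned into a simple gateway-side heuristic. The script below is an added example, not code from the original post or from Trustwave; the sample messages it builds are constructed test data, and the scoring weights and thresholds are my own assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Magic bytes of an OLE2 compound file, i.e. a 97-2003 binary .xls (constructed check, not from the post)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# "<theme word(s)> <digits>", e.g. "Invoice 697121"
SUBJECT_RE = re.compile(r"^\s*[A-Za-z][A-Za-z ]*\s(\d{4,})\s*$")


def build_sample(to_addr, subject, body, attachment_name, payload):
    """Construct a raw RFC 5322 message with one attachment (test data only)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="vnd.ms-excel", filename=attachment_name)
    return msg.as_bytes()


def campaign_indicators(raw):
    """Check a raw message for the traits of the campaign and return per-trait hits plus a score."""
    msg = message_from_bytes(raw, policy=policy.default)
    local_part = parseaddr(msg["To"] or "")[1].split("@")[0].lower()
    m = SUBJECT_RE.match(msg["Subject"] or "")
    number = m.group(1) if m else None
    body_part = msg.get_body(preferencelist=("plain",))
    body_text = body_part.get_content() if body_part else ""

    hits = {
        "subject_word_plus_number": number is not None,
        "number_in_body": bool(number) and number in body_text,
        "short_body": len(body_text.strip().splitlines()) <= 1,
        "xls_attachment": False,
        "filename_has_local_part": False,
        "filename_has_number": False,
    }
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Only the binary .xls container is of interest here, not OOXML (.xlsx/.xlsm, which start with "PK")
        if name.endswith(".xls") and data.startswith(OLE_MAGIC):
            hits["xls_attachment"] = True
            hits["filename_has_local_part"] = bool(local_part) and local_part in name
            hits["filename_has_number"] = bool(number) and number in name
    score = sum(1 for v in hits.values() if v is True)
    hits["score"] = score
    return hits


if __name__ == "__main__":
    sample = build_sample("jack@example.invalid", "Invoice 697121",
                          "Please find attached your document 697121\n",
                          "jack_697121_.xls", OLE_MAGIC + b"\x00" * 24)
    print(campaign_indicators(sample))
```

A score of 6 means every trait matched; in practice you would feed the attachment on to the file-level checks rather than block on the email shape alone, since individual traits (a number in the subject, a short body) are common in legitimate mail.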
The "Password Protected" Attachment
The XLS attachments from the spams shown in Figure 1 were encrypted via password protection. A password has been applied to the Excel files, which used the Microsoft Enhanced Cryptographic Provider v1.0 algorithm to encrypt the attachments. Password-protected documents can only be opened with the correct password, as this is the key needed in the decryption process.
Figure 3: The tool Hiew shows that the attachment shown in Figure 2 is encrypted with the algorithm Microsoft Enhanced Cryptographic Provider v1.0 and contains Excel 4.0 Macro sheets
In MS Excel with macros disabled, we tried opening the attachments obtained from Figure 1. However, the Excel application did not display the password prompt as expected. Since their file structures indicate the XLS files are password protected, we used Didier Stevens' msoffcrypto-crack tool to obtain their passwords. All the XLS attachments have the password "VelvetSweatshop".
Figure 4: The XLS files attached to the emails in Figure 1 have the same password
Excel first attempts to open a password protected Excel file using its default password "VelvetSweatshop" in read-only mode. If this default password fails to open the encrypted Excel file, then the application will launch the password prompt and ask the user for the password. This read-only technique has been known about for over 10 years and is now being leveraged by spammers.
Because the XLS files were encrypted using the default password, they ran in Excel as if they weren't password protected. In the background, Excel had already opened them using the default password. Hence, no password input was required from the user, nor was a warning from the application prompted. The content of the XLS files was immediately displayed.
Figure 5: The attachment jack_697121_.xls contains a worksheet, and the autorun points to a cell in one of the hidden Excel 4.0 macro sheets
All the Excel files in this campaign had macro downloaders. They contain a worksheet which acts as a lure for the victim to enable the macro setting, and multiple hidden Excel 4.0 macro sheets. Although the number of hidden macro sheets varies between the samples, the characteristics of their filenames are consistent. Two of the macro sheets have randomized filenames and the rest start with "Macro" followed by a number.
The malicious behavior of the XLS files arises from one of the hidden macro sheets with a randomized name – this is always the one referenced by the autorun, as shown in Figure 5. The macro will download a binary from a compromised website, save it on disk under the C drive, and execute it.
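The two file-level observations above (the FILEPASS encryption header that Hiew revealed, and the hidden Excel 4.0 macro sheets with randomized names after decryption) can both be read straight out of the BIFF8 Workbook stream. The triage script below is an added example and not code from the original post, from Trustwave, or from Didier Stevens' tools; it assumes you have already pulled the Workbook stream out of the OLE container (for instance with the olefile library) and, for an encrypted file, have decrypted it first. The record layouts follow MS-XLS and MS-OFFCRYPTO; the two sample streams are constructed in the code and are not taken from the campaign's files.

```python
import re
import struct

# BIFF8 record types from MS-XLS
BOF, FILEPASS, BOUNDSHEET = 0x0809, 0x002F, 0x0085
DEFAULT_PASSWORD = "VelvetSweatshop"  # the password Excel tries silently, in read-only mode


def biff_records(stream):
    """Yield (record_type, payload) for every record in a Workbook stream."""
    off = 0
    while off + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, off)
        yield rtype, stream[off + 4: off + 4 + rlen]
        off += 4 + rlen


def describe_filepass(data):
    """Classify a FILEPASS record: XOR obfuscation, RC4 standard, or RC4 CryptoAPI (with CSP name)."""
    enc_type = struct.unpack_from("<H", data, 0)[0]
    if enc_type == 0:
        return {"scheme": "XOR obfuscation", "csp": None}
    vmajor, vminor = struct.unpack_from("<HH", data, 2)
    if (vmajor, vminor) == (1, 1):
        return {"scheme": "RC4 (standard)", "csp": None}
    # RC4 CryptoAPI: EncryptionHeaderFlags(4) EncryptionHeaderSize(4) then EncryptionHeader,
    # whose fixed 32-byte prefix is followed by the null-terminated UTF-16LE CSPName
    hdr_size = struct.unpack_from("<I", data, 10)[0]
    header = data[14:14 + hdr_size]
    csp = header[32:].decode("utf-16-le").split("\x00", 1)[0]
    return {"scheme": "RC4 CryptoAPI", "csp": csp}


def parse_boundsheet(data):
    """BoundSheet8: lbPlyPos(4) hsState(1) dt(1) then a ShortXLUnicodeString name."""
    _pos, hs_state, sheet_type = struct.unpack_from("<IBB", data, 0)
    cch, flags = data[6], data[7]
    if flags & 1:
        name = data[8:8 + 2 * cch].decode("utf-16-le")
    else:
        name = data[8:8 + cch].decode("latin-1")
    # hs_state & 3: 0 visible, 1 hidden, 2 very hidden; sheet_type 0x01 = Excel 4.0 macro sheet
    return {"name": name, "hidden": hs_state & 3, "type": sheet_type}


def triage(stream):
    """Report encryption scheme, sheet count, and hidden macro sheets whose names are not 'Macro<n>'."""
    result = {"encrypted": False, "encryption": None, "sheet_count": 0,
              "sheets": [], "suspect_macro_sheets": []}
    for rtype, data in biff_records(stream):
        if rtype == FILEPASS:
            result["encrypted"] = True
            result["encryption"] = describe_filepass(data)
        elif rtype == BOUNDSHEET:
            result["sheet_count"] += 1
            if result["encrypted"]:
                continue  # record headers are plaintext but the payload is ciphertext: decrypt first
            sheet = parse_boundsheet(data)
            result["sheets"].append(sheet)
            if sheet["type"] == 1 and sheet["hidden"] and not re.fullmatch(r"Macro\d+", sheet["name"]):
                result["suspect_macro_sheets"].append(sheet["name"])
    return result


# --- constructed sample streams (test data, not from the campaign) ---
def _rec(rtype, data):
    return struct.pack("<HH", rtype, len(data)) + data


def _boundsheet(name, hidden, sheet_type):
    raw = name.encode("latin-1")
    return _rec(BOUNDSHEET, struct.pack("<IBB", 0, hidden, sheet_type) + bytes([len(raw), 0]) + raw)


def _filepass_cryptoapi(csp):
    # EncryptionHeader: Flags, SizeExtra, AlgID(CALG_RC4), AlgIDHash(CALG_SHA1), KeySize, ProviderType, 2x Reserved, CSPName
    header = struct.pack("<8I", 0, 0, 0x6801, 0x8004, 0x80, 0x1, 0, 0) + (csp + "\x00").encode("utf-16-le")
    return _rec(FILEPASS, struct.pack("<HHH", 1, 4, 2) + struct.pack("<II", 0, len(header)) + header)


BOF_DATA = struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0)  # BIFF8, workbook globals

# What the stream looks like after decryption: lure worksheet plus three hidden macro sheets
DECRYPTED_SAMPLE = (_rec(BOF, BOF_DATA)
                    + _boundsheet("Sheet1", 0, 0)
                    + _boundsheet("Xq7vk", 2, 1)    # randomized name, very hidden, Excel 4.0 macro
                    + _boundsheet("Macro1", 1, 1)
                    + _boundsheet("Macro2", 1, 1))

# Same layout still encrypted; fixed filler bytes stand in for the encrypted BOUNDSHEET payloads
_FILLER = bytes(range(0x20, 0x30))
ENCRYPTED_SAMPLE = (_rec(BOF, BOF_DATA)
                    + _filepass_cryptoapi("Microsoft Enhanced Cryptographic Provider v1.0")
                    + b"".join(_rec(BOUNDSHEET, _FILLER) for _ in range(4)))

if __name__ == "__main__":
    print(triage(ENCRYPTED_SAMPLE))
    print(triage(DECRYPTED_SAMPLE))
```

Run against the encrypted stream, the script tells you the file is RC4 CryptoAPI encrypted with the named CSP and has four sheets, but cannot name them; after decrypting a copy (msoffcrypto-tool, the library msoffcrypto-crack is built on, accepts `-p VelvetSweatshop`), the second pass flags the very hidden macro sheet with the randomized name, which is the one the autorun in this campaign points to.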
Each set of spams shown in Figure 1 leads to a compromised website that hosts the malware Gozi, a banking trojan. The first download URL was already inaccessible at the time of investigation; however, the site was known to host the said malware.
Figure 6: The download URL from the first wave of spams
As for the second URL, we were able to download a Gozi malware sample, SHA1: c42006626c38640404ca4e0b0402bf7ffa0d53b0. Its C&C is dropshipbear[.]xyz.
Figure 7: A sample from the 2nd wave of spams downloads Gozi malware
Normally, the key to successfully delivering malware via a password protected attachment is the email recipient: the user must be enticed enough to open the attachment using the password provided in the email. But with the campaign presented here, the spammers found a way to eliminate this step. Using Excel's own feature, the spammers were able to bypass the user input for the password protected Excel files.
We are observing an increasing amount of malspam leveraging these password protected Excel 4.0 macros, likely because the malware authors found it effective at evading email gateways and other scanners. One of the Excel files we have seen from the campaign above has a VT score of 2/59 as of this writing. The Trustwave Secure Email Gateway is currently blocking this threat.
Note: Malware crafted using the two old Excel features shown in this blog are still macros and are still ineffective if Trust Center settings are set to at least medium security, which will prevent macros from automatically running.
jack_697121_.xls SHA1: ec7ebd1e4acfb2aae63f79e85084937c18f17f0b
vish_362106_.xls SHA1: 9296d886c0d2f1254df234507301409990fa34a9
dmitry.nosickow_283615_.xls SHA1: 29cd551c40014f93792c47dc4766abc85857bd92
jason_961079_.xls SHA1: ee819a9d0a467deaf1c2855ed441ad52029118fc
jbishop_737231_.xls SHA1: 358e5086c38aa2e67add6a14bfc89cffec06af37
lindsay.polkinghorne_577859_.xls SHA1: 6d1d801d856cd363f2e6b058c141c31e7f9d1628
dmitry.nosickow_831493_.xls SHA1: 4192ace9a8d9c5b905db4cdc18a1628633cf18f5
dmitry.nosickow_612949_.xls SHA1: 7029603deebdd8c4a15a3bd2cc23a719dadc194b
dmitry.nosickow_487325_.xls SHA1: bab3fc09504f73f177cb9005be1b732e9118dde3
katie_366948_.xls SHA1: 5f4c8cc1ee2953d52894d1f2e44f0e2d406f9249
teresa-646071021.xls SHA1: 5ADB73196A8511561A0ACD130C80F02A8698F059