The ASEC analysis team has found multiple distributions of malicious excel file that uses macro sheet (Excel 4.0 Macro) via phishing email. The use of macro sheet is a method commonly used by the distributor, and such method was also used in the distribution of malware such as SquirrelWaffle and Qakbot.
The malware that uses macro sheets was mentioned in the previous blogs as well. The distribution is not that different from previous methods, but considering that the files in similar forms are being massively distributed, users need to take extra caution.
Figure 1. Malicious excel macro file that is being frequently distributed in KoreaMost of the files have the filename of ‘Short-Length English Word-[0-9] {7,10}’ (e.g. biz-106093825.xls, recital-1105217019.xls, miss-1360738092.xls). The following are the files that the ASEC analysis team has found:
- biz-10682809.xls
- biz-108566842.xls
- recital-1105217019.xls
- miss-1601179456.xls
- proto-1643065415.xls
- miss-1360738092.xls
- record-1844987577.xls
- record-16733321.xls
Upon executing the excel file for the first time, the hidden sheets shown in the figure below are flashed to the users. These sheets have texts dispersed and hidden by using white-colored texts.
Figure 2. Hidden sheets
Figure 3. Macro code hidden using white color texts, and dispersedThe following is the analysis of macro code hidden and dispersed in the hidden sheet.
It is assumed that the purpose is to use regsvr32.exe for execution by using DownloadToFileA function to access external URLs in the sheet, and download additional malware by designating them as the filename of ‘C:\Datop\test.test’.
The file cannot be downloaded at the moment, thus an error occurs upon executing the macro; however, ‘test.test’ files that the team has obtained are assumed to be banking malware Qakbot.
Figure 4. Macro execution error due to unavailability of external URL connectionIf the connection to the external URL is possible and download of additional malware is possible, explorer.exe (Windows normal process) is executed and injected to shellcode to perform additional malicious behavior. The behavior of modifying the task scheduler for default execution persistence and POST connection for C2 is also confirmed in the Qakbot malware. See below for more information.
Figure 5. Execution behavior of explorer.exe found in the process tree
Figure 6. C2 found in memoryAdditionally, information collected about the infected system is sent to C2 via POST connection. General information including OS version, number of bits, username, computer name is also collected via the following system utility commands.
Figure 7. Process of information collection of infected system using AhnLab RAPITAs files with similar filenames are frequently being distributed, users must refrain from opening attachments with unknown sources when receiving an email with an attachment. It is also recommended to update the running anti-malware software to the latest version regularly.
AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.
[File Detection]
Downloader/XLS.XLMacro
[Behavior Detection]
Malware/MDP.Behavior.M3638
[IOC]
91725a6d34b1ebde3554d22797ee8b2d
hxxps://slterp[.]com/q6tM5LqSc7CV/alp.html
hxxps://uptownsparksenergy[.]com/Vcvci5hRYpb/alp.html
hxxps://greenhillsacademy[.]org/d1XXblsaG/alp.html
hxxps://jjfinserv[.]com/sPgUbTca273t/super.gif
hxxps://live.sportsanews[.]com/9oQZ7XHINQ/super.gif
hxxps://e2eprocess[.]cl/d12AIIiIB4Q1/super.gif
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
The post Malicious Excel File Using Macro Sheets Being Distributed in Korea (2) appeared first on ASEC BLOG.
Article Link: Malicious Excel File Using Macro Sheets Being Distributed in Korea (2) - ASEC BLOG