[ad_1]
Written by: Lakshya Mathur
Excel-based malware has been round for many years and has been in the limelight lately. Through the second half of 2020, we noticed adversaries utilizing Excel 4.0 macros, an previous expertise, to ship payloads to their victims. They have been primarily utilizing workbook streams through the XLSX file format. In these streams, adversaries have been capable of enter code straight into cells (that’s why they have been referred to as macro-formulas). Excel 4.0 additionally used API stage features like downloading a file, creation of information, invocation of different processes like PowerShell, cmd, and many others.
With the evolution of expertise, AV distributors began to detect these malicious Excel paperwork successfully and so to have extra obfuscation and evasion routines attackers started to shift to the XLSM file format. Within the first half of 2021, we now have seen a surge of XLSM malware delivering completely different household payloads (as proven in under an infection chart). In XLSM adversaries make use of Macrosheets to enter their malicious code straight into the cell formulation. XLSM construction is the identical as XLSX, however XLSM information help VBA macros which are extra superior expertise of Excel 4.0 macros. Utilizing these macrosheets, attackers have been capable of entry highly effective home windows functionalities and since this system is new and extremely obfuscated it can evade many AV detections.
Excel 4.0 and XLSM are each recognized to obtain different malware payloads like ZLoader, Trickbot, Qakbot, Ursnif, IcedID, and many others.
The above determine reveals the Variety of samples weekly detected by the detected identify “Downloader-FCEI” which particularly targets XLSM macrosheet primarily based malware.
Detailed Technical Evaluation
XLSM Construction
XLSM information are spreadsheet information that help macros. A macro is a set of directions that performs a document of steps repeatedly. XLSM information are primarily based upon Open XLM codecs that have been launched in Microsoft Workplace 2007. These file varieties are like XLSX however as well as, they help macros.
Speaking concerning the XLSM construction after we unzip the file, we see 4 fundamental contents of the file, these are proven under.
- _rels comprises the beginning package-level relationship.
- docProps comprises the metadata of the excel file.
- xl folder comprises the precise contents of the file.
- [Content_Types].xml has references to the XML information current inside the above folders.
We’ll focus extra on the “xl” folder contents. This folder comprises all of the excel file foremost contents like all of the worksheets, media information, kinds.xml file, sharedStrings.xml file, workbook.xml file, and many others. All these information and folders have information associated to completely different facets of the excel file. However for XLSM information we’ll deal with one distinctive folder referred to as macrosheets.
These XLSM information include macrosheets as proven in figure-2 that are nothing however XML sheet information that can help macros. These sheets aren’t obtainable in different Excel file codecs. In the previous few months, we now have seen an enormous surge in XLSM file-type malware during which attackers retailer malicious strings hidden inside these macrosheets. We’ll see extra particulars about such malware on this weblog.
To elucidate additional how attackers uses XLSM information we now have taken a Qakbot pattern with SHA 91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e.
An infection Chain
The an infection chain for each Excel 4.0 Qakbot and XLSM Qakbot is analogous. They each downloads dll and execute it utilizing rundll32.exe with DllResgisterServer because the export operate.
XLSM Risk Evaluation
On opening the XLSM file there may be a picture that prompts the consumer to allow the content material. To look reputable and clear malicious actors use a really official-looking template as proven under.
On digging deeper, we see its inner workbook.xml file.
Now as we are able to see within the workbook.xml file (Determine-5), there is a complete of 6 sheets and their state is hidden. Additionally, two cells have a predefined identify and one in all them is Sheet2323!$A$1 outlined as “_xlnm.Auto_Open” which is just like Sub Auto_Open() as we typically see in macro information. It mechanically runs the macros when the consumer clicks on Allow Content material.
As we noticed in Determine-3 on opening the file, we solely see the allow content material picture. Because the state of sheets was hidden, we are able to right-click on the principle sheet tab and we’ll see unhide possibility there, then we are able to choose every sheet to unhide it. On hiding the sheet and alter the font coloration to purple we noticed some random strings as seen in determine 6.
These hidden sheets include malicious strings in an obfuscated method. So, on analyzing extra we noticed that sheets inside the macrosheets folder include these malicious strings.
Now as we are able to in figure-7 completely different tags are used on this XML sheet file. All of the malicious strings are current in two tags <f> and <v> tags inside <sheetdata> tags. Now let’s look extra intimately about these tags.
<v> (Cell Worth) tags are used to retailer values contained in the cell. <f> (Cell System) tags are used to retailer formulation contained in the cell. Now within the above sheet <v> tags include the cached formulation worth primarily based on the final time formulation was calculated. System cells include formulation like “GOTO(Sheet2!H13)”, now as we are able to see right here attackers can retailer completely different formulation whereas referencing cells from completely different sheets. These operations are executed to supply increasingly more obfuscated sheets and evade AV signatures.
When the consumer clicks on the allow content material button the execution begins from the Auto_Open cell, after which every sheet formulation will begin to execute one after the other. The ultimate deobfuscated string is proven under.
Right here the URLDownloadToFIleA API is used to obtain the payload and the string “JJCCBB” is used to specify information varieties to name the API. There are a number of URI’s and from one in all them, the DLL payload will get downloaded and saved as ..lertio.cersw. This DLL payload is then executed utilizing rundll32. All these malicious actions get carried out utilizing varied excel primarily based formulation like REGISTER, EXEC, and many others.
Protection and prevention steering:
McAfee’s Endpoint merchandise detect this variant of malware as under:
The primary malicious doc with SHA256 (91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e) is detected as “Downloader-FCEI” with present DAT information.
Moreover, with the assistance of McAfee’s Skilled rule characteristic, clients can add a customized conduct rule, particular to this an infection sample.
Rule {
Course of {
Embrace OBJECT_NAME { -v “EXCEL.exe” }
}
Goal {
Match PROCESS {
Embrace OBJECT_NAME { -v “rundll32.exe” }
Embrace PROCESS_CMD_LINE { -v “* ..*.*,DllRegisterServer” }
Embrace -access “CREATE”
}
}
}
McAfee advises all customers to keep away from opening any e-mail attachments or clicking any hyperlinks current within the mail with out verifying the identification of the sender. All the time disable the Macro execution for Workplace information. We advise everybody to learn our weblog on these kind of malicious XLSM information and their obfuscation strategies to grasp extra concerning the menace.
Totally different strategies & ways are utilized by the malware to propagate, and we mapped these with the MITRE ATT&CK platform.
- T1064(Scripting): Use of Excel 4.0 macros and completely different excel formulation to obtain the malicious payload.
- Protection Evasion (T1218.011): Execution of Signed binary to abuse Rundll32.exe and proxy executes the malicious code is noticed on this Qakbot variant.
- Protection Evasion (T1562.001): Workplace file tries to persuade a sufferer to disable safety features by utilizing a clean-looking picture.
- Command and Management(T1071): Use of Software Layer Protocol HTTP to connect with the internet after which downloads the malicious payload.
Conclusion
XLSM malware has been seen delivering many malware households. Many main households like Trickbot, Gozi, IcedID, Qakbot are utilizing these XLSM macrosheets in excessive amount to ship their payloads. These assaults are nonetheless evolving and carry on utilizing varied obfuscated strings to use varied home windows utilities like rundll32, regsvr32, PowerShell, and many others.
Resulting from safety issues, macros are disabled by default in Microsoft Workplace functions. We propose it’s solely secure to allow them when the doc acquired is from a trusted supply and macros serve an anticipated goal.
[ad_2]
