[ad_1]
Written by: Lakshya Mathur
Excel-based malware has been round for many years and has been in the limelight lately. Through the second half of 2020, we noticed adversaries utilizing Excel 4.0 macros, an previous know-how, to ship payloads to their victims. They have been primarily utilizing workbook streams by way of the XLSX file format. In these streams, adversaries have been capable of enter code straight into cells (that’s why they have been known as macro-formulas). Excel 4.0 additionally used API stage capabilities like downloading a file, creation of information, invocation of different processes like PowerShell, cmd, and so forth.
With the evolution of know-how, AV distributors began to detect these malicious Excel paperwork successfully and so to have extra obfuscation and evasion routines attackers started to shift to the XLSM file format. Within the first half of 2021, we’ve seen a surge of XLSM malware delivering completely different household payloads (as proven in beneath an infection chart). In XLSM adversaries make use of Macrosheets to enter their malicious code immediately into the cell formulation. XLSM construction is the similar as XLSX, however XLSM information help VBA macros which are extra superior know-how of Excel 4.0 macros. Utilizing these macrosheets, attackers have been capable of entry highly effective home windows functionalities and since this system is new and extremely obfuscated it can evade many AV detections.
Excel 4.0 and XLSM are each identified to obtain different malware payloads like ZLoader, Trickbot, Qakbot, Ursnif, IcedID, and so forth.
Area hits for XLSM macrosheet malware detection
The above determine reveals the Variety of samples weekly detected by the detected identify “Downloader-FCEI” which particularly targets XLSM macrosheet primarily based malware.
Detailed Technical Evaluation
XLSM Construction
XLSM information are spreadsheet information that help macros. A macro is a set of directions that performs a document of steps repeatedly. XLSM information are primarily based upon Open XLM codecs that have been launched in Microsoft Workplace 2007. These file sorts are like XLSX however as well as, they help macros.
Speaking in regards to the XLSM construction once we unzip the file, we see 4 primary contents of the file, these are proven beneath.
Determine-1: Content material inside XLSM file
_rels comprises the beginning package-level relationship.
docProps comprises the metadata of the excel file.
xl folder comprises the precise contents of the file.
[Content_Types].xml has references to the XML information current throughout the above folders.
We are going to focus extra on the “xl” folder contents. This folder comprises all of the excel file foremost contents like all of the worksheets, media information, kinds.xml file, sharedStrings.xml file, workbook.xml file, and so forth. All these information and folders have knowledge associated to completely different features of the excel file. However for XLSM information we are going to give attention to one distinctive folder known as macrosheets.
These XLSM information comprise macrosheets as proven in figure-2 that are nothing however XML sheet information that can help macros. These sheets should not out there in different Excel file codecs. In the previous few months, we’ve seen an enormous surge in XLSM file-type malware during which attackers retailer malicious strings hidden inside these macrosheets. We are going to see extra particulars about such malware on this weblog.
Determine-2: Macrosheets folder inside xl folder
To elucidate additional how attackers makes use of XLSM information we’ve taken a Qakbot pattern with SHA 91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e.
An infection Chain
Determine-3: An infection chain for Qakbot Malware
The an infection chain for each Excel 4.0 Qakbot and XLSM Qakbot is comparable. They each downloads dll and execute it utilizing rundll32.exe with DllResgisterServer because the export perform.
XLSM Risk Evaluation
On opening the XLSM file there may be a picture that prompts the person to allow the content material. To look reputable and clear malicious actors use a really official-looking template as proven beneath.
Determine-4 Picture of Xlsm file face
On digging deeper, we see its inside workbook.xml file.
Determine-5: workbook.xml content material
Now as we are able to see within the workbook.xml file (Determine-5), there is a complete of 6 sheets and their state is hidden. Additionally, two cells have a predefined identify and one in all them is Sheet2323!$A$1 outlined as “_xlnm.Auto_Open” which is just like Sub Auto_Open() as we usually see in macro information. It mechanically runs the macros when the person clicks on Allow Content material.
As we noticed in Determine-3 on opening the file, we solely see the allow content material picture. For the reason that state of sheets was hidden, we are able to right-click on the primary sheet tab and we are going to see unhide choice there, then we are able to choose every sheet to unhide it. On hiding the sheet and alter the font shade to purple we noticed some random strings as seen in determine 6.
Determine-6: Sheet face of xlsm file
These hidden sheets comprise malicious strings in an obfuscated method. So, on analyzing extra we noticed that sheets inside the macrosheets folder comprise these malicious strings.
Determine-7: Content material of macrosheet XML file
Now as we are able to in figure-7 completely different tags are used on this XML sheet file. All of the malicious strings are current in two tags <f> and <v> tags inside <sheetdata> tags. Now let’s look extra intimately about these tags.
<v> (Cell Worth) tags are used to retailer values contained in the cell. <f> (Cell Formulation) tags are used to retailer formulation contained in the cell. Now within the above sheet <v> tags comprise the cached formulation worth primarily based on the final time formulation was calculated. Formulation cells comprise formulation like “GOTO(Sheet2!H13)”, now as we are able to see right here attackers can retailer completely different formulation whereas referencing cells from completely different sheets. These operations are carried out to provide increasingly more obfuscated sheets and evade AV signatures.
When the person clicks on the allow content material button the execution begins from the Auto_Open cell, after which every sheet formulation will begin to execute one after the other. The ultimate deobfuscated string is proven beneath.
Determine-8: Ultimate De-Obfuscated strings from the file
Right here the URLDownloadToFIleA API is used to obtain the payload and the string “JJCCBB” is used to specify knowledge sorts to name the API. There are a number of URI’s and from one in all them, the DLL payload will get downloaded and saved as ..lertio.cersw. This DLL payload is then executed utilizing rundll32. All these malicious actions get carried out utilizing varied excel primarily based formulation like REGISTER, EXEC, and so forth.
Protection and prevention steerage:
McAfee’s Endpoint merchandise detect this variant of malware as beneath:
The principle malicious doc with SHA256 (91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e) is detected as “Downloader-FCEI” with present DAT information.
Moreover, with the assistance of McAfee’s Skilled rule characteristic, clients can add a customized conduct rule, particular to this an infection sample.
Rule {
Course of {
Embody OBJECT_NAME { -v “EXCEL.exe” }
}
Goal {
Match PROCESS {
Embody OBJECT_NAME { -v “rundll32.exe” }
Embody PROCESS_CMD_LINE { -v “* ..*.*,DllRegisterServer” }
Embody -access “CREATE”
}
}
}
McAfee advises all customers to keep away from opening any e-mail attachments or clicking any hyperlinks current within the mail with out verifying the id of the sender. All the time disable the Macro execution for Workplace information. We advise everybody to learn our weblog on some of these malicious XLSM information and their obfuscation methods to grasp extra in regards to the menace.
Completely different methods & techniques are utilized by the malware to propagate, and we mapped these with the MITRE ATT&CK platform.
T1064(Scripting): Use of Excel 4.0 macros and completely different excel formulation to obtain the malicious payload.
Protection Evasion (T1218.011): Execution of Signed binary to abuse Rundll32.exe and proxy executes the malicious code is noticed on this Qakbot variant.
Protection Evasion (T1562.001): Workplace file tries to persuade a sufferer to disable safety features by utilizing a clean-looking picture.
Command and Management(T1071): Use of Utility Layer Protocol HTTP to hook up with the internet after which downloads the malicious payload.
Conclusion
XLSM malware has been seen delivering many malware households. Many main households like Trickbot, Gozi, IcedID, Qakbot are utilizing these XLSM macrosheets in excessive amount to ship their payloads. These assaults are nonetheless evolving and carry on utilizing varied obfuscated strings to take advantage of varied home windows utilities like rundll32, regsvr32, PowerShell, and so forth.
Attributable to safety considerations, macros are disabled by default in Microsoft Workplace purposes. We advise it’s solely protected to allow them when the doc acquired is from a trusted supply and macros serve an anticipated goal.
x3Cimg peak=”1″ width=”1″ type=”show:none” src=”https://www.fb.com/tr?id=766537420057144&ev=PageView&noscript=1″ />x3C/noscript>’);
[ad_2]