Thursday, 9 April 2020

XLM Hidden Macrosheets used for Evasion

Recently we have observed an increase in the usage of XLM based macro files which use Excel 4.0 macros and hidden macrosheets by attackers. I think threat actors will start leveraging this format even more in the near future. The advantage of using this format for attacks is that they don't use standard VBA macros. Most of the open source OLE VBA tools don't have the capability to extract the macros from them.

On April 9th 2020, I started observing a lot of XLS samples in the wild which used XLM Excel 4.0 hidden macrosheets for performing malicious activities.

This blog is a quick writeup to capture more information about this ongoing campaign.

All the files followed the naming convention: <Person's Name Resume>.xls

Examples:

Filename: James Johnson Resume.xls
MD5 hash: 18ddf82706bcc79d12d0033df6991271

Filename: William Smith Resume.xls
MD5 hash: 971dcb961e8a894ed395a007965c7408

Filename: Maria Hernandez Resume.xls
MD5 hash: f5cf86e2acd65772a078c73fbbb70429

Interestingly all these samples have a detection of 0 on VT at the time of writing this blog as shown below.


Now, let us look at the macro code.

For the purpose of analysis, we will check the XLS file with MD5 hash: f5cf86e2acd65772a078c73fbbb70429

The contents of the file look like shown below.


It uses Social engineering to ask the user to enable macros so that the content of the file can be viewed. Unlike regular macro based XLS files used in spam campaigns, this one does not have a VBA macro which can be extracted easily.

It uses hidden macrosheets which have to be unhidden manually as shown below.



The macro code itself can be accessed by opening these hidden macrosheets. This an Excel 4.0 macro and the code can be seen in different cells of the worksheet as shown below.


The macro upon execution will connect to the C2 server to download a DLL which will be loaded dynamically using rundll32 to continue the malicious activities.

The network connection and response are shown below:


From whois lookup, it can be seen that the callback domain: march262020.com was registered on March 26th 2020.

I'll add more details of the campaign as they are discovered in this blog.

Indicators of Compromise

URLs hosting the Zloader DLL:

march262020[.]com/files/april8.dll

MD5 hashes of the XLM files:

18ddf82706bcc79d12d0033df6991271
971dcb961e8a894ed395a007965c7408
f5cf86e2acd65772a078c73fbbb70429
6119caae6f7ca97b5ebff0d0a51fa3cc
1173d6eb89e9b3d8549a9c786065990c

c0d3inj3cT

No comments:

Post a comment