Caution! Malicious Excel Macros Being Distributed Indiscriminately Through Emails!
The ASEC analysis team discovered that Excel files containing the same type of malicious macro are being distributed indiscriminately through emails.
These Excel files contain macros that download additional malware. Recently, reply emails sent to random recipients were found to carry threatening text together with malicious Excel macro files.

Figure 1. Spam mail that is being distributed randomly (1)

Figure 2. Spam mail that is being distributed randomly (2)

Figure 3. Spam mail that is being distributed randomly (3)
One feature the three collected emails share is that they all pose as reply mails and distribute Excel files with malicious macros. In the example in Figure 3, the email is disguised as a reply to the invitation mail for ‘KINGCA week 2021’ and prompts the recipient to check the mail.
Upon downloading and opening the attached file, the user sees an Excel file with the same filename as the compressed file.

Figure 4. Excel macro file inside compressed file

Figure 5. Text urging users to view hidden sheets and enable macros
The Excel 4.0 macro (formula macro) technique that was introduced previously continues to be found frequently to this day. Malicious Excel files that use formula macros generally have the following three characteristics.
1) Hidden sheets
2) Macros hidden within the sheet as white-colored text
3) Download and execution of additional malware from external URLs

Figure 6. Hidden and scattered formula macros

Figure 7. XML file (sharedStrings.xml) found inside Excel file
The file introduced in this post has all three characteristics, which becomes clear on checking its internal XML file. When the macro runs, it uses the URLDownloadToFileA function to download additional executable files from a URL in the format hxxp://[malicious IP]/[designated numbers].dat. The downloaded files are then run through rundll32.exe with DllRegisterServer as the parameter.
As the team could not access the URL, the identity of the additionally downloaded malware remains unknown. However, judging from previous cases, it is likely that the macro would download executable files such as ransomware, BokBot, and QakBot.
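The hidden-sheet and download-string characteristics described above can be checked statically before an attachment is ever opened in Excel. The following is an added example, not code from ASEC or AhnLab: it assumes an OOXML workbook (.xlsx/.xlsm/.xlsb-style zip container with `xl/workbook.xml` and `xl/sharedStrings.xml`), the function names are hypothetical, and the sample workbook and its 192.0.2.10 URL are constructed for the demonstration. It does not cover the white-text characteristic.

```python
import io
import re
import zipfile

# Strings the article names in the download-and-run chain (matched case-insensitively).
INDICATORS = ("URLDownloadToFileA", "rundll32", "DllRegisterServer")
URL_RE = re.compile(r"https?://[^\s<\"']+", re.I)
SHEET_RE = re.compile(r"<sheet\b[^>]*>")


def triage_xlsx(data: bytes) -> dict:
    """Statically inspect an OOXML workbook given as bytes; nothing in it is executed."""
    out = {"hidden_sheets": [], "macro_sheets": [], "indicators": set(), "urls": set()}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Excel 4.0 (formula) macro sheets are stored under xl/macrosheets/.
        out["macro_sheets"] = sorted(
            n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml"))
        # Characteristic 1: sheets whose state is hidden or veryHidden.
        if "xl/workbook.xml" in names:
            wb = zf.read("xl/workbook.xml").decode("utf-8", "replace")
            for tag in SHEET_RE.findall(wb):
                state = re.search(r'\bstate="(hidden|veryHidden)"', tag)
                name = re.search(r'\bname="([^"]*)"', tag)
                if state:
                    out["hidden_sheets"].append(
                        (name.group(1) if name else "?", state.group(1)))
        # Characteristic 3: download/run strings and URLs in sharedStrings.xml
        # and in the macro sheets themselves.
        for n in ["xl/sharedStrings.xml"] + out["macro_sheets"]:
            if n in names:
                text = zf.read(n).decode("utf-8", "replace")
                out["indicators"].update(i for i in INDICATORS if i.lower() in text.lower())
                out["urls"].update(URL_RE.findall(text))
    out["indicators"], out["urls"] = sorted(out["indicators"]), sorted(out["urls"])
    return out


def constructed_sample() -> bytes:
    """Build a harmless, constructed workbook skeleton (not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", '<workbook><sheets><sheet name="Sheet1" sheetId="1"/>'
                    '<sheet name="Macro1" sheetId="2" state="hidden"/></sheets></workbook>')
        zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
        zf.writestr("xl/sharedStrings.xml", "<sst><si><t>URLDownloadToFileA</t></si>"
                    "<si><t>http://192.0.2.10/12345.dat</t></si><si><t>rundll32</t></si></sst>")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_xlsx(constructed_sample()))
```

Because formula macros are often scattered across cells (Figure 6), whole-string matches can be missed; a hidden sheet combined with a macro sheet is reason enough to escalate the file for review.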
Users should not open emails from unknown sources, and should keep their anti-malware product updated to the latest version.
AhnLab’s anti-malware product, V3, detects and blocks the files above using the aliases below.
[File Detection]
Downloader/XLS.XlmMacro
Downloader/XLS.Generic