Search
Close this search box.

Excel4 Macro Malware Delivers Gozi/Ursnif via a VelvetSweatshop Revival

We have been seeing a surge in Excel malware using Excel4 Macros (XLM) in hidden worksheets. Recently, malicious actors started reviving an age-old technique to further hide the malicious XLM code by leveraging the VelvetSweatshop secret password in Excel workbooks.

What is Macro Malware? 

Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. 

Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.

An Analysis of Excel4 Macro Malware

The email attachments are encrypted Excel workbooks, which contain Excel4 (XLM) Formula macros found in hidden sheets. Many years ago, a default secret password used in Excel worksheets was exploited by malicious actors to deliver malware, and today this same secret password is being taken advantage of to thwart scan engines from easily detecting malicious Excel workbooks using Excel4 macros.

This can be checked by using msoffcrypto-tool to see if an Office document is encrypted and try to decrypt using the default secret password “VelvetSweatshop”.

Figure 1.0 Checking XLS sample with msoffcrypto-tool

Opening the decrypted Excel workbook, you may be able to unhide the hidden worksheets by right-clicking on the sheet tab and selecting “Unhide”. You may opt to unhide all the hidden sheets by simply selecting the sheet name from the dialog box and clicking on OK.

Figure 2.0 Unhiding hidden sheets in Excel

Once you have unhidden the hidden sheets, click on the label drop-down to check for any presence of auto-executable Excel4 Macros. In this case, the Excel4 Macro automatically run when the workbook is opened by using the built-in name “Auto_Open”.

Figure 3.0 Auto-executable cell

Looking at the code in Excel is quite intimidating and following it manually will also be time consuming. So to quickly analyze the Excel4 macro code, we run our modified version of olevba to dump the Excel4 macro code to file and run our own XLM parser to see what the code does.

Figure 4.0 Running modified olevba tool on sample

Figure 4.1 Running xlm_parse on extracted XLM code from olevba

With this we can now see that the code simply attempts to download a file from hxxps://www[.]remsoft[.]it/conrol/pack.php, save it to C:ProgramDatavKrJuyZ.exe and execute it via ShellExecute.

Final Payload: A Gozi Malware Variant

The final payload is a variant of the Gozi malware family, which monitors network traffic and may attempt to steal login credentials from browsers or mail applications.

This variant also makes use of WMI Query Language to gather data about the system it is running on, which is then added to the info it sends out to its server.

Figure 5.0 Gozi WMI Query

Figure 5.1 Collected system information

Figure 5.2 Gozi ISFB RM3 Config

Indicators of Compromise

Email Subject: Important information about CoVid-19 – 1208302495 / 1208302495

Email SHA256: 782FE75B25105E479F05A248BA03F6B2B7BCBE3EF42588B88FC7335FDE2AFA9A

Attachment: dmitry.nosickow-1208302495-.xls

Attachment SHA256: 3a9bf49d9fd37eafc03241183b906b7c326e6bb996a747c788d2593f431a322b

Attachment Detection: XLS/EncBook.B.gen!Camelot

Payload URL: hxxps://ambrella[.]it/licenza/bhostwindpackage.php

Payload SHA256: 1cffc61225af1735b653923723d82a40b68668450a7fbf843fcd9c057aca3aec

Payload Executable Path: C:ProgramDatanCjBmqQ.exe

Payload Detection: W32/Agent.BRU.gen!Eldorado

Email Subject: statement – ! 655079-655079

Email SHA256: 1edf92cca219c97029ae997f91ef8febdc2df807f887df68942af1517459429d

Attachment: mcerullo655079.xls

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Attachment Detection: XLS/EncBook.A.gen!Camelot

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Payload URL: hxxps://istitutobpascalweb[.]it/mynotescom/renoovohostinglilnuxadvanced.php

Payload SHA256: df11bd82dc0f4b9f5b3e15ad6e1bc575db769066f7797eb7872859c9013a74db

Payload Executable Path: C:RPJbYuRpvrDGVqrCLGjyS.exe

Payload Detection: W32/Agent.BRK.gen!Eldorado

Email Subject: [WARNING : MESSAGE ENCRYPTED]Co-Vid Important information- 462588175 / 462588175

Email SHA256: 1AE77BED5F3E42A7C2E087A68C19EBBDCEB46339564B937F6E40AA9BF39E641D

Attachment: keiran-462588175.xls

Attachment Detection: XLS/EncBook.B.gen!Camelot

Attachment SHA256: e35f99ba6352f36294435ae2216de027ba83fbcd678d8c4d6fb17fff8ffd205d

Payload URL: hxxps://www[.]remsoft[.]it/conrol/pack.php

Payload SHA256: 0f28ce7cab6badbfca27ce8907ef0c34b9d15a4e5c7034318097db815a534715

Payload Executable Path: C:ProgramDatavKrJuyZ.exe

Payload Detection: W32/Kryptik.ARD

How to Protect Against Excel Malware

There are a few different ways you can protect your business from Excel malware attacks:

  • Ensure macros are disabled within any Microsoft Office applications. 
  • Do not open any suspicious emails or attachments.
  • Delete emails from unknown people or those that may contain suspicious Office 365 links or content. Spam or phishing emails are the usual way macro malware spreads.
  • Run executable content by using ASR rules.

Final Thoughts

Ready to learn more about how you can protect your business from O365 Excel malware attacks? Request a demo with the Cyren team today.

References

[/et_pb_text][/et_pb_column][/et_pb_row][et_pb_row _builder_version=”3.25″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”][et_pb_column type=”4_4″ _builder_version=”3.25″ custom_padding=”|||” pac_dcm_carousel_specific_module_num=”0″ global_colors_info=”{}” custom_padding__hover=”|||”][et_pb_text _builder_version=”3.27.4″ background_size=”initial” background_position=”top_left” background_repeat=”repeat” global_colors_info=”{}”]

We have been seeing a surge in Excel malware using Excel4 Macros (XLM) in hidden worksheets. Recently, malicious actors started reviving an age-old technique to further hide the malicious XLM code by leveraging the VelvetSweatshop secret password in Excel workbooks.

What is Macro Malware?

Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. 

Macro malware hides in Microsoft Office files and is delivered as email attachments or inside ZIP files. These files use names that are intended to entice or scare people into opening them. They often look like invoices, receipts, legal documents, and more.

An Analysis of Excel4 Macro Malware

The email attachments are encrypted Excel workbooks, which contain Excel4 (XLM) Formula macros found in hidden sheets. Many years ago, a default secret password used in Excel worksheets was exploited by malicious actors to deliver malware, and today this same secret password is being taken advantage of to thwart scan engines from easily detecting malicious Excel workbooks using Excel4 macros.

This can be checked by using msoffcrypto-tool to see if an Office document is encrypted and try to decrypt using the default secret password “VelvetSweatshop”.

Figure 1.0 Checking XLS sample with msoffcrypto-tool

Opening the decrypted Excel workbook, you may be able to unhide the hidden worksheets by right-clicking on the sheet tab and selecting “Unhide”. You may opt to unhide all the hidden sheets by simply selecting the sheet name from the dialog box and clicking on OK.

Figure 2.0 Unhiding hidden sheets in Excel

Once you have unhidden the hidden sheets, click on the label drop-down to check for any presence of auto-executable Excel4 Macros. In this case, the Excel4 Macro automatically run when the workbook is opened by using the built-in name “Auto_Open”.

Figure 3.0 Auto-executable cell

Looking at the code in Excel is quite intimidating and following it manually will also be time consuming. So to quickly analyze the Excel4 macro code, we run our modified version of olevba to dump the Excel4 macro code to file and run our own XLM parser to see what the code does.

Figure 4.0 Running modified olevba tool on sample

Figure 4.1 Running xlm_parse on extracted XLM code from olevba

With this we can now see that the code simply attempts to download a file from hxxps://www[.]remsoft[.]it/conrol/pack.php, save it to C:ProgramDatavKrJuyZ.exe and execute it via ShellExecute.

Final Payload: A Gozi Malware Variant

The final payload is a variant of the Gozi malware family, which monitors network traffic and may attempt to steal login credentials from browsers or mail applications.

This variant also makes use of WMI Query Language to gather data about the system it is running on, which is then added to the info it sends out to its server.

Figure 5.0 Gozi WMI Query

Figure 5.1 Collected system information

Figure 5.2 Gozi ISFB RM3 Config

Indicators of Compromise

Email Subject: Important information about CoVid-19 – 1208302495 / 1208302495

Email SHA256: 782FE75B25105E479F05A248BA03F6B2B7BCBE3EF42588B88FC7335FDE2AFA9A

Attachment: dmitry.nosickow-1208302495-.xls

Attachment SHA256: 3a9bf49d9fd37eafc03241183b906b7c326e6bb996a747c788d2593f431a322b

Attachment Detection: XLS/EncBook.B.gen!Camelot

Payload URL: hxxps://ambrella[.]it/licenza/bhostwindpackage.php

Payload SHA256: 1cffc61225af1735b653923723d82a40b68668450a7fbf843fcd9c057aca3aec

Payload Executable Path: C:ProgramDatanCjBmqQ.exe

Payload Detection: W32/Agent.BRU.gen!Eldorado

Email Subject: statement – ! 655079-655079

Email SHA256: 1edf92cca219c97029ae997f91ef8febdc2df807f887df68942af1517459429d

Attachment: mcerullo655079.xls

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Attachment Detection: XLS/EncBook.A.gen!Camelot

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Payload URL: hxxps://istitutobpascalweb[.]it/mynotescom/renoovohostinglilnuxadvanced.php

Payload SHA256: df11bd82dc0f4b9f5b3e15ad6e1bc575db769066f7797eb7872859c9013a74db

Payload Executable Path: C:RPJbYuRpvrDGVqrCLGjyS.exe

Payload Detection: W32/Agent.BRK.gen!Eldorado

Email Subject: [WARNING : MESSAGE ENCRYPTED]Co-Vid Important information- 462588175 / 462588175

Email SHA256: 1AE77BED5F3E42A7C2E087A68C19EBBDCEB46339564B937F6E40AA9BF39E641D

Attachment: keiran-462588175.xls

Attachment Detection: XLS/EncBook.B.gen!Camelot

Attachment SHA256: e35f99ba6352f36294435ae2216de027ba83fbcd678d8c4d6fb17fff8ffd205d

Payload URL: hxxps://www[.]remsoft[.]it/conrol/pack.php

Payload SHA256: 0f28ce7cab6badbfca27ce8907ef0c34b9d15a4e5c7034318097db815a534715

Payload Executable Path: C:ProgramDatavKrJuyZ.exe

Payload Detection: W32/Kryptik.ARD

How to Protect Against Excel Malware

There are a few different ways you can protect your business from Excel malware attacks:

  • Ensure macros are disabled within any Microsoft Office applications. 
  • Do not open any suspicious emails or attachments.
  • Delete emails from unknown people or those that may contain suspicious Office 365 links or content. Spam or phishing emails are the usual way macro malware spreads.
  • Run executable content by using ASR rules.

Final Thoughts

Ready to learn more about how you can protect your business from O365 Excel malware attacks? Request a demo with the Cyren team today.

References