We identified a potential campaign in preparation in which the victim receives a ZIP file containing a malicious Excel file embedding Excel 4.0 macros; user interaction is required to infect the victim.

[Image: Malicious Excel file]

The chain works as follows:

  • The victim receives a compressed archive (.xls.zip).
  • Once opened, the .xls file asks the user to enable macros. The Excel 4.0 macro then connects to a remote server with a web request that returns the malicious macro code to be executed. This is quite ingenious: it gives the attacker some flexibility, and it also evades traditional detection, since the malicious macros are not inside the file itself.
  • The downloaded macro retrieves a DLL, which is executed with regsvr32.
  • Oddly enough, the downloaded DLL is a 32-bit DLL whose only action is to call WinExec() on the Windows Calculator application.
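The chain above leaves a recognisable trail in endpoint telemetry: Excel spawning regsvr32, regsvr32 registering a DLL from a user-writable directory, and DNS or network traffic to the infrastructure listed in the IoC section at the end of the post. The following detector is an added example, not code from the original post: it runs those checks over a simplified, assumed Sysmon-style event format (dicts with "type", "host", "image", "parent_image", "command_line", "query", "dst_ip", "image_loaded" and "sha256" fields) and over constructed sample events, then correlates hits per host so that a lone weak signal is ranked below a host that shows several stages of the chain.

```python
"""Detector for the Excel 4.0 -> regsvr32 -> DLL chain described in the post.

This is an added example, not code from the original post. The event
format (dicts with "type", "host", "image", "parent_image", "command_line",
"query", "dst_ip", "image_loaded", "sha256") is an assumed, simplified
Sysmon-style shape, and SAMPLE_EVENTS below are constructed for illustration.
"""
from collections import defaultdict

# Indicators from the IoC section of the post (hashes are compared case-insensitively).
IOC_DOMAINS = {"veqejzkb.xyz", "merystol.xyz"}
IOC_IPS = {"161.117.177.248"}
IOC_SHA256 = {
    "85697bfc0e89c5499a46aeec656b3b9facd8b9fe7174b3db9b2b9f7dbcbaaedb",  # the calc DLL
    "95a90c0b8ec19142bf8bb125ddaabcffe8d2ce41c6fd6a0836ad8f47c3cea693",  # .xls samples
    "9f2439791d0773be5e29730294f4635a3bac4a0d3d1d537aab5f9e8801c4281f",
    "25f63735898aefd98b8f9f9cd5e7f725b5a0e6626a65ad3aa2875e56b8af6c09",
    "47aa7e92b26278ed656aceae21db6c6877c7a006e38f0e95f85ea07c99787e0b",
}

# Behavioural signals that survive a change of domains or hashes: an Office
# application spawning a DLL/script host, and regsvr32 registering a DLL from
# a directory that a macro running as the user can write to.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
LOLBINS = {"regsvr32.exe", "rundll32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")


def basename(path):
    """Last path component, lower-cased, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a list of (rule, detail) findings for a single event."""
    findings = []
    kind = ev["type"]
    if kind == "process":
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev.get("command_line", "").lower()
        if parent in OFFICE_PARENTS and image in LOLBINS:
            findings.append(("office_spawns_lolbin", f"{parent} -> {image}"))
        if image == "regsvr32.exe" and any(p in cmd for p in USER_WRITABLE):
            findings.append(("regsvr32_user_writable_dll", cmd))
    elif kind == "dns":
        if ev["query"].lower().rstrip(".") in IOC_DOMAINS:
            findings.append(("ioc_domain", ev["query"]))
    elif kind == "network":
        if ev["dst_ip"] in IOC_IPS:
            findings.append(("ioc_ip", ev["dst_ip"]))
    elif kind == "imageload":
        if ev.get("sha256", "").lower() in IOC_SHA256:
            findings.append(("ioc_hash", ev["image_loaded"]))
    return findings


def detect(events):
    """Run every event through check_event; returns (host, rule, detail) tuples."""
    return [(ev["host"], rule, detail)
            for ev in events for rule, detail in check_event(ev)]


def hosts_to_triage(alerts, min_rules=2):
    """Hosts on which at least `min_rules` distinct rules fired.

    One regsvr32 launched from a user-writable path is worth a look; the same
    host also resolving one of the IoC domains is an incident. Returns
    {host: sorted rule names}.
    """
    by_host = defaultdict(set)
    for host, rule, _ in alerts:
        by_host[host].add(rule)
    return {h: sorted(r) for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample telemetry: ws01 reproduces the chain from the post,
# ws02 is a legitimate installer registering a DLL, ws03 is a single weak hit.
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": OFFICE,
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'"EXCEL.EXE" C:\Users\alice\Downloads\invoice.xls'},
    {"type": "dns", "host": "ws01", "query": "merystol.xyz"},
    {"type": "network", "host": "ws01", "dst_ip": "161.117.177.248"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "parent_image": OFFICE,
     "command_line": r"regsvr32 /s C:\Users\alice\AppData\Local\Temp\w.dll"},
    {"type": "imageload", "host": "ws01", "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "image_loaded": r"C:\Users\alice\AppData\Local\Temp\w.dll",
     "sha256": "85697BFC0E89C5499A46AEEC656B3B9FACD8B9FE7174B3DB9B2B9F7DBCBAAEDB"},
    {"type": "process", "host": "ws02", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "command_line": r"regsvr32 /s C:\Program Files\Vendor\vendor.dll"},
    {"type": "dns", "host": "ws02", "query": "www.microsoft.com"},
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"regsvr32 C:\Users\bob\Downloads\setup.dll"},
]

if __name__ == "__main__":
    alerts = detect(SAMPLE_EVENTS)
    for host, rule, detail in alerts:
        print(f"{host:5} {rule:28} {detail}")
    print("triage:", hosts_to_triage(alerts))
```

The hash, domain and IP rules only catch this exact wave; the two behavioural rules are the ones worth keeping once the attackers rotate infrastructure, which the post suggests they may do. Running the block prints six findings, all but one on ws01, and only ws01 is returned for triage.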

We found that the distributing domains are hosted on Alibaba Cloud; details are provided at the end of the blog post. The domains were registered on Feb 7, 2020 and Feb 10, 2020.

[Image: Web query dynamically retrieving the DLL]

[Image: Sometimes you see it, sometimes you don't.]

It is unclear at this point whether the attackers are just scoping and testing an upcoming campaign.

[Image: Malicious DLL executing WinExec('calc')]

[Image: The original DLL name appears to be w32-dll-run-shellcode.dll]

The shellcode is almost an exact copy of a shellcode available on GitHub, which is itself a modified version of the ten-year-old w32-bind-ngs-shellcode written by another researcher.

This could mean that the attackers are still in training, learning how to spam and infect victims, or that these servers will later be rotated to serve more malicious content. It is also unclear whether this campaign is connected to Dudear.

[Image: Detection on VirusTotal is still low at the time of writing.]

Key Recommendations:

  • Do not enable macros on files from unknown senders.
  • Always be suspicious of legacy Office files such as .XLS, .DOC or .RTF.
  • Make sure memory analysis is part of your incident response strategy, to detect and assess potential infections on hosts. We can help you with our automated platform and utilities.
  • Consider using Application Guard for Microsoft Office.
  • Follow us on Twitter / LinkedIn to stay informed about emerging campaigns and techniques.

Indicators of compromise (IoCs):

Excel File Hashes:

95A90C0B8EC19142BF8BB125DDAABCFFE8D2CE41C6FD6A0836AD8F47C3CEA693
9F2439791D0773BE5E29730294F4635A3BAC4A0D3D1D537AAB5F9E8801C4281F
25F63735898AEFD98B8F9F9CD5E7F725B5A0E6626A65AD3AA2875E56B8AF6C09
47AA7E92B26278ED656ACEAE21DB6C6877C7A006E38F0E95F85EA07C99787E0B

Malicious DLL Hash:

85697BFC0E89C5499A46AEEC656B3B9FACD8B9FE7174B3DB9B2B9F7DBCBAAEDB

Domain Names & Servers:

Both domains share a common IP address and are hosted on Alibaba Cloud.

  • veqejzkb.xyz (Registered On 2020-02-10)
  • merystol.xyz (Registered On 2020-02-07)
  • 161.117.177.248