Written by: Lakshya Mathur<\/p>\n
Excel-based malware has been around\u00a0for decades\u00a0and\u00a0has been\u00a0in\u00a0the\u00a0limelight in recent years.\u00a0During the second half of 2020,\u00a0we saw adversaries using Excel 4.0 macros,\u00a0an\u00a0old technology,\u00a0to deliver payloads to their\u00a0victims. They were mainly using workbook streams\u00a0via the\u00a0XLSX file format.\u00a0In these\u00a0streams,\u00a0adversaries were able to enter code straight into\u00a0cells\u00a0(that\u2019s why they were called macro-formulas).\u00a0<\/span>Excel 4.0 also used API level functions like downloading a file, creation of files,\u00a0invocation of other processes like PowerShell,\u00a0cmd, etc.\u00a0<\/span>\u00a0<\/span><\/p>\n With the evolution of technology,\u00a0AV vendors started to detect these\u00a0malicious\u00a0Excel documents\u00a0effectively\u00a0and\u00a0so to have more obfuscation and evasion routines attackers began to shift to\u00a0the\u00a0XLSM file format. In the first\u00a0half\u00a0of 2021,\u00a0we have seen a surge of XLSM malware delivering different family payloads (as shown in below infection chart). In XLSM adversaries make use of\u00a0Macrosheets\u00a0to enter their malicious code directly into the cell formulas. XLSM structure is\u00a0the\u00a0same as XLSX,\u00a0but XLSM files support VBA macros which\u00a0are\u00a0more advanced technology of Excel 4.0 macros. Using these\u00a0macrosheets,\u00a0attackers were able to access powerful windows functionalities and since this technique is new and highly obfuscated it\u00a0can\u00a0evade many AV detections.<\/span>\u00a0<\/span><\/p>\n Excel 4.0 and XLSM\u00a0are both known to download other malware payloads\u00a0<\/span>like\u00a0ZLoader,\u00a0Trickbot,\u00a0Qakbot,\u00a0Ursnif,\u00a0IcedID,\u00a0etc.<\/span>\u00a0<\/span><\/p>\n The above figure shows\u00a0the\u00a0Number of samples\u00a0weekly\u00a0detected by\u00a0the\u00a0detected name\u00a0<\/span>\u201cDownloader-FCEI\u201d<\/span><\/i>\u00a0which specifically targets XLSM\u00a0macrosheet\u00a0based malware.<\/span>\u00a0<\/span><\/p>\n XLSM Structure<\/span><\/b>\u00a0<\/span><\/p>\n XLSM files are spreadsheet files\u00a0that\u00a0support macros. A macro is a set of instructions\u00a0that\u00a0performs a record of steps repeatedly. XLSM files are based upon Open XLM formats that were introduced in Microsoft Office 2007. These file types are like XLSX but in addition,\u00a0they support macros.<\/span>\u00a0<\/span><\/p>\n Talking about the XLSM structure when we unzip the\u00a0file,\u00a0we\u00a0see four basic contents of the file, these are shown\u00a0below.<\/span>\u00a0<\/span><\/p>\n We will focus more on\u00a0the\u00a0\u201cxl\u201d\u00a0folder contents.\u00a0This folder contains all the excel file main contents like\u00a0all the worksheets, media files, styles.xml file, sharedStrings.xml file, workbook.xml\u00a0file,\u00a0etc. All these files and folders have\u00a0data related to different aspects of\u00a0the\u00a0excel file. But for XLSM files we will focus on one unique folder called\u00a0macrosheets.<\/span>\u00a0<\/span><\/p>\n These XLSM files contain\u00a0macrosheets\u00a0as shown in figure-2\u00a0which are nothing but\u00a0XML\u00a0sheet files\u00a0that\u00a0can support macros. These sheets are not available in other Excel file formats.\u00a0In\u00a0the\u00a0past\u00a0few\u00a0months,\u00a0we have seen a huge surge in XLSM file-type malware in which attackers store malicious strings hidden within these\u00a0macrosheets. We will see more details about such malware in this blog.<\/span>\u00a0<\/span><\/p>\n To explain further how attackers use<\/span>s<\/span>\u00a0XLSM files we have taken a\u00a0<\/span>Qakbot<\/span>\u00a0sample with SHA 91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e.<\/span><\/span>\u00a0<\/span><\/p>\n The infection chain for both Excel 4.0\u00a0Qakbot\u00a0and XLSM\u00a0Qakbot\u00a0is similar. They both downloads\u00a0dll\u00a0and execute it using rundll32.exe with\u00a0DllResgisterServer\u00a0as the export function.<\/span>\u00a0<\/span><\/p>\n On opening the XLSM file there is an image\u00a0that\u00a0prompts\u00a0the\u00a0user to enable the content. To look\u00a0legitimate\u00a0and clean malicious actors use a very\u00a0official-looking template as shown below.<\/span><\/p>\n On digging\u00a0<\/span>deeper,<\/span>\u00a0we see its internal workbook.xml file.<\/span><\/span>\u00a0<\/span><\/span><\/p>\n Now as we can see in the workbook.xml file\u00a0(Figure-5), there\u00a0is\u00a0a\u00a0total\u00a0of\u00a06 sheets and\u00a0their\u00a0state is hidden.\u00a0Also,\u00a0two cells\u00a0have\u00a0a\u00a0predefined name and one of them is\u00a0<\/span>Sheet2323!$A$1\u00a0<\/span><\/b>defined as\u00a0<\/span>\u201c_xlnm.Auto_Open\u201d<\/span><\/b>\u00a0which is\u00a0similar to\u00a0Sub\u00a0Auto_Open() as we generally see in macro files. It automatically runs the macros when\u00a0the\u00a0user clicks on Enable Content.\u00a0<\/span>\u00a0<\/span><\/p>\n As we saw in Figure-3\u00a0on opening the file, we only see the enable content image. Since the state of sheets was\u00a0hidden, we can right-click on the main sheet tab and we will see unhide option there, then we can select each sheet to unhide it. On hiding the sheet and change the font color to red we saw some random strings\u00a0as seen in\u00a0figure 6.<\/span>\u00a0<\/span><\/p>\n These<\/span>\u00a0hidden sheets contain malicious strings in\u00a0<\/span>an<\/span>\u00a0obfuscated manner. So, on\u00a0<\/span>analy<\/span>zing<\/span>\u00a0more we observed that sheets inside\u00a0<\/span>the\u00a0<\/span>macrosheets<\/span>\u00a0folder contain these malicious strings.<\/span><\/span>\u00a0<\/span><\/p>\n Now as we can\u00a0in figure-7\u00a0different tags are used in this\u00a0XML\u00a0sheet file. All the malicious strings are present in two tags <f> and <v> tags inside <sheetdata> tags. Now let\u2019s look more in detail about these tags.<\/span>\u00a0<\/span><\/p>\n <v> (Cell Value) tags are used to store values inside the cell. <f> (Cell Formula) tags are used to store formulas inside the cell. Now in the above sheet <v> tags contain the cached formula value based on the last time formula was calculated. Formula cells contain formulas like \u201cGOTO(Sheet2!H13)\u201d, now as we can see here attackers can store different formulas while referencing cells from different sheets. These operations are done to produce more and more obfuscated sheets and\u00a0evade\u00a0AV signatures.<\/span>\u00a0<\/span><\/p>\n When\u00a0the user clicks\u00a0on the enable content button the execution starts from\u00a0the\u00a0Auto_Open\u00a0cell, after which each sheet formula will start to execute one by one. The final\u00a0deobfuscated\u00a0string is\u00a0shown below.<\/span>\u00a0<\/span><\/p>\n Here\u00a0the\u00a0<\/span>URLDownloadToFIleA<\/span><\/a>\u00a0API\u00a0is used to download the payload and the string \u201cJJCCBB\u201d is used to specify data types to call\u00a0<\/span>the<\/span><\/a>\u00a0API.\u00a0There are multiple URI\u2019s and from one of them,\u00a0the\u00a0DLL payload gets downloaded and saved as ..\\\\lertio.cersw. This DLL payload is then executed using rundll32. All these malicious activities\u00a0get\u00a0carried out using various excel based formulas like REGISTER, EXEC, etc.<\/span>\u00a0<\/span><\/p>\n McAfee\u2019s Endpoint products detect this variant of malware\u00a0as\u00a0below:<\/span>\u00a0<\/span><\/p>\n The main malicious document with SHA256 (<\/span>91a1ba70132139c99efd73ca21c4721927a213bcd529c87e908a9fdd71570f1e<\/span>) is detected as \u201c<\/span>Downloader-FCEI<\/span><\/b>\u201d\u00a0with current DAT files.<\/span>\u00a0<\/span><\/p>\n Additionally, with the help of McAfee\u2019s Expert rule feature, customers can\u00a0add a custom behavior\u00a0rule,\u00a0specific to this infection pattern.<\/span>\u00a0<\/span><\/p>\n Rule {<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0 Process {<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Include OBJECT_NAME { -v “EXCEL.exe” }<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0 }<\/span><\/i>\u00a0<\/span><\/p>\n Target {<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Match PROCESS {<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Include OBJECT_NAME { -v “rundll32.exe” }<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Include PROCESS_CMD_LINE { -v “* ..\\\\*.*,DllRegisterServer” }<\/span><\/i> \u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0Include -access “CREATE”<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0}<\/span><\/i>\u00a0<\/span><\/p>\n \u00a0\u00a0}<\/span><\/i>\u00a0<\/span><\/p>\n }<\/span><\/i>\u00a0<\/span><\/p>\n McAfee advises all users to avoid opening any email attachments or clicking any links present in the mail without verifying the identity of the sender. Always disable the Macro execution for Office files. We advise everyone to read our blog on these types of malicious XLSM files and\u00a0their\u00a0obfuscation techniques to understand more about the threat.<\/span>\u00a0<\/span><\/p>\n Different techniques & tactics are used by the malware to\u00a0propagate,\u00a0and we mapped these with the MITRE ATT&CK platform.<\/span>\u00a0<\/span><\/p>\n XLSM malware has\u00a0been seen delivering many\u00a0malware\u00a0families.\u00a0Many major families like\u00a0Trickbot,\u00a0Gozi,\u00a0IcedID,\u00a0Qakbot\u00a0are using these XLSM\u00a0macrosheets\u00a0in high quantity to deliver their payloads.\u00a0These attacks are still evolving and keep on using various obfuscated strings to exploit various windows utilities\u00a0like rundll32, regsvr32, PowerShell, etc.<\/span>\u00a0<\/span><\/p>\n Due to security concerns, macros are disabled by default in Microsoft Office applications. We suggest it is\u00a0only\u00a0safe to enable them when the document received is from a trusted source\u00a0and macros serve an expected purpose.<\/span>\u00a0<\/span><\/p>\n","protected":false},"excerpt":{"rendered":" Written by: Lakshya Mathur Excel-based malware has been around\u00a0for decades\u00a0and\u00a0has been\u00a0in\u00a0the\u00a0limelight in recent years.\u00a0During the second half of 2020,\u00a0we saw…<\/p>\n","protected":false},"author":695,"featured_media":125690,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[180],"coauthors":[4136],"class_list":["post-125621","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs","tag-malware"],"acf":[],"yoast_head":"\nD<\/span>etailed<\/span> Technical Analysis<\/span>\u00a0<\/span><\/h2>\n
\n
Infection Chain<\/span><\/span><\/h3>\n
XLSM Threat Analysis<\/span><\/b>\u00a0<\/span><\/h2>\n
Coverage and prevention guidance:<\/span><\/b>\u00a0<\/span><\/h2>\n
\n
Conclusion<\/span><\/b>\u00a0<\/span><\/h2>\n