Excel with misleading macrosheet name spreading Zloader
SonicWall Capture Labs Threats Research team has been observing modifications in the techniques being used to distribute ZLoader using MS-Excel file. It all began around Jan 2020, when the first campaign was seen using XLM macro instead of the commonly used VBA macro. Since then, we have observed significant improvements like addition of evasion and sandbox bypassing techniques through XLM macro as already described in our previous blog.
This variant uses OOXML format based MS-Excel file. In the OOXML format based MS-Excel file, usually the XLM macro sheets are stored inside "macrosheets" folder. The sheets are named either "Sheet<digit>.xml" or "intlsheet<digit>.xml". This variant uses a completely different folder and file name to store macro sheet. The macro sheet and folder are named "foto.png" and "bioxr" respectively, as shown in the below image:
Engines looking for macro sheets specifically inside "macrosheets" folder might fail to identify these files as XLM based Macro files. After careful inspection of the "workbook.xml.rels" file, we found that both the folder and the file name for the macro sheet are misleading as shown below:
Upon opening the file, the user is displayed instructions to enable macro as shown below:
The sample contains two sheets, one is a hidden macro sheet. It has a defined name "Aut0_Open", which enables macro execution as soon as the file is opened. Font size in the sheet is kept small ( "2") to inhibit reading of the content.
Upon execution of XLM macro, payload belonging to Zloader family is downloaded and saved as C:\<random>\<random>\ServApi.exe
SonicWall Capture ATP protects against this threat as shown below:
Indicators of Compromise:
SHA256 of malicious Excel Files:
- Domain registred on 25-Feb-2021