Improvements in malicious Excel files distributing Zloader
The SonicWall Capture Labs threat research team has been observing improvements in the MS Excel documents used to distribute ZLoader. The enhancements add techniques to evade detection by conventional signature-based anti-malware engines and to hinder debugging and analysis in a sandbox.
In earlier campaigns, victims were instructed to enable macros through text in plain ASCII or in an image file, as shown in Fig1, which made the documents easy to detect. To evade that detection, the threat actors now mix ASCII and Unicode characters. When the file is searched for the strings displayed in the instruction, nothing is found. Careful inspection of the SST (shared string table) records shows that the message is hidden by positioning look-alike Unicode characters among the ASCII ones. For example, the ‘O’ is represented by U+041E (the Cyrillic capital O) and the whitespace by U+00A0 (the no-break space), as shown in Fig2 and Fig3.
Use of Null Character in Label Names:
In MS Excel, one can assign a human-readable name (a label) to refer to a single cell or a range of cells. What is notable in these documents is the use of NULL characters in the label names, which makes the names invisible in the functions that refer to them.
In the example below, a label containing NULL characters is referenced by the FORMULA.FILL function.
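Both tricks described above (look-alike Unicode characters hiding the lure text in the SST records, and NULL characters embedded in defined names) defeat a plain string search but are easy to surface once the strings are normalised. The following scanner is an added example written for this page, not SonicWall tooling or code from the document; the SST strings and defined names it inspects are constructed to mimic the technique, and the confusables map is a small hand-picked subset (a production scanner would load the full Unicode confusables table).

```python
import re
import unicodedata

# Constructed samples modelled on the technique described above; these are not
# strings taken from the analysed Zloader document.
SAMPLE_SST_STRINGS = [
    "Pr\u041ETECTED D\u041ECUMENT",                # Latin O replaced by Cyrillic O (U+041E)
    "Please\u00A0click\u00A0Enable\u00A0Content",  # spaces replaced by U+00A0
    "Quarterly totals",                            # benign
]

# Constructed defined names; the first carries an embedded NUL and is hidden,
# mirroring the Auto_open label described above.
SAMPLE_DEFINED_NAMES = [
    {"name": "Auto_open\x00", "hidden": True},
    {"name": "TaxRate", "hidden": False},
]

# Small confusables map for the demonstration. A production scanner would load
# the full Unicode confusables table (confusables.txt) instead.
CONFUSABLES = {
    "\u0410": "A", "\u0430": "a",  # Cyrillic A/a
    "\u0415": "E", "\u0435": "e",  # Cyrillic IE
    "\u041E": "O", "\u043E": "o",  # Cyrillic O/o
    "\u0420": "P", "\u0440": "p",  # Cyrillic ER
    "\u0421": "C", "\u0441": "c",  # Cyrillic ES
    "\u00A0": " ",                 # no-break space
}

LURE_TEXT = re.compile(r"enable (content|macros?|editing)|protected document", re.I)
AUTO_RUN_NAME = re.compile(r"^auto_(open|close|activate|deactivate)$", re.I)


def normalize(text: str) -> str:
    """Fold look-alike characters to ASCII so hidden lure text becomes searchable."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    return unicodedata.normalize("NFKC", folded)


def scripts_in(text: str) -> set:
    """Scripts (LATIN, CYRILLIC, ...) used by the letters in a string."""
    scripts = set()
    for ch in text:
        if ch.isalpha():
            try:
                scripts.add(unicodedata.name(ch).split()[0])
            except ValueError:
                scripts.add("UNKNOWN")
    return scripts


def scan_strings(strings):
    """Flag SST strings whose lure text only appears after normalisation."""
    findings = []
    for s in strings:
        norm = normalize(s)
        reasons = []
        if LURE_TEXT.search(norm) and not LURE_TEXT.search(s):
            reasons.append("lure text hidden by look-alike characters")
        scripts = scripts_in(s)
        if len(scripts) > 1:
            reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
        if "\u00A0" in s:
            reasons.append("no-break space (U+00A0)")
        if reasons:
            findings.append({"original": s, "normalized": norm, "reasons": reasons})
    return findings


def scan_defined_names(names):
    """Flag defined names that embed control characters or are hidden auto-run names."""
    findings = []
    for entry in names:
        raw = entry["name"]
        visible = "".join(ch for ch in raw if ch.isprintable())  # what a viewer shows
        reasons = []
        if any(ord(ch) < 0x20 for ch in raw):
            reasons.append("control characters in name: " + ascii(raw))
        if AUTO_RUN_NAME.match(visible):
            reasons.append("auto-run name")
            if entry.get("hidden"):
                reasons.append("hidden")
        if reasons:
            findings.append({"name": visible, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_strings(SAMPLE_SST_STRINGS):
        print(ascii(f["original"]), "->", f["normalized"], "|", "; ".join(f["reasons"]))
    for f in scan_defined_names(SAMPLE_DEFINED_NAMES):
        print(f["name"], "|", "; ".join(f["reasons"]))
```

The key design point is to match lure phrases against the normalised string rather than the raw one, and to treat the gap between the two (lure text present only after folding) as the signal; a mixed-script string or an embedded NUL in a defined name is a second, independent indicator that does not depend on guessing the phrase.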
The analysed sample keeps the Auto_open label hidden. Upon execution, the macro builds further code at run time by concatenating characters, as shown below:
Deobfuscated code:
The GET.WORKSPACE(type_num) function returns information about the workspace, where “type_num” specifies the type of information requested. A “type_num” of 31 reports whether the currently running macro is in single-step mode, i.e. being stepped through in a debugger. If this call returns TRUE, the sample terminates execution.
Macros are usually enabled in a sandbox environment to allow unrestricted execution, which means the “VBAWarnings” value in the registry would be set to 1. To hinder easy execution and identification, the macro creates a VBS file that reads this value from the Windows registry. The possible values are:
- 1 = Enable macros
- 2 = Disable all with notification
- 3 = Disable all except digitally signed macros
- 4 = Disable all without notification
After the checks succeed, code specific to the “PROCESSOR_ARCHITECTURE” is executed. Interestingly, the HTTP request uses a different “User-Agent” string for each “PROCESSOR_ARCHITECTURE”.
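The three anti-analysis behaviours above (the GET.WORKSPACE(31) single-step check, the dropped script reading VBAWarnings, and the branch on processor architecture) are all visible in the deobfuscated formulas and the dropped file, so they can be turned into static triage indicators. The following is an added example for this page, not SonicWall code or the document's own macro: the formulas and the VBScript fragment are constructed to resemble the described checks (the registry path and the use of WScript.Shell RegRead and ExpandEnvironmentStrings are assumed, and the Office version in the path is a placeholder), and the scoring thresholds are the author's own choice.

```python
import re

# Constructed, deobfuscated XLM formulas modelled on the checks described above;
# they are not the formulas from the analysed document.
SAMPLE_FORMULAS = [
    "=IF(GET.WORKSPACE(31),CLOSE(FALSE),)",     # single-step check, then bail out
    '=FORMULA.FILL("=HALT()",R5C3)',            # formula written at run time
    "=SUM(R1C1:R9C1)",                          # benign
]

# Constructed VBScript fragment of the kind the macro drops. The exact shape
# is assumed; "16.0" stands in for whichever Office version key is present.
SAMPLE_VBS = r"""
Set sh = CreateObject("WScript.Shell")
v = sh.RegRead("HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings")
arch = sh.ExpandEnvironmentStrings("%PROCESSOR_ARCHITECTURE%")
"""

# Static indicators a triage rule can match; each corresponds to a behaviour
# the analysis above describes.
INDICATORS = [
    (re.compile(r"GET\.WORKSPACE\(\s*31\s*\)", re.I), "debugger check: GET.WORKSPACE(31) single-step mode"),
    (re.compile(r"FORMULA\.FILL\(", re.I), "formula generated at run time"),
    (re.compile(r"\bVBAWarnings\b", re.I), "reads macro security setting to fingerprint a sandbox"),
    (re.compile(r"\bRegRead\(", re.I), "registry read from dropped script"),
    (re.compile(r"PROCESSOR_ARCHITECTURE", re.I), "branches on processor architecture"),
]

# Meaning of the VBAWarnings value, as listed above.
VBA_WARNINGS = {
    1: "Enable macros",
    2: "Disable all with notification",
    3: "Disable all except digitally signed macros",
    4: "Disable all without notification",
}


def scan_text(text, source):
    """Run every indicator over one piece of text and record each match."""
    hits = []
    for pattern, description in INDICATORS:
        for m in pattern.finditer(text):
            hits.append({"source": source, "match": m.group(0), "description": description})
    return hits


def triage(formulas, dropped_script):
    """Collect anti-analysis indicators from the formulas and the dropped script."""
    hits = []
    for i, formula in enumerate(formulas):
        hits.extend(scan_text(formula, f"formula[{i}]"))
    hits.extend(scan_text(dropped_script, "dropped.vbs"))
    return hits


def sandbox_fingerprintable(vbawarnings_value):
    """True when the registry value alone tells the macro it is in an analysis
    environment: a value of 1 runs macros without any prompt, which is the
    setting the text above says sandboxes typically use."""
    return vbawarnings_value == 1


def describe_vbawarnings(value):
    return VBA_WARNINGS.get(value, "unknown value")


def verdict(hits):
    """Author's own scoring: a debugger check combined with a sandbox
    fingerprint is a strong sign of an evasive document."""
    kinds = {h["description"] for h in hits}
    evasive = any("debugger" in k for k in kinds) and any("fingerprint" in k for k in kinds)
    return "evasive" if evasive else ("suspicious" if hits else "clean")


if __name__ == "__main__":
    found = triage(SAMPLE_FORMULAS, SAMPLE_VBS)
    for h in found:
        print(f'{h["source"]:12} {h["match"]:22} {h["description"]}')
    print("verdict:", verdict(found))
    print("VBAWarnings=1 ->", describe_vbawarnings(1),
          "| fingerprintable:", sandbox_fingerprintable(1))
```

For analysts, the practical takeaway from `sandbox_fingerprintable` is that a sandbox which silently forces VBAWarnings to 1 advertises itself to any macro that bothers to read the value; the scan functions are deliberately kept separate from the verdict so the indicator list can be extended (for example with the per-architecture User-Agent strings once they are known) without touching the scoring.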
Indicators of Compromise:
SHA256 of malicious Excel Documents: