New wave of malicious XLS files spreading Zloader
The SonicWall Capture Labs Threat Research Team has observed a new wave of malicious Excel files distributing Zloader. Since the start of 2020, we have observed malware campaigns abusing the Excel 4.0 macro feature of Microsoft Excel, which we have covered in our previous blog posts. Thus far, the malicious Excel files used to spread Zloader have shared the following characteristics:
- Two sheets: some files had one visible sheet and one hidden sheet, while in others both sheets were visible;
- The Auto_Open name was not visible in the Name Manager dialog box; and
- The Excel built-in functions CHAR or MID were used to operate on cell data, which was then joined with the concatenation operator '&' to construct further instructions.
Transformations observed in this new wave of MS-Excel files:
- The workbook has more than two sheets, with one visible worksheet; the remaining sheets, including a macro sheet, are hidden;
- Auto_Open is visible in the Name Manager dialog box; and
- Data is simply retrieved from cells and joined using a concatenation operator to construct further instructions.
This re-modelling gives the file a more legitimate appearance.
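The two sets of characteristics above can be turned into a triage heuristic for an analyst's workbook-metadata dump. The following is an added example (not SonicWall's code or tooling): it operates on a hypothetical, constructed in-memory view of a workbook (sheet names, type, visibility, formulas and defined names) rather than parsing a real file, and reports which of the old-wave and new-wave indicators match.

```python
"""Heuristic triage of workbook metadata against the Zloader XLS indicators
described above. The Workbook/Sheet model and sample data are constructed
for this example; a real tool would fill them from a BIFF/OOXML parser."""
import re
from dataclasses import dataclass, field


@dataclass
class Sheet:
    name: str
    kind: str                  # "worksheet" or "macro" (Excel 4.0 macro sheet)
    hidden: bool
    formulas: list = field(default_factory=list)  # formula strings in cells


@dataclass
class Workbook:
    sheets: list
    defined_names: dict        # name -> True if visible in Name Manager


# A cell reference such as A1, $B$12 or Sheet2!C3, joined only with '&'.
_REF = r"(?:[A-Za-z0-9_]+!)?\$?[A-Z]{1,3}\$?\d+"
_CONCAT_REFS = re.compile(rf"^={_REF}(?:&{_REF})+$")
_CHAR_MID = re.compile(r"\b(CHAR|MID)\(", re.IGNORECASE)


def triage(wb: Workbook) -> list:
    """Return the indicator names (in fixed order) that match the workbook."""
    hits = []
    macro_sheets = [s for s in wb.sheets if s.kind == "macro"]
    if any(s.hidden for s in macro_sheets):
        hits.append("hidden_macro_sheet")           # new wave: macro sheet hidden
    if len(wb.sheets) > 2 and sum(not s.hidden for s in wb.sheets) == 1:
        hits.append("single_visible_of_many")       # new wave: >2 sheets, one visible
    if "Auto_Open" in wb.defined_names:             # both waves define Auto_Open
        visible = wb.defined_names["Auto_Open"]
        hits.append("auto_open_visible" if visible else "auto_open_hidden")
    formulas = [f.replace(" ", "") for s in macro_sheets for f in s.formulas]
    if any(_CHAR_MID.search(f) and "&" in f for f in formulas):
        hits.append("char_mid_concat")              # old wave: CHAR/MID joined by &
    if any(_CONCAT_REFS.match(f) for f in formulas):
        hits.append("plain_cell_concat")            # new wave: bare cells joined by &
    return hits


# Constructed sample modelled on the new-wave description (not a real file).
NEW_WAVE = Workbook(
    sheets=[Sheet("Sheet1", "worksheet", hidden=False),
            Sheet("Sheet2", "worksheet", hidden=True),
            Sheet("Macro1", "macro", hidden=True, formulas=["=A1&A2&A3&A4", "=B5&B6"])],
    defined_names={"Auto_Open": True},
)

if __name__ == "__main__":
    print(triage(NEW_WAVE))
```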
These files were created on either 3rd or 4th June 2020, which indicates both the freshness of the samples and the effectiveness of RTDMI detection.
Indicators Of Compromise: SHA256 of Malicious MS-Excel files:
SHA256 of payload: