New wave of malicious XLS files spreading Zloader

June 5, 2020

The SonicWall Capture Labs Threat Research Team has observed a new wave of malicious Excel files distributing Zloader. From the onset of 2020, we have observed malware campaigns using the Macro 4 feature available in Microsoft Excel, which we have written about in our previous blog posts. Thus far, malicious Excel files used for spreading Zloader have contained  the following characteristics:

  • Two Sheets: Some of them had one visible sheet  and one other sheet hidden whereas in others both the sheets are visible
  • Auto_Open name is not visible in the Name Manager dialog box; and
  • Excel in-built functions CHAR or MID were used to operate upon cell data which were later joined using concatenation operator ‘&’ to construct further instructions

Fig-1: Excel file used earlier by Zloader

Transformations observed in this new wave of MS-Excel files :

  • Excel has more than 2 sheets with one visible worksheet and remaining sheets, including a macro sheet, are hidden
  • Auto_Open is visible in the name manager dialog box;
  • Data is simply retrieved from cells, joined using a concatenation operator to construct further instructions; and

This re-modelling gives the file a more legitimate appearance.

Fig-2: Excel with visible and hidden sheets

Fig-3: Auto_Open name visible in Name Manager dialog box

Fig-4: Plain cell data reading and concatenation

  These files were created either on 3rd or 4th June 2020 which indicates the freshness of samples and RTDMI detection effectiveness.  

Fig-5: RTDMI Detection

Indicators Of Compromise: SHA256 of Malicious MS-Excel files:

  • 41879c115ae2a85d0a136d62b6169e95756f0b9bd8f47e32238a4e2e26e0fc03
  • 5c264ad2647000a4e260ff5f60df04a2d9b24676dc7b4bc45e07e1b70c053b0c
  • cffef738b2ec86d56432f0a988cf4a8511bf813515edc91b2e1d6729d5f1cfef
  • 0c47d7fe4c8d6563fd4c616080703a974d04694658b23c2d36ecc03b03eeec32
  • b24019b7b02989bb5e02e5243d704d63bab71442613574a7d4a3a69a8b36541e
  • 9c1d837a523f86c8117be3a607f1910e248993e6e77c47bb86b17eec2503e627
  • 56a662fcfaa103edd1fc45ed24c7e974662136a95c2191e65f46702b4d98a7ea
  • 0e186d534befcd860e2618d4cf77af6180effe42b07cecde75164142e2090ff4
  • 2a0d637ff6bcdf1fd37905fb84926e7ef35190fc62e97f3305b1da65b9f15a8f
  • f83f7117ddab2be46f57000e3623a22f15f46da2c4878000bb8de87c9b2ebba9

Network Connectivity:

  • https://destgrena[.]at/3/tsk.dll

SHA256 of payload:

  • 444a977a2d0768f115fef0704a3f067d937823877a8202a4796425a58f49b6e0
  • 1526e62be6b34c6ea39220569f90e44cf04efccaa4b4ed75af8a4f669f10b2e9
  • 06a297b1c6b0b25ef3cc3ca6c77ad62e2ff5bd801c8cb9c081fbb4ea90d313fa
  • 363d8b43541e37ae9b25a5fd6b6eef5245fc667c449b3d37e45a3de15d60780b
  • 6c95e2eeeb98b0557a849e972ad26d2c77e7d9d8bfbd45ec680cfb6eb508667c
  • 8cbe7c61e8b1bd3d2187b9e7f10449dfcb4f20c309cf768433f164dc83149a1a
  • 327b41d9bcad614f2e62b3e838ae9a1237dc0bd3ed17c59e1290abf596e5f178
  • b22779f52daffae57465b8becfa4e19240304d6e835ffe4448fa4d5588a2e9cc
  • e27bcec6ccb48108abdf87328d0e260de1036df851af20317061da2419734d1f