ZLoader Malware Hidden in Encrypted Excel File
Researchers Describe Sophisticated Phishing Campaign
A new phishing campaign distributes ZLoader malware through a delivery chain that shows a sophisticated understanding of Microsoft Office document formats, the security firm Forcepoint X-Labs reports.
The phishing emails use an invoicing lure, but the message varies, perhaps dealing with a bill already processed or describing new taxation rules from the Internal Revenue Service, the researchers say.
If the phishing victims enable macros in a Microsoft Word attachment, they trigger the download of an encrypted Excel sheet in which the final malware payload is hidden, Forcepoint X-Labs researchers say in their new report.
ZLoader is a Zeus-based multipurpose Trojan that often acts as a dropper, delivering later-stage payloads in multistage ransomware attacks such as Ryuk and Egregor, the report notes.
The phishing campaign using the new distribution chain first started to appear in early February. The report's authors, researchers Robert Neumann and Kurt Natvig, tell Information Security Media Group that they saw about 10,000 phishing emails in February organized into what seem like weekly campaigns each lasting for two to three days.
The report describes the malicious attachment in these emails as a Microsoft Word document in MHTML format with a randomly generated filename. MHTML (MIME HTML) is a web page archive format: a single MIME multipart file that bundles HTML and its related resources. Word opens such files as documents, so the attachment behaves like an ordinary .doc even though it is neither an OLE nor a DOCX container.
"There is no visible difference using this format over the more typical OLE (object linking and embedding) or DOCX, but it has been popular among cybercriminals for years due to the technical challenges it might pose to security products," the Forcepoint X-Labs researchers say.
Macros are disabled when the Word attachment opens, as is Office's default. If the victim enables them, the document's VBA (Visual Basic for Applications) project drives Excel to download a spreadsheet from the specified command-and-control server and decrypt it, the report notes.
The downloaded spreadsheet contains no macros. One sample had five sheets, some holding strings and Excel functions scattered across seemingly random cells, and a large blob of encoded data in the fourth sheet, the researchers say.
"Anybody with previous experience working with encoded content will easily see that base64 encoding is used," the report notes. "The base64 is the final payload, which decodes and executes the payload by a function in the malicious Excel spreadsheet."
Using the macro in one document to fetch a password-protected, encrypted Excel sheet means the Excel file is largely invisible to on-access scanners on the endpoint, and no further user interaction is needed beyond enabling macros in the first document, Forcepoint X-Labs researchers note.
"The downloaded Excel file acts more as protected storage, containing strings and data necessary for successful execution, as well as the encoded payload," the researchers note. "Neither the MHTML document nor the Excel spreadsheet can work on its own, and the content of the latter is hidden from prying eyes."
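Two of the chain's properties lend themselves to cheap triage checks: an attachment that claims to be a Word document but is really an MHTML archive, and a spreadsheet whose cells hold a large base64 blob rather than a macro. The script below is an added example, not Forcepoint's tooling and not code from the campaign; it identifies the container type of an attachment from its leading bytes and pulls decodable base64 runs out of a cell-by-cell text dump of a workbook, classifying what each run decodes to. The MHTML header, the sheet dump and the payload bytes are constructed inline for the demonstration, and the function names are my own.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed sample: the opening of a "Word document" that is really an MHTML
# (MIME HTML) archive. The markers checked are the standard MIME headers, not
# anything specific to this campaign.
SAMPLE_MHTML_DOC = b"""MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_01D"

------=_NextPart_01D
Content-Location: file:///C:/invoice.htm
Content-Type: text/html; charset="us-ascii"

<html><body>Invoice attached</body></html>
------=_NextPart_01D--
"""

# Constructed stand-in for a decoded payload: a PE header stub padded with
# arbitrary bytes. It is not executable and not from any real sample.
FAKE_PAYLOAD = (b"MZ\x90\x00" + b"\x00" * 60
                + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)))

# Constructed stand-in for a workbook dumped as "<cell>\t<content>" lines: a few
# scattered strings and formulas, and one oversized base64 cell.
SAMPLE_SHEET_DUMP = (
    b"A1\t=CHAR(77)&CHAR(90)\n"
    b"C7\tCreateObject\n"
    b"B12\t" + base64.b64encode(FAKE_PAYLOAD) + b"\n"
    b"D3\t=CONCATENATE(A1,C7)\n"
)


def is_mhtml_document(data: bytes) -> bool:
    """True if the file begins like a MIME multipart archive rather than an Office container."""
    head = data[:4096].lstrip()
    return head.startswith(b"MIME-Version:") or b"Content-Type: multipart/related" in head


def container_type(data: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring the file extension.

    A password-protected workbook is still an OLE compound file (the encrypted
    package lives inside it), so "ole" identifies the container, not whether
    the content is readable.
    """
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "ole"      # legacy .doc/.xls, also the wrapper for encrypted Office files
    if data.startswith(b"PK\x03\x04"):
        return "ooxml"    # .docx/.xlsx zip container
    if is_mhtml_document(data):
        return "mhtml"
    return "unknown"


# A run of at least 64 base64 alphabet characters with optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def extract_base64_blobs(text: bytes, min_decoded_len: int = 32) -> List[bytes]:
    """Return every run that decodes as valid base64 to at least min_decoded_len bytes."""
    blobs = []
    for match in B64_RUN.finditer(text):
        chunk = match.group(0)
        if b"=" not in chunk:
            # Unpadded run: drop the trailing partial group so strict decoding succeeds.
            chunk = chunk[: len(chunk) - len(chunk) % 4]
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except (binascii.Error, ValueError):
            continue
        if len(decoded) >= min_decoded_len:
            blobs.append(decoded)
    return blobs


def classify_blob(blob: bytes) -> str:
    """Label a decoded blob by its magic bytes, falling back to a text/binary guess."""
    if not blob:
        return "empty"
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"\xd0\xcf\x11\xe0"):
        return "ole"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"MIME-Version"):
        return "mhtml"
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in blob)
    return "text" if printable / len(blob) > 0.95 else "binary"


def triage_sheet_dump(text: bytes) -> List[Tuple[str, int]]:
    """(kind, decoded length) for each base64 blob found in a workbook dump."""
    return [(classify_blob(b), len(b)) for b in extract_base64_blobs(text)]


if __name__ == "__main__":
    print("attachment container:", container_type(SAMPLE_MHTML_DOC))
    print("blobs in sheet dump:", triage_sheet_dump(SAMPLE_SHEET_DUMP))
```

The same extractor applies to the MHTML side of the chain: Word's MHTML output carries its binary parts as base64-encoded MIME sections, so running it over the attachment itself surfaces the embedded OLE or zip parts that a scanner keyed on the .doc extension would not look at. A hit of kind "pe" in spreadsheet cells is not proof of this campaign, but a workbook with no macros and a decodable executable in a cell has no benign explanation worth waiting on.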
Martin Jartelius, chief security officer at security firm Outpost24, says: "This malware is mainly advanced in the means of evasion of analysis due to its multistage nature, but it is still dependent on the same basic errors in user and organization security."
Tax and Invoicing Lures Still Work
Tim Helming, security evangelist at security firm DomainTools, adds: "Invoicing scams are effective because the recipient is likely to be receptive to anything that has to do with taxes and unpaid bills. Organizations should focus on prevention by investing in employee training. As the pieces of malicious software become harder to detect and able to cause more havoc, the case for anticipating attackers and strengthening the human factor in security is an even more compelling one."
In January, the IRS published a notification to tax professionals describing a phishing campaign that spoofs the agency, with fraudsters attempting to steal Electronic Filing Identification Numbers.