Malware Authors Create Malicious Excel Documents Using the .NET library to Bypass Security Checks

Security researchers from NVISO discovered malicious Excel files that deliver malware through VBA-activated spreadsheets. The campaign appears to be run by a single threat actor, based on the limited number of samples available.

The malware authors use a new technique that lets them create macro-laden Excel workbooks without using Microsoft Office.

Malicious Excel Documents

The first sample using this technique was observed on the 22nd of June 2020, and since then 200+ malicious files were found over a period of 2 months.

The countries mainly targeted include the United States, Czech Republic, France, Germany, and China.

OOXML is an Open Packaging Conventions (OPC) format that primarily consists of XML files and some binary files.

NVISO believes that this particular malicious Excel document creation method is likely to be observed more in the wild.

As soon as the user opens the malicious document, a second-stage payload is downloaded from various websites controlled by the malware authors.

All the malicious files have the VBA project protected with a password, but the password is needed only to open the VBA project. No password is required for malware execution: if the user opens the document, the VBA code gets executed.

The attackers use corporate email accounts to start the spam campaign; it is not known how they gained control over these accounts.

“Looking at both sender and recipient, there doesn't seem to be a pattern we can deduce to identify possible new targets. There does not seem to be a specific sector targeted nor are the sending out domains associated with each other.”

“When a VBA project is produced with EPPlus, it does not consist of compiled VBA code. EPPlus has no techniques to develop compiled code: the algorithms to produce compiled VBA code are exclusive to Microsoft,” reads the NVISO article.

According to NVISO's analysis, the malicious files were created using the EPPlus software in the Office Open XML (OOXML) format.
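A triage check that follows from the OPC layout described above, written as an added example (not NVISO's or EPPlus's code): it reads a package's `[Content_Types].xml`, finds any part declared as a VBA project, and confirms the part starts with the OLE compound-file signature. The sample packages are constructed in memory with placeholder bytes, the function names are this example's own, and the check flags macro-bearing workbooks in general, not EPPlus output specifically.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_CT = "application/vnd.ms-office.vbaProject"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file signature


def find_vba_parts(package_bytes):
    """Return [(part_name, starts_with_ole_magic)] for each VBA project part."""
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        types = ET.fromstring(pkg.read("[Content_Types].xml"))
        # An Override names one part; a Default maps a file extension.
        overrides = {o.get("PartName", "").lstrip("/").lower(): o.get("ContentType")
                     for o in types.iter(CT_NS + "Override")}
        defaults = {d.get("Extension", "").lower(): d.get("ContentType")
                    for d in types.iter(CT_NS + "Default")}
        hits = []
        for name in pkg.namelist():
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            # Override takes precedence over the extension default.
            ctype = overrides.get(name.lower(), defaults.get(ext))
            if ctype == VBA_CT:
                with pkg.open(name) as part:
                    hits.append((name, part.read(8) == OLE_MAGIC))
        return hits


def build_sample(with_macro):
    """Constructed stand-in package: placeholder parts, no real macro code."""
    ct = ['<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
          '<Default Extension="xml" ContentType="application/xml"/>']
    if with_macro:
        ct.append('<Default Extension="bin" ContentType="%s"/>' % VBA_CT)
    ct.append("</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "".join(ct))
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro-enabled", True), ("plain", False)):
        print(label, find_vba_parts(build_sample(flag)))
```

A part declared as a VBA project that does not start with the OLE signature is itself worth a closer look, since the declaration and the content disagree.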

The second-stage payload acts as a dropper for the final payload; antivirus engines detect the malware as “AgentTesla”.
