New wave of malicious XLS files spreading Zloader

The SonicWall Capture Labs Threat Research Team has observed a new wave of malicious Excel files distributing Zloader.

From the onset of 2020, we have observed malware campaigns using the Macro 4 feature available in Microsoft Excel, which we have written about in our previous blog posts.

Thus far, malicious Excel files used for spreading Zloader have contained the following characteristics:

Two Sheets: Some of them had one visible sheet and one other sheet hidden whereas in others both the sheets are visible
Auto_Open name is not visible in the Name Manager dialog box; and
Excel in-built functions CHAR or MID were used to operate upon cell data which were later joined using concatenation operator '&' to construct further instructions

Fig-1: Excel file used earlier by Zloader

Transformations observed in this new wave of MS-Excel files :

Excel has more than 2 sheets with one visible worksheet and remaining sheets, including a macro sheet, are hidden
Auto_Open is visible in the name manager dialog box;
Data is simply retrieved from cells, joined using a concatenation operator to construct further instructions; and

This re-modelling gives the file a more legitimate appearance.

Fig-2: Excel with visible and hidden sheets

Fig-3: Auto_Open name visible in Name Manager dialog box

Fig-4: Plain cell data reading and concatenation

These files were created either on 3rd or 4th June 2020 which indicates the freshness of samples and RTDMI detection effectiveness.

Fig-5: RTDMI Detection

Indicators Of Compromise:

SHA256 of Malicious MS-Excel files:

41879c115ae2a85d0a136d62b6169e95756f0b9bd8f47e32238a4e2e26e0fc03
5c264ad2647000a4e260ff5f60df04a2d9b24676dc7b4bc45e07e1b70c053b0c
cffef738b2ec86d56432f0a988cf4a8511bf813515edc91b2e1d6729d5f1cfef
0c47d7fe4c8d6563fd4c616080703a974d04694658b23c2d36ecc03b03eeec32
b24019b7b02989bb5e02e5243d704d63bab71442613574a7d4a3a69a8b36541e
9c1d837a523f86c8117be3a607f1910e248993e6e77c47bb86b17eec2503e627
56a662fcfaa103edd1fc45ed24c7e974662136a95c2191e65f46702b4d98a7ea
0e186d534befcd860e2618d4cf77af6180effe42b07cecde75164142e2090ff4
2a0d637ff6bcdf1fd37905fb84926e7ef35190fc62e97f3305b1da65b9f15a8f
f83f7117ddab2be46f57000e3623a22f15f46da2c4878000bb8de87c9b2ebba9

Network Connectivity:

https://destgrena[.]at/3/tsk.dll

SHA256 of payload:

444a977a2d0768f115fef0704a3f067d937823877a8202a4796425a58f49b6e0
1526e62be6b34c6ea39220569f90e44cf04efccaa4b4ed75af8a4f669f10b2e9
06a297b1c6b0b25ef3cc3ca6c77ad62e2ff5bd801c8cb9c081fbb4ea90d313fa
363d8b43541e37ae9b25a5fd6b6eef5245fc667c449b3d37e45a3de15d60780b
6c95e2eeeb98b0557a849e972ad26d2c77e7d9d8bfbd45ec680cfb6eb508667c
8cbe7c61e8b1bd3d2187b9e7f10449dfcb4f20c309cf768433f164dc83149a1a
327b41d9bcad614f2e62b3e838ae9a1237dc0bd3ed17c59e1290abf596e5f178
b22779f52daffae57465b8becfa4e19240304d6e835ffe4448fa4d5588a2e9cc
e27bcec6ccb48108abdf87328d0e260de1036df851af20317061da2419734d1f

Share This Article

An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.