Invoice ZLoader campaign hides within encrypted Excel docs

Emails use fake new IRS taxation rules to lure victims

Malware in code

Security researchers have discovered a new, sophisticated infection chain technique of delivering malware via invoicing-themed spam campaigns.

According to cyber security firm Forcepoint, the campaigns have been running since February 2021, seemingly every week, with a two-three day campaign before moving to a new lure regarding IRS taxation rules. 

Researchers said that the campaign’s goal is to install ZLoader malware - a banking and data exfil trojan - but the malware’s obfuscation inside an encrypted Excel file means the cyber criminals may avoid detection.

The emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains only a few simple sentences. For example, claiming to outline new IRS taxation rules and asking recipients to review all attached information, according to researchers.

These emails’ common feature is a Microsoft Word attachment in MHTML format with a randomly generated filename. MHTML has an advantage in its compatibility with web-based technologies. 

There is no visible difference between using this format over the more typical OLE or DOCX. Still, it’s been popular amongst cyber criminals for years due to the technical challenges it might pose to security products, according to researchers.

While Microsoft Word is configured to have macros disabled, should a victim enable macros, it launches a VBA project that forces Excel to download and decrypt a spreadsheet from the specified C2 server.

Upon investigating this downloaded spreadsheet, researchers found there were no macros present. They found five sheets, some containing strings and Excel functions in seemingly random cells/order, and a large blob of encoded data in the fourth sheet.

“Anybody with previous experience working with encoded content will easily see that base64 encoding is used,” said researchers.

Researchers said the base64 data was the final payload. A function in the malicious Excel spreadsheet decodes and executes the “ThisWorkbook.gykvtla” payload.

Researchers said this campaign’s payload was ZLoader. This highly popular multi-purpose malware acts as a banking trojan and helps distribute ransomware families in the past, such as Ryuk and Egregor.

“How the operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen,” said researchers.

Researchers added this phishing campaign’s creators “are showcasing skills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.”

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020
phishing

eBay, Apple, Microsoft, Facebook, and Google were phishers’ top targets in 2020

20 Apr 2021
Biden looks to shore up the electrical grid’s cyber security
Security

Biden looks to shore up the electrical grid’s cyber security

15 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021