Invoice ZLoader campaign hides within encrypted Excel docs

Malware in code
(Image credit: Shutterstock)

Security researchers have discovered a new, sophisticated infection chain technique of delivering malware via invoicing-themed spam campaigns.

According to cyber security firm Forcepoint, the campaigns have been running since February 2021, seemingly every week, with a two-three day campaign before moving to a new lure regarding IRS taxation rules.

Researchers said that the campaign’s goal is to install ZLoader malware - a banking and data exfil trojan - but the malware’s obfuscation inside an encrypted Excel file means the cyber criminals may avoid detection.

The emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains only a few simple sentences. For example, claiming to outline new IRS taxation rules and asking recipients to review all attached information, according to researchers.

These emails’ common feature is a Microsoft Word attachment in MHTML format with a randomly generated filename. MHTML has an advantage in its compatibility with web-based technologies.

There is no visible difference between using this format over the more typical OLE or DOCX. Still, it’s been popular amongst cyber criminals for years due to the technical challenges it might pose to security products, according to researchers.

While Microsoft Word is configured to have macros disabled, should a victim enable macros, it launches a VBA project that forces Excel to download and decrypt a spreadsheet from the specified C2 server.

Upon investigating this downloaded spreadsheet, researchers found there were no macros present. They found five sheets, some containing strings and Excel functions in seemingly random cells/order, and a large blob of encoded data in the fourth sheet.

“Anybody with previous experience working with encoded content will easily see that base64 encoding is used,” said researchers.

Researchers said the base64 data was the final payload. A function in the malicious Excel spreadsheet decodes and executes the “ThisWorkbook.gykvtla” payload.

Researchers said this campaign’s payload was ZLoader. This highly popular multi-purpose malware acts as a banking trojan and helps distribute ransomware families in the past, such as Ryuk and Egregor.

“How the operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen,” said researchers.

Researchers added this phishing campaign’s creators “are showcasing skills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.”

Rene Millman

Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives. You can follow Rene Millman on Twitter.