VelvetSweatshop Revival with Excel4 Macro Malware Delivers Gozi/Ursnif Amidst Covid-19 Chaos

by Maharlito Aquino and Carlo Panganiban

In the past month, we have been seeing a surge in Excel malware using Excel4 Macros (XLM) in hidden worksheets. Just a few weeks ago, malicious actors started reviving an age-old technique to further hide the malicious XLM code by leveraging the VelvetSweatshop secret password in Excel workbooks.

Excel4 Macro Analysis

The email attachments are encrypted Excel workbooks, which contain Excel4 (XLM) Formula macros found in hidden sheets. About 8 years ago, a default secret password used in Excel worksheets was exploited by malicious actors to deliver malware, and today this same secret password is being taking advantage of to thwart scan engines from easily detecting malicious Excel workbooks using Excel4 macros.

This can be checked by using msoffcrypto-tool to see if an Office document is encrypted and try to decrypt using the default secret password “VelvetSweatshop”.

Figure 1.0 Checking XLS sample with msoffcrypto-tool

Opening the decrypted Excel workbook, you may be able to unhide the hidden worksheets by right-clicking on the sheet tab and selecting “Unhide”. You may opt to unhide all the hidden sheets by simply selecting the sheet name from the dialog box and clicking on OK.

Figure 2.0 Unhiding hidden sheets in Excel

Once you have unhidden the hidden sheets, click on the label drop-down to check for any presence of auto-executable Excel4 Macros. In this case, the Excel4 Macro automatically run when the workbook is opened by using the built-in name “Auto_Open”.

Figure 3.0 Auto-executable cell

Looking at the code in Excel is quite intimidating and following it manually will also be time consuming. So to quickly analyze the Excel4 macro code, we run our modified version of olevba to dump the Excel4 macro code to file and run our own XLM parser to see what the code does.

Figure 4.0 Running modified olevba tool on sample

Figure 4.1 Running xlm_parse on extracted XLM code from olevba

With this we can now see that the code simply attempts to download a file from hxxps://www[.]remsoft[.]it/conrol/pack.php, save it to C:\ProgramData\vKrJuyZ.exe and execute it via ShellExecute.

Final Payload

The final payload is a variant of the Gozi malware family, which monitors network traffic and may attempt to steal login credentials from browsers or mail applications.

This variant also makes use of WMI Query Language to gather data about the system it is running on, which is then added to the info it sends out to its server.

Figure 5.0 Gozi WMI Query

Figure 5.1 Collected system information

Figure 5.2 Gozi ISFB RM3 Config

Indicators of Compromise

Email Subject: Important information about CoVid-19 -  1208302495 /  1208302495

Email SHA256: 782FE75B25105E479F05A248BA03F6B2B7BCBE3EF42588B88FC7335FDE2AFA9A

Attachment: dmitry.nosickow-1208302495-.xls

Attachment SHA256: 3a9bf49d9fd37eafc03241183b906b7c326e6bb996a747c788d2593f431a322b

Attachment Detection: XLS/EncBook.B.gen!Camelot

Payload URL: hxxps://ambrella[.]it/licenza/bhostwindpackage.php

Payload SHA256: 1cffc61225af1735b653923723d82a40b68668450a7fbf843fcd9c057aca3aec

Payload Executable Path: C:\ProgramData\nCjBmqQ.exe

Payload Detection: W32/Agent.BRU.gen!Eldorado

Email Subject: statement -  ! 655079-655079

Email SHA256: 1edf92cca219c97029ae997f91ef8febdc2df807f887df68942af1517459429d

Attachment: mcerullo655079.xls

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Attachment Detection: XLS/EncBook.A.gen!Camelot

Attachment SHA256: de568458357e128c3fc523781cd417d505a9b2c9df82604d91eea4f623750cea

Payload URL: hxxps://istitutobpascalweb[.]it/mynotescom/renoovohostinglilnuxadvanced.php

Payload SHA256: df11bd82dc0f4b9f5b3e15ad6e1bc575db769066f7797eb7872859c9013a74db

Payload Executable Path: C:\RPJbYuR\pvrDGVq\rCLGjyS.exe

Payload Detection: W32/Agent.BRK.gen!Eldorado

Email Subject: [WARNING :  MESSAGE ENCRYPTED]Co-Vid Important information-  462588175 /  462588175

Email SHA256: 1AE77BED5F3E42A7C2E087A68C19EBBDCEB46339564B937F6E40AA9BF39E641D

Attachment: keiran-462588175.xls

Attachment Detection: XLS/EncBook.B.gen!Camelot

Attachment SHA256: e35f99ba6352f36294435ae2216de027ba83fbcd678d8c4d6fb17fff8ffd205d

Payload URL: hxxps://www[.]remsoft[.]it/conrol/pack.php

Payload SHA256: 0f28ce7cab6badbfca27ce8907ef0c34b9d15a4e5c7034318097db815a534715

Payload Executable Path: C:\ProgramData\vKrJuyZ.exe

Payload Detection: W32/Kryptik.ARD

References

Go back