Hackers weaponize Excel documents primarily due to their widespread use and the inherent vulnerabilities within the software.
With Microsoft blocking VBA macros by default, hackers have shifted to exploiting “.XLL” files as a means to deliver malware.
Fortinet researchers recently identified that hackers have been actively attacking Windows users with weaponized Excel documents to deliver Remcos RAT.
FortiGuard Labs discovered one of the complex phishing attacks in an effort when they received an email with a malicious Excel file masquerading as an order file.
If opened, that document makes use of the Microsoft Office Remote Code Execution vulnerability tracked by “CVE-2017-0199” that initiates the download of an “HTA” (HTML Application) file with a short url “hxxps://og1[.]in/2Rxzb3” which leads redirect to the link “hxxp://192[.]3[.]220[.]22/xampp/en/cookienetbookinetcahce.hta.”Mshta.exe which is a Windows application that executes HTA files through DCOM components, uses JavaScript, VBScript, Base64 encoding, URL encoding, and Power shell scripts to hide information under multiple layers of obfuscation.
Managed Detection and Response Buyer’s Guide – Free Download (PDF)
The process continues in a way that the HTA file is downloading an executable with the name “dllhost.exe” into %AppData% directory using the URLDownloadToFile() API.
Once executed, dllhost.exe extracts multiple files into %AppData%intercessionateFavourablies117sulfonylurea and initiates a 32-bit PowerShell process (C:WindowsSysWOW64WindowsPowerShellv1.0powershell.exe) that reads and executes heavily obfuscated code from “Aerognosy.Res” using Invoke-Expression (iEx).
The final payload includes Remcos, a commercial RAT that, although legitimately sold online with advanced remote control capabilities, is being abused by threat actors to harvest sensitive information and control victims’ computers.
The report reads that the malware achieves persistence by copying dllhost.exe to %temp% as “Vaccinerende.exe,” hiding the “PowerShell” process in the background, loading malicious code from “Valvulate.Cru”, and deploying it in memory via “VirtualAlloc()” and “CallWindowProcA()” APIs. Ultimately, the malware establishes full remote control over the compromised system.
The malware employs a multi-stage chain of attacks that begins with PowerShell exploitation.
The first phase implements advanced anti-analysis techniques, and they are:-
- Code that contains self-decrypting cells and is wrapped within useless instructions.
- Vectored exception handlers that can assist in controlling debug efforts.
- Dynamic API resolution through PEB access at fs:[30h].
- Various anti-debugging mechanisms (ThreadHideFromDebugger (0x11) checks and ProcessDebugPort monitoring)
Malware then uses process hollowing by creating an instance of the hollowed “Vaccinerende.exe” which was fetched from “dllhost.exe” and suspended with the “CREATE_SUSPENDED flag.”
It makes use of APIs such as “NtAllocateVirtualMemory” and “NtMapViewOfSection” among others.
In order to maintain the infection mode, a key is created into the Auto_Run registry entry located at “HKCUSoftwareMicrosoftWindowsCurrentVersionRun.”
The last part retrieves an encrypted Remcos RAT Variant 5.1.2 Pro from hxxp[:]//192[.]3[.]220[.]22/hFXELFSwRHRwqbE214.bin which is decoded and launched in RAM with the help of the operational functionality provided by the Bios function “NtCreateThreadEx.”
This modification of Remcos uses packets that are packed using Packet Magic (“0xFF0424”), contain the Command Data Size, command the C&C server operating at 107[.]173[.]4[.]16:2404 and have a Command ID for registration that includes 0x4K and several system files identified by the limited character x7Cx1Ex1Ex1Fx7C.
This allows to execution of remote spying and control functions like “Keylogger,” “Screenshot,” and “Process manipulation” via a “57-value configuration block,” which is located in the “SETTINGS.”
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!