Invoice ZLoader campaign hides within encrypted Excel docs

Emails use fake new IRS taxation rules to lure victims

Security researchers have discovered a new, sophisticated infection chain technique of delivering malware via invoicing-themed spam campaigns.

According to cyber security firm Forcepoint, the campaigns have been running since February 2021, seemingly every week, with a two-three day campaign before moving to a new lure regarding IRS taxation rules. 

Researchers said that the campaign’s goal is to install ZLoader malware - a banking and data exfil trojan - but the malware’s obfuscation inside an encrypted Excel file means the cyber criminals may avoid detection.

The emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains only a few simple sentences. For example, claiming to outline new IRS taxation rules and asking recipients to review all attached information, according to researchers.

These emails’ common feature is a Microsoft Word attachment in MHTML format with a randomly generated filename. MHTML has an advantage in its compatibility with web-based technologies. 

There is no visible difference between using this format over the more typical OLE or DOCX. Still, it’s been popular amongst cyber criminals for years due to the technical challenges it might pose to security products, according to researchers.

While Microsoft Word is configured to have macros disabled, should a victim enable macros, it launches a VBA project that forces Excel to download and decrypt a spreadsheet from the specified C2 server.

Upon investigating this downloaded spreadsheet, researchers found there were no macros present. They found five sheets, some containing strings and Excel functions in seemingly random cells/order, and a large blob of encoded data in the fourth sheet.

“Anybody with previous experience working with encoded content will easily see that base64 encoding is used,” said researchers.

Researchers said the base64 data was the final payload. A function in the malicious Excel spreadsheet decodes and executes the “ThisWorkbook.gykvtla” payload.

Researchers said this campaign’s payload was ZLoader. This highly popular multi-purpose malware acts as a banking trojan and helps distribute ransomware families in the past, such as Ryuk and Egregor.

“How the operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen,” said researchers.

Researchers added this phishing campaign’s creators “are showcasing skills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.”

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

RATDispenser evades nine in ten anti-virus engines
Security

RATDispenser evades nine in ten anti-virus engines

24 Nov 2021
Hackers use Linux backdoor on compromised e-commerce sites with software skimmer
malware

Hackers use Linux backdoor on compromised e-commerce sites with software skimmer

19 Nov 2021
TikTok phishing campaign tried to scam over 125 influencer accounts
social media

TikTok phishing campaign tried to scam over 125 influencer accounts

18 Nov 2021
Out-of-hours ransomware attacks have a greater impact on revenue
ransomware

Out-of-hours ransomware attacks have a greater impact on revenue

18 Nov 2021

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
How to speed up Windows 11
Microsoft Windows

How to speed up Windows 11

7 Jan 2022
Solving cyber security's diversity problem
Careers & training

Solving cyber security's diversity problem

5 Jan 2022