Invoice ZLoader campaign hides within encrypted Excel docs

Emails use fake new IRS taxation rules to lure victims

Malware in code

Security researchers have discovered a new, sophisticated infection chain technique of delivering malware via invoicing-themed spam campaigns.

According to cyber security firm Forcepoint, the campaigns have been running since February 2021, seemingly every week, with a two-three day campaign before moving to a new lure regarding IRS taxation rules. 

Researchers said that the campaign’s goal is to install ZLoader malware - a banking and data exfil trojan - but the malware’s obfuscation inside an encrypted Excel file means the cyber criminals may avoid detection.

The emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains only a few simple sentences. For example, claiming to outline new IRS taxation rules and asking recipients to review all attached information, according to researchers.

These emails’ common feature is a Microsoft Word attachment in MHTML format with a randomly generated filename. MHTML has an advantage in its compatibility with web-based technologies. 

There is no visible difference between using this format over the more typical OLE or DOCX. Still, it’s been popular amongst cyber criminals for years due to the technical challenges it might pose to security products, according to researchers.

While Microsoft Word is configured to have macros disabled, should a victim enable macros, it launches a VBA project that forces Excel to download and decrypt a spreadsheet from the specified C2 server.

Upon investigating this downloaded spreadsheet, researchers found there were no macros present. They found five sheets, some containing strings and Excel functions in seemingly random cells/order, and a large blob of encoded data in the fourth sheet.

“Anybody with previous experience working with encoded content will easily see that base64 encoding is used,” said researchers.

Researchers said the base64 data was the final payload. A function in the malicious Excel spreadsheet decodes and executes the “ThisWorkbook.gykvtla” payload.

Researchers said this campaign’s payload was ZLoader. This highly popular multi-purpose malware acts as a banking trojan and helps distribute ransomware families in the past, such as Ryuk and Egregor.

“How the operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen,” said researchers.

Researchers added this phishing campaign’s creators “are showcasing skills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.”

Featured Resources

Unlocking collaboration: Making software work better together

How to improve collaboration and agility with the right tech

Download now

Four steps to field service excellence

How to thrive in the experience economy

Download now

Six things a developer should know about Postgres

Why enterprises are choosing PostgreSQL

Download now

The path to CX excellence for B2B services

The four stages to thrive in the experience economy

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
PowerShell threats increased over 200% last year
cyber security

PowerShell threats increased over 200% last year

14 Apr 2021
New DNS vulnerabilities put millions of IoT devices at risk
Internet of Things (IoT)

New DNS vulnerabilities put millions of IoT devices at risk

13 Apr 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
University of Hertfordshire's entire IT system offline after cyber attack
cyber attacks

University of Hertfordshire's entire IT system offline after cyber attack

15 Apr 2021
NSA uncovers new "critical" flaws in Microsoft Exchange Server
servers

NSA uncovers new "critical" flaws in Microsoft Exchange Server

14 Apr 2021