IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Invoice ZLoader campaign hides within encrypted Excel docs

Emails use fake new IRS taxation rules to lure victims

Security researchers have discovered a new, sophisticated infection chain technique of delivering malware via invoicing-themed spam campaigns.

According to cyber security firm Forcepoint, the campaigns have been running since February 2021, seemingly every week, with a two-three day campaign before moving to a new lure regarding IRS taxation rules. 

Researchers said that the campaign’s goal is to install ZLoader malware - a banking and data exfil trojan - but the malware’s obfuscation inside an encrypted Excel file means the cyber criminals may avoid detection.

The emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains only a few simple sentences. For example, claiming to outline new IRS taxation rules and asking recipients to review all attached information, according to researchers.

These emails’ common feature is a Microsoft Word attachment in MHTML format with a randomly generated filename. MHTML has an advantage in its compatibility with web-based technologies. 

There is no visible difference between using this format over the more typical OLE or DOCX. Still, it’s been popular amongst cyber criminals for years due to the technical challenges it might pose to security products, according to researchers.

While Microsoft Word is configured to have macros disabled, should a victim enable macros, it launches a VBA project that forces Excel to download and decrypt a spreadsheet from the specified C2 server.

Upon investigating this downloaded spreadsheet, researchers found there were no macros present. They found five sheets, some containing strings and Excel functions in seemingly random cells/order, and a large blob of encoded data in the fourth sheet.

“Anybody with previous experience working with encoded content will easily see that base64 encoding is used,” said researchers.

Researchers said the base64 data was the final payload. A function in the malicious Excel spreadsheet decodes and executes the “ThisWorkbook.gykvtla” payload.

Researchers said this campaign’s payload was ZLoader. This highly popular multi-purpose malware acts as a banking trojan and helps distribute ransomware families in the past, such as Ryuk and Egregor.

“How the operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen,” said researchers.

Researchers added this phishing campaign’s creators “are showcasing skills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.”

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Protecting healthcare from cybercrime
Whitepaper

Protecting healthcare from cybercrime

25 May 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The truth about cyber security training
Whitepaper

The truth about cyber security training

25 Apr 2022
The Total Economic Impact™ of Mimecast
Whitepaper

The Total Economic Impact™ of Mimecast

25 Apr 2022

Most Popular

Actively exploited server backdoor remains undetected in most organisations' networks
cyber attacks

Actively exploited server backdoor remains undetected in most organisations' networks

1 Jul 2022
Macmillan Publishers hit by apparent cyber attack as systems are forced offline
Security

Macmillan Publishers hit by apparent cyber attack as systems are forced offline

30 Jun 2022
Former Uber security chief to face fraud charges over hack coverup
data breaches

Former Uber security chief to face fraud charges over hack coverup

29 Jun 2022