Hackers Update Age-Old Excel 4.0 Macro Attack

XLS files sent via emails appear password protected but aren’t, opening automatically to install malware from compromised macros, according to researchers.

Hackers have updated the age-old Excel malware attack technique with a new passwordless twist. Researchers have identified a new method that no longer requires victims to enter a password to open a danger document, more readily exposing them to potential malware infection.

Researchers from security firm Trustwave said they discovered a new malspam campaign that sends Excel 4.0 xls 97-2003 files with a compromised macro in email messages. The ploy is predictable and attempt to dupe users with themes ranging from fake invoices to COVID-19 related lures.

In past campaigns, this type of attack uses a password-protected Excel 4.0 document. The message body contains a password that attackers use to tempt targets with to open the Excel document. The idea is, a password protected Excel document is sent encrypted using Microsoft Enhanced Cryptographic Provider v1.0. The encryption layer often allows the malicious email to slip past email defenses. The document itself contains Excel 4.0 Macro sheets – one of which harbors a malicious macro.

The updated technique maintains the encrypted Excel document. It also still requires user interaction – in that users must still be tricked into opening the Excel document from inside the phishing email. The difference is, when a victim opens the password-protected document, hackers have devised a way that opens the encrypted and password-protected document without requiring the physical input of a password.

According to Trustwave researcher Diana Lopera, in a blog post outlining the discovery posted Friday, “A password has been applied to the Excel files, which used the Microsoft Enhanced Cryptographic Provider v1.0 algorithm to encrypt the attachments.”

Next, she explains, “Password protected documents can only be opened with the correct password as this is the key needed in the decryption process… Excel first attempts to open a password protected Excel file using [a] default password ‘VelvetSweatshop’ in read-only mode.”

In the background, the researchers said, the Excel document is opened using the pre-determined default password. “Hence, no password input was required from the user nor was a warning from the application prompted. The content of the XLS files were immediately displayed.”

That allows for the malicious Excel 4.0 document to follow a familiar infection routine.

The actors embedded malicious activity in macro sheets with random names. Contained within the Excel sheets is a malicious macro.

“The macro will download a binary from a compromised site, save it on disk under C drive, and execute them,” she said.

The macro links to a compromised site that hosts Gozi, a banking trojan that can ride along on a victim’s banking transactions, stealing credentials that are used to transfer funds from a victim’s account.

Indeed, the way Excel treats the file when a user clicks on it is a read-only bug that’s been known for more than 10 years, Trustwave researchers noted. Researchers at Mimecast Threat Center also discovered a campaign recently spreading the LimeRAT malware that takes advantage of a vulnerability regarding this read-only feature posted online in 2013.

Trustwave researchers said the threat is one of a raft of new malspam campaigns leveraging the password-protected Excel 4.0 macro to engage in malicious activity.

Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, A Practical Guide to Securing the Cloud in the Face of Crisis. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. Please register here for this sponsored webinar.

Suggested articles