[BreachExchange] Hackers Update Age-Old Excel 4.0 Macro Attack

Destry Winant destry at riskbasedsecurity.com
Tue Apr 21 10:36:21 EDT 2020


https://threatpost.com/hackers-update-age-old-excel-4-0-macro-attack/154898/

XLS files sent via emails appear password protected but aren’t,
opening automatically to install malware from compromised macros,
according to researchers.

Hackers have updated the age-old Excel malware attack technique with a
new passwordless twist. Researchers have identified a new method that
no longer requires victims to enter a password to open a dangerous
document, more readily exposing them to potential malware infection.

Researchers from security firm Trustwave said they discovered a new
malspam campaign that sends Excel 4.0 xls 97-2003 files with a
compromised macro in email messages. The ploy is predictable: it
attempts to dupe users with themes ranging from fake invoices to
COVID-19-related lures.

In past campaigns, this type of attack used a password-protected Excel
4.0 document. The message body contains the password, which attackers
use to tempt targets into opening the Excel document. The idea is that
a password-protected Excel document is sent encrypted using Microsoft
Enhanced Cryptographic Provider v1.0. The encryption layer often
allows the malicious email to slip past email defenses. The document
itself contains Excel 4.0 Macro sheets – one of which harbors a
malicious macro.

The updated technique maintains the encrypted Excel document. It also
still requires user interaction – in that users must still be tricked
into opening the Excel document from inside the phishing email. The
difference is that when a victim opens the password-protected
document, it opens without the victim having to type a password, even
though the document is still encrypted.

According to Trustwave researcher Diana Lopera, in a blog post
outlining the discovery posted Friday, “A password has been applied to
the Excel files, which used the Microsoft Enhanced Cryptographic
Provider v1.0 algorithm to encrypt the attachments.”

Next, she explains, “Password protected documents can only be opened
with the correct password as this is the key needed in the decryption
process… Excel first attempts to open a password protected Excel file
using [a] default password ‘VelvetSweatshop’ in read-only mode.”

In the background, the researchers said, the Excel document is opened
using the pre-determined default password. “Hence, no password input
was required from the user nor was a warning from the application
prompted. The content of the XLS files were immediately displayed.”
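The behaviour described above is an observable property of the file: a workbook encrypted with RC4 CryptoAPI carries a password verifier in its FilePass record, and Excel opens the file silently when that verifier accepts the default password. The following Python is an added example, not code from the article or from Trustwave; it implements the MS-OFFCRYPTO RC4 CryptoAPI key derivation and verifier check with only the standard library, so a mail gateway or analyst script can flag attachments that would open without a prompt. It assumes the salt, EncryptedVerifier and EncryptedVerifierHash fields have already been pulled out of the Workbook stream (that OLE and BIFF parsing is not shown here), and the sample values it checks are constructed in the block itself.

```python
import hashlib
import os
import struct

# Excel's documented default password (the "VelvetSweatshop" the article describes).
DEFAULT_PASSWORD = "VelvetSweatshop"


class RC4:
    """Minimal RC4. One instance keeps its keystream position, because the
    verifier and the verifier hash are decrypted with one continuous stream."""

    def __init__(self, key: bytes):
        s = list(range(256))
        j = 0
        for i in range(256):
            j = (j + s[i] + key[i % len(key)]) & 0xFF
            s[i], s[j] = s[j], s[i]
        self.s, self.i, self.j = s, 0, 0

    def crypt(self, data: bytes) -> bytes:
        s = self.s
        out = bytearray()
        for byte in data:
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + s[self.i]) & 0xFF
            s[self.i], s[self.j] = s[self.j], s[self.i]
            out.append(byte ^ s[(s[self.i] + s[self.j]) & 0xFF])
        return bytes(out)


def derive_key(password: str, salt: bytes, key_bits: int = 40, block: int = 0) -> bytes:
    """MS-OFFCRYPTO RC4 CryptoAPI key derivation:
    H0 = SHA1(salt || UTF-16LE(password)); Hfinal = SHA1(H0 || block as uint32 LE)."""
    h0 = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    hfinal = hashlib.sha1(h0 + struct.pack("<I", block)).digest()
    if key_bits == 40:
        # 40-bit keys are zero-padded to 128 bits before being handed to RC4.
        return hfinal[:5] + b"\x00" * 11
    return hfinal[: key_bits // 8]


def make_verifier(password: str, salt: bytes, key_bits: int = 40, verifier=None):
    """Produce the EncryptedVerifier / EncryptedVerifierHash pair a writer stores
    in FilePass. Used here only to construct sample input for the checker."""
    verifier = verifier or os.urandom(16)
    cipher = RC4(derive_key(password, salt, key_bits))
    enc_verifier = cipher.crypt(verifier)
    enc_hash = cipher.crypt(hashlib.sha1(verifier).digest())
    return enc_verifier, enc_hash


def password_matches(password: str, salt: bytes, enc_verifier: bytes,
                     enc_hash: bytes, key_bits: int = 40) -> bool:
    """The check Excel performs: decrypt both fields with the same RC4 stream and
    compare SHA1(verifier) with the decrypted verifier hash."""
    cipher = RC4(derive_key(password, salt, key_bits))
    verifier = cipher.crypt(enc_verifier)
    verifier_hash = cipher.crypt(enc_hash)
    return hashlib.sha1(verifier).digest() == verifier_hash


def opens_silently(salt: bytes, enc_verifier: bytes, enc_hash: bytes,
                   key_bits: int = 40) -> bool:
    """True when the file's verifier accepts the default password, meaning Excel
    would decrypt it without prompting the user. A gateway can treat such an
    "encrypted" attachment as unencrypted for scanning purposes."""
    return password_matches(DEFAULT_PASSWORD, salt, enc_verifier, enc_hash, key_bits)


if __name__ == "__main__":
    # Constructed sample: a 16-byte salt and a verifier written with the default password.
    sample_salt = bytes(range(16))
    ev, eh = make_verifier(DEFAULT_PASSWORD, sample_salt)
    print("opens without prompt:", opens_silently(sample_salt, ev, eh))
```

Only block 0 is needed for the verifier check, which is why the derivation above never touches the per-1024-byte-block keys used for the payload itself; a tool that goes on to decrypt the Workbook stream re-derives the key with the matching block index.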

That allows for the malicious Excel 4.0 document to follow a familiar
infection routine.

The actors embedded malicious activity in macro sheets with random
names. Contained within the Excel sheets is a malicious macro.
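Excel 4.0 macro sheets are declared in the Workbook Globals substream by BoundSheet8 records, which carry each sheet's name, type and visibility; listing those records is the quickest way to see whether a 97-2003 workbook contains such a sheet at all, randomly named or not. The Python below is an added example, not code from the article or from Trustwave: a BIFF record walker that reports every sheet and flags the Excel 4.0 macro sheets. It operates on the raw (already decrypted) Workbook stream, which in practice is extracted from the OLE container with a library such as olefile; the stream it scans here is constructed inline, with the record layout taken from MS-XLS.

```python
import struct

# BIFF record opcodes used here.
BOF = 0x0809
BOUNDSHEET = 0x0085
EOF = 0x000A

# BoundSheet8.dt values and hsState values (MS-XLS 2.4.28).
SHEET_TYPES = {0x00: "worksheet", 0x01: "excel4-macro", 0x02: "chart", 0x06: "vba-module"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very-hidden"}


def iter_records(stream: bytes):
    """Yield (opcode, payload) for each BIFF record, stopping at the first EOF,
    since BoundSheet8 records all live in the Workbook Globals substream."""
    pos = 0
    while pos + 4 <= len(stream):
        opcode, length = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4 : pos + 4 + length]
        yield opcode, payload
        pos += 4 + length
        if opcode == EOF:
            break


def parse_boundsheet(payload: bytes) -> dict:
    """BoundSheet8: lbPlyPos (u32), hsState in the low 2 bits and dt in the high
    byte of a u16, then a ShortXLUnicodeString (cch, fHighByte flag, rgb)."""
    ply_pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
    raw = payload[8:]
    if flags & 1:
        name = raw[: cch * 2].decode("utf-16-le", errors="replace")
    else:
        name = raw[:cch].decode("latin-1")
    sheet_type = grbit >> 8
    return {
        "name": name,
        "type": SHEET_TYPES.get(sheet_type, "unknown-0x%02x" % sheet_type),
        "visibility": VISIBILITY.get(grbit & 0x03, "unknown"),
        "offset": ply_pos,
    }


def list_sheets(stream: bytes) -> list:
    return [parse_boundsheet(p) for op, p in iter_records(stream) if op == BOUNDSHEET]


def find_macro_sheets(stream: bytes) -> list:
    """Every Excel 4.0 macro sheet, with its visibility, so a scanner can flag
    the workbook (a hidden or very-hidden macro sheet is the more telling case)."""
    return [s for s in list_sheets(stream) if s["type"] == "excel4-macro"]


def build_boundsheet(name: str, sheet_type: int, visibility: int, offset: int) -> bytes:
    """Helper used only to construct the sample stream below."""
    data = struct.pack("<IHBB", offset, (sheet_type << 8) | visibility, len(name), 0)
    data += name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(data)) + data


# Constructed sample Workbook Globals substream: a BOF record (payload contents
# irrelevant to this scanner), one ordinary sheet and one very-hidden Excel 4.0
# macro sheet with a random-looking name, then EOF.
SAMPLE_STREAM = (
    struct.pack("<HH", BOF, 16) + bytes(16)
    + build_boundsheet("Sheet1", 0x00, 0, 0x200)
    + build_boundsheet("Xh7qP", 0x01, 2, 0x800)
    + struct.pack("<HH", EOF, 0)
)

if __name__ == "__main__":
    for sheet in list_sheets(SAMPLE_STREAM):
        print(sheet)
    print("macro sheets:", [s["name"] for s in find_macro_sheets(SAMPLE_STREAM)])
```

On a file protected with the default password the stream must be decrypted first; an encrypted Workbook stream still has readable BOF and FilePass records at the front, but the BoundSheet8 payloads after them are ciphertext and will not parse.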

“The macro will download a binary from a compromised site, save it on
disk under C drive, and execute them,” she said.

The macro links to a compromised site that hosts Gozi, a banking
trojan that can ride along on a victim’s banking transactions,
stealing credentials that are used to transfer funds from a victim’s
account.

Indeed, the way Excel treats the file when a user clicks on it is a
read-only bug that’s been known for more than 10 years, Trustwave
researchers noted. Researchers at Mimecast Threat Center also
discovered a campaign recently spreading the LimeRAT malware that
takes advantage of a vulnerability regarding this read-only feature
posted online in 2013.

Trustwave researchers said the threat is one of a raft of new malspam
campaigns leveraging the password-protected Excel 4.0 macro to engage
in malicious activity.
