Excel Maldocs Avoid Spam Filters and Antivirus Software

Everyone receives phishing emails with shady attachments, but most people never see them because they are shunted into the spam folder. Even if you go to the spam folder, it is unlikely you’ll ever see the attachments themselves. Yahoo won’t allow you to download any attachment found in the spam folder.

Gmail gives you the following warning.

And that’s the way it usually goes… but not any longer.

It seems that a new line of attack is able to bypass spam filters and include a malicious attachment (known as a maldoc) that is ready to be opened.

Now, at the outset, I should note that this is an attack vector that is only getting started. It appears that the creator of this technique has been using the VirusTotal website to check if they have produced an attachment that cannot be detected. This, in itself, is nothing unusual. It’s a cheap way for a hacker to tell how good their attachment is at avoiding detection by the most popular antivirus software. If too many antivirus programs detect the attachment as malware, the developer can go back to the lab and tweak their code and test it until it manages to avoid detection. When that time comes, they will launch a full scale attack.

As most people know, hackers want you to download and open a document to release whatever malware they have put into it. This is commonly done by convincing the victim to allow macros to operate, but what is a macro anyway? Macros are legitimate programs that can operate within Word or Excel. They are usually written by users to simplify repetitive tasks. Rather than format a monthly report every time you make it, you can save that format in a macro. But, for security reasons, Microsoft Office’s default will not allow macros to run automatically if the document they are included in comes from an unrecognized source. That’s why when you try to open a document with a malicious macro, you will be asked if you really want to enable the macro contained within that document. The only hope the hacker really has is that you’ll click ‘yes’ and release their malware. Add to this that most spam filters look for suspicious macros in attachments, and this becomes a very difficult vector for criminals to exploit.

But that’s never stopped hackers before. The key to this new attack is its use of something called the .NET library. This is code that is capable of running programs on multiple platforms, such as Windows and Linux. In other words, a hacker could write a program that can be opened in Excel but is not created through Excel. But so what?

These programs that can write Excel spreadsheets can be used to insert malicious code that cannot be readily detected by spam filters or antivirus software. If normal Word documents or Excel spreadsheets have VBA code written into them, most security programs are designed to detect it and warn those who may try to open these documents. But, not only did the attackers put malicious code into their documents, they protected the macro project that contained the malicious code with a password so that it could not be analyzed. This maneuver did not stop the code from running. It only stopped cybersecurity investigators from analyzing the code that the attackers created. NVISO Labs determined that the attackers built the Excel attachment with EPPlus, a tool that uses the .NET library. Those interested in the technical aspects of the attack can read their report for the details. For the purposes of this post, it is simply necessary to see how these malicious attachments are able to evade detection.
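Since the macro content itself may be unreadable (password protected) and unknown to antivirus signatures, a defender can still triage an Excel attachment structurally: does the file carry a VBA project at all, and does its metadata say Excel produced it? The Python below is an added example, not code from this post or from the NVISO report; it builds constructed in-memory sample workbooks rather than real attachments, and the "non-Office producer metadata" check is an assumed heuristic (library-written files may carry different or missing `Application` metadata), not a claim about how EPPlus output looks.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

APP_NS = "{http://schemas.openxmlformats.org/officeDocument/2006/extended-properties}"

def build_sample(with_vba: bool, application: Optional[str]) -> bytes:
    """Constructed minimal OOXML container (not a real attachment) so the triage runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if application is not None:
            z.writestr("docProps/app.xml",
                       f'<Properties xmlns="{APP_NS[1:-1]}">'
                       f"<Application>{application}</Application></Properties>")
        if with_vba:
            # Stand-in for a VBA project stream: only its presence matters here.
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)
    return buf.getvalue()

def triage(data: bytes) -> dict:
    """Report whether an OOXML attachment embeds a VBA project and what produced it."""
    findings = {"has_vba_project": False, "application": None, "flags": []}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["flags"].append("not an OOXML container")
        return findings
    names = set(z.namelist())
    # Presence of vbaProject.bin is structural: it does not depend on the
    # macro's content or on whether the project is password protected.
    findings["has_vba_project"] = any(n.endswith("vbaProject.bin") for n in names)
    if "docProps/app.xml" in names:
        app = ET.fromstring(z.read("docProps/app.xml")).find(APP_NS + "Application")
        findings["application"] = app.text if app is not None else None
    if findings["has_vba_project"]:
        findings["flags"].append("embedded VBA project")
        # Heuristic (assumption): a macro workbook whose producer metadata is not
        # Excel's deserves sandboxing or quarantine before it reaches an inbox.
        if not (findings["application"] or "").startswith("Microsoft"):
            findings["flags"].append("macro workbook with non-Office producer metadata")
    return findings

if __name__ == "__main__":
    for label, sample in [("library-built macro file", build_sample(True, None)),
                          ("Excel-built file without macros", build_sample(False, "Microsoft Excel"))]:
        print(label, "->", triage(sample))
```

A gateway rule that quarantines anything with "embedded VBA project" catches the attachment regardless of what the macro does or whether any antivirus engine recognises it.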

Thus, the victim may see, in their inbox, a message with an attached Excel spreadsheet. If the message seems to be from a valid source, if the message is well-written and appropriate, and if the attachment has a reasonable name, there is a fair chance that the victim may download and open it. So, let’s look at one of these phishing emails and see how it matches these criteria.

The subject line, “Quotation Request” is valid enough as is the name of the attachment, “Purchase Order”. Then the attack falls apart. The letter does not maintain a proper register for a serious business document. There is, additionally, a nonnative English feel to the body of the email, “we want to make a large quantity of order”. Nonetheless, foreign-based companies also need things. They may not write the best English but they still need business connections. So would the potential victim open the spreadsheet and agree to enable the document’s macros? Possibly. At least the odds of this happening are better than they would be if this email didn’t make it into the inbox. According to the NVISO report, the attackers may be targeting “the medical equipment sector, aluminum sector, facility management and a vendor for custom made press machines.” However, they only managed to see 6 of the phishing emails so it is really impossible to generalize. On the other hand, the researchers disturbingly found that “it appears the threat actor primarily uses legitimate corporate email accounts to initiate the phishing campaign.” In other words, this has all the elements of a major phishing attack and appears to be one that is in the initial stages. So far, they have identified 200 documents, most of which are associated with the countries shown in dark blue below.

The supposition that this attack is still in its formative stages is borne out by one of the latest retrieved documents which is using a legitimate healthcare provider to mask its attack. Note the healthcare provider’s name on the warning.

For the present time, it appears as if this is an information gathering attack. At least that’s the type of malware that has been identified. What bothers me is that this latest attack is posing as a healthcare provider. Healthcare providers are one of the most frequent targets of ransomware attacks. In other words, one has to ask whether this new attack vector is simply a setup for what may become a full scale ransomware attack on the healthcare sector.

Add to this the following 2017 finding from Accenture, and we have an almost perfect storm in the offing.

A 2019 report in Crime Science makes the overall susceptibility to phishing attacks even clearer. Notice that over 64% of all ransomware attacks were deployed by tricking victims into responding to a phishing email and, among these, most were tricked into downloading and opening an attachment.

For the moment, not much notice is being taken of this new vector, in which attachments avoid antivirus and spam filter detection by hiding the code that releases the malware. However, all the statistics shown above seem to point to a potential targeting of the healthcare sector with malware, as this sector, statistically, is the most vulnerable and most likely to pay a ransom. It’s a good time for hackers to target healthcare, as there happens to be a pandemic going on and healthcare professionals have other things on their minds. Look for this malware to come with some sort of Covid-19 link if it hasn’t already done so. Healthcare is often more willing than most sectors to pay the demanded ransom to get its data back. This is especially true of smaller healthcare providers and hospitals. Ransom payments by victims have increased to 62% this year. This is because the criminals behind these attacks have started to actually supply the decryption tools after the ransom is paid. The victims simply feel they can take the financial hit.

When this vector becomes more widely known, all sorts of bad actors may try using it, and not all of them will be deploying ransomware. The best advice is to simply never allow macros to be enabled. Even if the email seems to come from a reliable source and has made it into your inbox, it’s always a good idea to check with the sender before downloading and opening any attachments. Check with a phone call or text message and not by responding to the email. This may all seem obvious, but if that were the case, ransomware attacks would not have increased by 66% this year.
