Cloud-Based Malware Attack Exploiting Google Drive & Dropbox

Cybersecurity researchers have recently uncovered a sophisticated phishing email campaign that targets unsuspecting users by disguising a malicious executable as an Excel file. The attackers behind this campaign employ various obfuscation techniques to evade detection and compromise systems.

The attack begins with a phishing email carrying a zip attachment that appears to be a harmless Excel spreadsheet. The zip file actually contains a single executable whose file name is padded with Left-To-Right Override characters (LTRO) so that it is displayed as an Excel file. When users open the attachment, they unknowingly launch the malware, believing it to be a legitimate document.
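As an added illustration (not code from the original report), the following Python script shows how a mail gateway or an analyst could flag the file-name disguise described above: it opens a zip attachment, reports any Unicode bidirectional override control in an entry name, whichever direction, and recovers the extension the operating system will actually use. The sample archive and its entry names are constructed here for the demonstration.

```python
import io
import unicodedata
import zipfile

# Unicode bidirectional controls (U+202A..U+202E and U+2066..U+2069). U+202D is
# LEFT-TO-RIGHT OVERRIDE and U+202E is RIGHT-TO-LEFT OVERRIDE; neither belongs in
# a legitimate attachment name, so any of them is treated as a disguise attempt.
BIDI_CONTROLS = {chr(c) for c in range(0x202A, 0x202F)} | {chr(c) for c in range(0x2066, 0x206A)}

# Extensions that Windows executes directly when the user double-clicks the file.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def analyze_filename(name: str) -> dict:
    """Report the bidi controls present and the extension the OS will really use."""
    controls = [unicodedata.name(c) for c in name if c in BIDI_CONTROLS]
    # The filesystem ignores rendering: the real extension is the last suffix of the
    # raw name once the control characters are dropped.
    clean = "".join(c for c in name if c not in BIDI_CONTROLS)
    ext = ("." + clean.rsplit(".", 1)[1].lower()) if "." in clean else ""
    return {
        "name": clean,
        "bidi_controls": controls,
        "real_extension": ext,
        "suspicious": bool(controls) or ext in EXECUTABLE_EXTENSIONS,
    }


def scan_zip(data: bytes) -> list:
    """Analyze every file entry of an in-memory zip attachment."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [analyze_filename(i.filename) for i in zf.infolist() if not i.is_dir()]


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one benign sheet and one disguised executable.

    The second entry is stored as 'Report' + U+202E + 'xslx.exe'. A viewer that
    honours the override renders the tail reversed, i.e. 'Reportexe.xlsx', while
    Windows still treats the file as an .exe.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Q1_figures.xlsx", b"placeholder bytes, not a real workbook")
        zf.writestr("Report\u202exslx.exe", b"placeholder bytes, not a real binary")
    return buf.getvalue()


if __name__ == "__main__":
    for entry in scan_zip(build_sample_zip()):
        print(entry)
```

Running the script prints one record per entry; the disguised one is reported with its real `.exe` extension and the name of the override character found.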

The malicious executable, a small file compiled with Visual Studio 2015, makes heavy use of XOR encoding to obfuscate its strings and embedded files. This encoding makes static analysis difficult and hides the true nature of the payload from security analysts. The executable also drops VBScript payloads together with a legitimate Excel file, which adds to the deception.

Upon execution, the dropper writes several files to the C:\ProgramData directory, a location commonly used by malware because it is hidden from casual browsing and writable. These files, including 20240416.xlsx and 3156.vbs, are stored XOR-encoded to hide their content, which makes them harder to analyze.

The attack is a multi-stage process that moves from binary execution to a VBScript stage. The core malicious functionality lies in the VBScript, which creates scheduled tasks disguised as legitimate system processes to achieve persistence on the infected system. The script also downloads additional malicious payloads and creates temporary VBScript files to bypass execution policies and run PowerShell scripts using various obfuscation techniques.

The attackers use the scheduled tasks and VBScripts to run PowerShell scripts every minute, which download further malicious files from Dropbox and Google Drive. The PowerShell scripts retrieve compressed binaries and execute them in memory to establish a connection with the attackers’ command and control (C2) server at a predefined IP address and port.

This sophisticated attack highlights the evolving tactics used by cybercriminals to evade detection and compromise systems. Organizations and users are advised to remain vigilant against phishing emails and ensure that they have robust cybersecurity measures in place to protect against such threats.

In conclusion, the phishing email campaign that disguises a malicious executable as an Excel file is a stark reminder of the ongoing cybersecurity threats faced by individuals and organizations. By employing advanced obfuscation techniques and multi-stage attacks, cybercriminals continue to evolve their tactics to bypass security defenses and carry out malicious activities. It is essential for users to stay informed about these threats and take proactive steps to protect their systems and data from such attacks.
