SonicWall Capture Labs Threats Research team has been observing modifications in the techniques being used to distribute ZLoader using MS-Excel file. It all began around Jan 2020, when the first campaign was seen using XLM macro instead of the commonly used VBA macro. Since then, we have observed significant improvements like addition of evasion and sandbox bypassing techniques through XLM macro as already described in our previous blog.

This variant uses OOXML format based MS-Excel file. In the OOXML format based MS-Excel file, usually the XLM macro sheets are stored inside “macrosheets”  folder. The sheets are named either “Sheet<digit>.xml” or “intlsheet<digit>.xml”.  This variant uses a completely different folder and file name to store macro sheet. The macro sheet and folder are named “foto.png” and “bioxr” respectively, as shown in the below image:

Fig-1: XLM MacroSheet

Engines looking for macro sheets specifically inside “macrosheets” folder might fail to identify these files as XLM based Macro files. After careful inspection of the “workbook.xml.rels” file, we found that both the folder and the file name for the macro sheet are misleading as shown below:

Fig-2: workbook.xml.rels

Sample Analysis:

Upon opening the file, the user is displayed instructions to enable macro as shown below:

Fig-3: Excel File

The sample contains two sheets, one is a hidden macro sheet. It has a defined name “Aut0_Open”, which enables macro execution as soon as the file is opened. Font size in the sheet is kept small ( “2”) to inhibit reading of the content.

Fig-4: hidden macro sheet

Upon execution of XLM macro, payload belonging to Zloader family is downloaded and saved as C:\<random>\<random>\ServApi.exe

SonicWall Capture ATP protects against this threat as shown below:

Fig-5: Capture Report

Indicators of Compromise:

SHA256 of malicious Excel Files:

• 12047db782ec585e6c577248607f504869d166077ee33a4d455a66370ea6f9b4
• 189735e1fde7511cd9cedfb317f544971411691192c25ca36147998e492753d7
• 18d1cc06d96c741e0c21c1ceea194f37ca5941264cc0a26d89cba8e09c132485
• 18e6f2976642ca37a4e81358ea8da608b5d34a50b1954d0c3041e902ae23e192
• 18f33627843309fdef93e7edc7c24c856912d19a9622c2647165247e1aa16386
• 1a03a110254fe594cb08e5db44b5dd7d00ebedf5bf6944e2aff7807195b7bff6
• 1b29453e458e36c8b8b17371d4cb254a7cea4f1b035dc2d308e75ca1829766f3
• 20af190130ad3ac40a01df57341929d968616ef717bc9e691308ccaf4f41a683
• 211eb2bbaf1e1dcadd3f10c6c77ff2243f8690b1cd9f9dd5218d48d1b4edd02e
• 224b3303d4f32bc71fa3322d9385d004293459ed74885179178d04c880dbf6f8
• 2335e54b766bf5dc2a9078b995a4878ff350aa39d83ef7eabe77433c5c26e998

Network Connection:

• safedot[.]digital
  • Domain registred on 25-Feb-2021

Files:

• C:\<random>\<random>\ServApi.exe

The SonicWall Capture Labs Threat Research team observed reports of a new variant family of Parasite ransomware actively spreading in the wild.

The Parasite ransomware encrypts the victim’s files with a strong encryption algorithm until the victim pays a fee to get them back.

The ransomware targeting French speaking users and designed for very specific region.

Infection Cycle:

The ransomware adds the following files to the system:

• Malware.exe
  • %App.path%\ [Filename]. Parasite

Once the computer is compromised, the ransomware runs the following commands:

When Parasite is started it will create and assign a unique ID number to the victim then scan all local drives for data files to encrypt.

When encrypting files it will use the AES encryption algorithm and only encrypt those files that match the following extensions:

txt ,doc ,docx ,xls ,xlsx ,ppt ,pptx ,odt ,jpeg ,png ,csv ,sql ,mdb ,sln ,php ,asp ,aspx ,html ,xml ,psd ,rar ,wma ,avi ,wmv ,d3dbsp ,zip ,sie ,sum ,ibank ,qdf ,gdb ,tax ,pkpass ,bkp ,qic ,bkf ,sidn ,sidd ,mddata ,itl ,itdb ,icxs ,hvpl ,hplg ,hkdb ,mdbackup ,syncdb ,gho ,cas ,svg ,map ,wmo ,itm ,fos ,mov ,vdf ,ztmp ,sis ,sid ,ncf ,menu ,layout ,dmp ,blob ,esm ,vcf ,vtf ,dazip ,fpk ,mlx ,iwd ,vpk ,tor ,psk ,rim ,fsh ,ntl ,arch00 ,lvl ,snx ,cfr ,vpp_pc ,lrf ,mcmeta ,vfs0 ,mpqge ,kdb ,dba ,rofl ,hkx ,bar ,upk ,das ,iwi ,litemod ,asset ,forge ,ltx ,bsa ,apk ,sav ,lbf ,slm ,bik ,epk ,rgss3a ,pak ,big ,wallet ,wotreplay ,xxx ,desc ,flv ,css ,pfx  ,wav ,bin ,conf ,ico ,jfif

The ransomware encrypts all the files and appends the [.Parasite] extension onto each encrypted file’s filename.

After encrypting all personal documents, the ransomware shows the following text file containing a message reporting that the computer has been encrypted and to contact its developer for unlock instructions.

The ransomware shows different message for French speaking targets:

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Parasite.RSM (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

Discord is a digital distribution platform geared towards building communities. But malware authors are misusing this as a medium to host malicious applications, these hosted applications can be accessed and downloaded even without having an account on Discord.

While investigating an Android banker, the Sonicwall Capture Labs Research team observed that it was hosted on Discord server cdn.discordapp.com. Further investigations revealed that this server is hosting/communicating (at the time of writing this blog) with a large number of malicious applications. We observed the following types of malicious apps in connection with this server:

• Android apks
• Executables
• Compresses RAR’s

Below is a Virustotal Graph for this observation:

We analyzed few Android apps which share similar functionality and obfuscation measures designed to hide their true functionality from automated security scanners.

In both cases the Main activity mentioned in the AndroidManifest.xml file is not present in the decompiled code of the app. This indicates that most likely a separate dex file might be dropped on the system which contains decrypted code which gets invoked:

Upon execution the apps request for Accessibility Services, until the permission is granted the request screen keeps showing up intermittently:

The malware contains obfuscated code, not providing much information about its functionality:

However when the malware runs on the device, it drops a .json file in the FOLDERNAME. This is a .dex file in reality as indicated by the initial file header:

Upon renaming the file and opening it in a .dex file viewer like Jadx we can see readable code, there is junk code along with legible code. We can finally see the Main Activity class that is specified in the Manifest file which was previously unknown:

The malware is capable of accepting and executing the following commands:

• grabbing_lockpattern
• run_record_audio
• run_socks5
• update_inject
• stop_socks5
• rat_connect
• change_url_connect
• request_permission
• clean_cache
• change_url_recover
• send_mailing_sms
• run_admin_device
• access_notifications
• url
• ussd
• sms_mailing_phonebook
• get_data_logs
• get_all_permission
• grabbing_google_authenticator2
• notification
• grabbing_pass_gmail
• remove_app
• remove_bot
• send_sms
• run_app
• call_forward
• patch_update

This malware is yet another good example that shows the dangers of granting Accessibility Service to an application. If the permissions is not granted a malware may keep requesting for this permission, this is a tell-tale sign that something is not right.

Android malware occupies a small slice among the myriad malicious apps hosted on Discord. There have been conversations about malware being hosted on Discord for a while but the issue still appears to persist.

SonicWall Capture Labs provide protection against this threat with the following signatures:

• AndroidOS.Obfuscated.ST (Trojan)
• AndroidOS.Banker.CM (Trojan)

Indicators of Compromise (IOC’s):

• e8a0b4aa368473a5a0d1183fb79e127b
• 2e87bd0a77bfdf78ff50634b0ec1c7ae

Obfuscation is a commonly used technique by malware authors to render their code unreadable to prevent easy interpretation of the program that might give clues on their intent or behavior. This week, the Sonicwall Capture Labs Research team has analyzed a phishing email attachment that uses morse code to hide malicious scripts and URLs within the file.

Infection Cycle

The malicious file comes as a spam email attachment pretending to be an invoice and uses the following filename:

• <random>_invoice<random>.xlsx.html

It pretends to be an excel spreadsheet and upon execution it displays a fake session timeout error message for Office365 which then requires you to login and type in your password. This login information is sent to a remote server and the user is then redirected to a page with another fake error message.

This html file uses morse code to hide malicious URLs within the file.

It uses javascript to map the alpha-numeric characters to the dots and dashes in morse code. The decoded value is a hex string which further decodes to another nested script which loads another javascript hosted on a remote server.

These two URLs are the main files for this phishing campaign. The first one loads a css file as shown below.

While the second loads the main html page with the icons, images used and fake session time out message display prompting the user to login. This html page shows the remote server where stolen login information are then sent once the user types in his login information.

The remote server tanikawashuntaro dot com appears to be a compromised legitimate website.

We urge our users to always be vigilant and cautious with any unsolicited email and to avoid providing any personal information, particularly if you are not certain of the source.

SonicWall Capture Labs provides protection against this threat via the following signature:

• GAV: Morse.PH (Trojan)