Hackers Update Age-Old Excel 4.0 Macro Attack

silversurfer

Hackers have updated the age-old Excel malware attack technique with a new passwordless twist. Researchers have identified a new method that no longer requires victims to enter a password to open a dangerous document, more readily exposing them to potential malware infection.

Researchers from security firm Trustwave said they discovered a new malspam campaign that sends Excel 4.0 xls 97-2003 files with a compromised macro in email messages. The ploy is predictable and attempts to dupe users with themes ranging from fake invoices to COVID-19 related lures.

In past campaigns, this type of attack used a password-protected Excel 4.0 document. The message body contains a password that attackers use to tempt targets to open the Excel document. The idea is, a password-protected Excel document is sent encrypted using Microsoft Enhanced Cryptographic Provider v1.0. The encryption layer often allows the malicious email to slip past email defenses. The document itself contains Excel 4.0 Macro sheets – one of which harbors a malicious macro.

The updated technique maintains the encrypted Excel document. It also still requires user interaction – in that users must still be tricked into opening the Excel document from inside the phishing email. The difference is, when a victim opens the password-protected document, hackers have devised a way that opens the encrypted and password-protected document without requiring the physical input of a password.

According to Trustwave researcher Diana Lopera, in a blog post outlining the discovery posted Friday, “A password has been applied to the Excel files, which used the Microsoft Enhanced Cryptographic Provider v1.0 algorithm to encrypt the attachments.”
Next, she explains, “Password protected documents can only be opened with the correct password as this is the key needed in the decryption process… Excel first attempts to open a password protected Excel file using [a] default password ‘VelvetSweatshop’ in read-only mode.”
In the background, the researchers said, the Excel document is opened using the pre-determined default password. “Hence, no password input was required from the user nor was a warning from the application prompted. The content of the XLS files were immediately displayed.”
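A mail filter can run the same check Excel does and flag attachments that decrypt with the default password, so they are not skipped as unreadable. The sketch below is an added example, not code from the post or from Trustwave: it assumes the body of the BIFF8 FILEPASS record has already been extracted from the workbook stream, handles only the RC4 CryptoAPI scheme (MS-OFFCRYPTO), and its function names and sample record are constructed for illustration.

```python
import hashlib
import struct

DEFAULT_PASSWORD = "VelvetSweatshop"  # default password quoted in the article

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (same routine encrypts and decrypts)."""
    s, j, out = list(range(256)), 0, bytearray()
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(password: str, salt: bytes, key_bits: int) -> bytes:
    """RC4 CryptoAPI key for block 0: SHA1(SHA1(salt + pw) + block)."""
    h0 = hashlib.sha1(salt + password.encode("utf-16-le")).digest()
    key = hashlib.sha1(h0 + struct.pack("<I", 0)).digest()[: key_bits // 8]
    return key.ljust(16, b"\x00") if key_bits == 40 else key

def opens_with_default_password(filepass: bytes) -> bool:
    """filepass: body of a FILEPASS (0x002F) record. True = flag the file."""
    enc_type, _major, minor = struct.unpack_from("<HHH", filepass, 0)
    if enc_type != 1 or minor != 2:  # not RC4 CryptoAPI: out of scope here
        return False
    (header_size,) = struct.unpack_from("<I", filepass, 10)
    key_bits = struct.unpack_from("<I", filepass, 30)[0] or 40  # 0 means 40
    v = 14 + header_size  # EncryptionVerifier follows the EncryptionHeader
    salt = filepass[v + 4 : v + 20]
    enc = filepass[v + 20 : v + 36] + filepass[v + 40 : v + 60]
    plain = rc4(derive_key(DEFAULT_PASSWORD, salt, key_bits), enc)
    return hashlib.sha1(plain[:16]).digest() == plain[16:36]

def build_sample(password: str) -> bytes:
    """Constructed FILEPASS body for the demo (not from a real sample)."""
    salt, verifier = bytes(range(16)), bytes(range(16, 32))
    csp = "Microsoft Enhanced Cryptographic Provider v1.0\0".encode("utf-16-le")
    header = struct.pack("<8I", 4, 0, 0x6801, 0x8004, 128, 1, 0, 0) + csp
    enc = rc4(derive_key(password, salt, 128), verifier + hashlib.sha1(verifier).digest())
    return (struct.pack("<HHHII", 1, 2, 2, 4, len(header)) + header + struct.pack("<I", 16)
            + salt + enc[:16] + struct.pack("<I", 20) + enc[16:])

if __name__ == "__main__":
    print(opens_with_default_password(build_sample(DEFAULT_PASSWORD)))
```

A file that returns True can be decrypted with the same key and passed to the normal macro scanners instead of being treated as opaque.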
 
