Threat Actors Weaponize Excel Files To Attack Windows Machines

Attackers are using malicious Excel files with VBA macros to deploy DLLs and ultimately install Cobalt Strike on compromised Windows machines, which use obfuscation and target specific processes to avoid detection by antivirus software. 

The attacks appear to target Ukrainian systems and leverage geopolitical themes as lures,  highlighting a trend of increasingly complex and frequent attacks, especially during times of tension. 

Attack flow

A malicious Excel document targets Ukrainian users by exploiting disabled macros, where the document displays a fake security warning urging users to enable macros, which supposedly unlocks a military budget calculation sheet. Once enabled, a VBA macro deploys a HEX-encoded DLL downloader.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

The macro decodes the downloader, saves it to a hidden folder, and creates a shortcut that uses regsvr32 to execute the downloaded DLL, which aims to bypass string detection and establish malicious functionality on the compromised system. 

Excel document after enabling VBA

The malware downloader, obfuscated by ConfuserEx, first checks for running processes associated with analysis tools or antivirus software and terminates itself if any are found. 

It then retrieves the next stage payload from a geo-restricted URL, and if the device is in Ukraine, it downloads the payload (an SVG file), decodes it with a hardcoded key using XOR, and saves it to the TEMP folder. 

It executes the decoded payload (a.NET DLL) using rundll32.exe and deletes it to avoid detection.

The DLL decrypts another payload using RC4 and writes it to a specific location. It also adds a registry key to ensure persistence and launches the newly written file. 

Execute the “ResetEngine.dll”

ResetEngine.dll, a core component for malicious activity, uses NtDelayExecution to bypass sandbox detection, searches for processes, attempts to terminate parent processes to prevent debugging, and then decrypts the final payload using an AES algorithm

Finally, ResetEngine.dll injects the decrypted payload into itself and leverages various Windows APIs to execute the Cobalt Strike malware, including GetCurrentProcessId, OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread, and WaitForSingleObject. 

Writing Cobalt Strike into memory

Malware researchers at Fortinet discovered a multi-stage attack campaign targeting Ukraine.

The attack leverages VBA macros with encoded configuration strings to download malicious payloads, and the configuration is XOR-encoded and contains Cobalt Strike C2 server URLs. 

The attackers use location-based checks to evade detection and deploy a DLL injector that delays execution and terminates parent processes to bypass sandboxing and anti-debugging, which leads to the deployment of Cobalt Strike beacons for further compromise. 

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

12 hours ago

Python NodeStealer: Targeting Facebook Business Accounts to Harvest Login Credentials

The Python-based NodeStealer, a sophisticated info-stealer, has evolved to target new information and employ advanced…

12 hours ago

XSS Vulnerability in Bing.com Let Attackers Send Crafted Malicious Requests

A significant XSS vulnerability was recently uncovered in Microsoft’s Bing.com, potentially allowing attackers to execute…

15 hours ago

Meta Removed 2 Million Account Linked to Malicious Activities

 Meta has announced the removal of over 2 million accounts connected to malicious activities, including…

18 hours ago

Veritas Enterprise Vault Vulnerabilities Lets Attackers Execute Arbitrary Code Remotely

Critical security vulnerability has been identified in Veritas Enterprise Vault, a widely-used archiving and content…

19 hours ago

7-Zip RCE Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been disclosed in the popular file archiving tool 7-Zip, allowing…

19 hours ago