Security researchers have given us a glimpse of a new attack that uses malicious Excel spreadsheets. With it, attackers not only spread malware but also bypass security checks. The choice of Excel spreadsheets is what raises concern here: the attackers are trying to trick security systems into treating the files as legitimate.
Excel spreadsheets spread malware
In July, security researchers observed the spread of ‘maldocs’: malicious Excel documents that deliver malware through spreadsheets containing VBA macros. Malicious VBA code and malware payloads are, by themselves, nothing new.
In the past, we have seen attackers use similar methods to cash in on the fear of COVID-19 spreading across affected regions. In one incident, hackers were caught using the Coronavirus scare to target e-mail addresses and install malware through an infected MS-Word document.
What intrigued security researchers the most was the way those Excel documents and spreadsheets were created. Believe it or not, the attackers did not use Microsoft Office to create those macro-laden Excel workbooks, which reduced the risk of detection to a significant extent.
In a blog post, NVISO said:
“The creators of the malicious Excel documents used a technique that allows them to create macro-laden Excel workbooks, without actually using Microsoft Office. As a side effect of this particular way of working, the detection rate for these documents is typically lower than for standard maldocs.”
Instead of Microsoft Office Excel, the attackers relied on the EPPlus library to create those malicious Microsoft Office documents. This was the initial step in bypassing certain security checks. Security researchers also believe that no more than one threat actor is responsible for the spread of these malicious documents.
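As an added example (not NVISO's code and nothing from the campaign itself), here is a defender-side triage check that follows from the point above: a workbook that carries a VBA project but whose OOXML metadata names a creator other than Excel is worth a closer look. The use of docProps/app.xml and its Application element as the creator marker, and the "Microsoft Excel" comparison, are assumptions about typical OOXML metadata, not something the article states.

```python
"""Triage heuristic for macro-enabled OOXML workbooks created outside Excel.

Added example. Assumptions: the workbook is a zip container, a VBA project
is stored as xl/vbaProject.bin, and docProps/app.xml carries an
<Application> element naming the creating program.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Optional

VBA_PART = "xl/vbaProject.bin"
APP_XML = "docProps/app.xml"
EP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"


def inspect_workbook(data: bytes) -> dict:
    """Return findings for one OOXML workbook given as raw bytes."""
    findings = {"has_vba": False, "application": None, "suspicious": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip container"
        return findings
    names = set(zf.namelist())
    findings["has_vba"] = VBA_PART in names
    if APP_XML in names:
        root = ET.fromstring(zf.read(APP_XML))
        app = root.find(f"{{{EP_NS}}}Application")
        findings["application"] = app.text if app is not None else None
    # Heuristic (assumption): a workbook with macros whose recorded creator is
    # not Excel, or that records no creator at all, deserves manual review.
    if findings["has_vba"] and findings["application"] != "Microsoft Excel":
        findings["suspicious"] = True
    return findings


def build_sample(application: Optional[str], with_vba: bool) -> bytes:
    """Construct a minimal workbook container for testing (constructed data,
    not a real maldoc; the VBA part is only a placeholder blob)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        if application is not None:
            zf.writestr(APP_XML, f'<Properties xmlns="{EP_NS}">'
                                 f"<Application>{application}</Application></Properties>")
        if with_vba:
            zf.writestr(VBA_PART, b"placeholder-vba-blob")
    return buf.getvalue()


if __name__ == "__main__":
    for app, vba in (("Microsoft Excel", True), ("EPPlus", True), ("EPPlus", False)):
        print(app, vba, inspect_workbook(build_sample(app, vba)))
```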
What was the motive behind these attacks?
From what researchers have observed so far, the malicious payloads steal private information and harvest login passwords from web browsers and email clients, among other things.