1. Forum
  2. tqwNet
  3. TQW_GENTECH

  • Cybercriminals are infiltrating our Microsoft Excel spreadsheets

    From TechnologyDaily@1337:1/100 to All on Fri Mar 25 12:45:04 2022
    Cybercriminals are infiltrating our Microsoft Excel spreadsheets now

    Date:
    Fri, 25 Mar 2022 12:27:44 +0000

    Description:
    Russian threat actor FIN7 is using Excel to distribute a data exfiltration RAT.

    FULL STORY ======================================================================

    Experts have uncovered a new cybercrime campaign abusing Excel spreadsheets
    to distribute nasty trojan malware .

    Cybersecurity researchers from Morphisec Labs have spotted the Russian threat actor, FIN7 (aka Carbanak), distributing a small, lightweight Remote Access Trojan (RAT), a variant of JSSLoader, through mailed XLL and XLM files.

    These files carry weaponized add-ins, which allow the attackers to exfiltrate data, establish persistence on the target endpoint , and have the RAT perform auto-updates, among other things. TechRadar needs you!

    We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time, and entrants from the UK and US will have the chance to enter a draw for a 100 Amazon gift card (or equivalent in USD). Thank you for taking part.

    Click here to start the survey in a new window << Flying under the radar

    This particular RAT has been around since December 2020. In this campaign, though, the attackers are trying to distribute an unsigned file, meaning
    Excel will show a clear warning that running the file comes with risks.

    The researchers explain that these XLL files, should the victim enable them, use malicious code found in the xlAutoOpen function, load themselves into memory, after which they download the stage-two malware from a remote server.

    After that, they use an API call to run the process.

    Even though it has the same execution flow, this JSSLoader variant is a bit different from the older ones, as it is capable of renaming all functions and variables, in a bid to stay below the radar of antivirus and other security solutions.

    It also splits the strings into sub-strings and chains them at runtime, to further avoid being detected by string-based YARA rules. Read more

    The tyranny of Microsoft Excel may finally be over


    Beware - that Windows 11 document is probably a scam


    Adapting defenses to stop attacks and breaches

    These new detection-avoiding methods, together with the way the payload is delivered, are enough for the RAT to remain out of sight of most antivirus
    and endpoint protection solutions, Morphisec added.

    FIN7 can use it for unabated lateral movement throughout the compromised network, for days, or even weeks, before being spotted, the company said.

    The threat actor is a relatively creative criminal group, which recently made headlines in January 2022 when it was found to be mailing malicious thumb drives to victims. Here's our rundown of the best firewalls right now

    Via: BleepingComputer



    ======================================================================
    Link to news story: https://www.techradar.com/news/cybercriminals-are-infiltrating-our-microsoft-e xcel-spreadsheets-now/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)