Author: Victor Sandin
TLP: WHITE
From 13 to 14 December, Infoblox observed a spam email campaign distributing a trojan known as Abracadabra[1] via an encrypted Microsoft Excel spreadsheet (XLS) containing malicious macros. In this campaign, the threat actor(s) used an email subject referencing an overdue invoice to lure users into opening the malicious attachment.
Abracadabra is a malware variant that was first discovered in April 2020. Threat actors deliver it as an encrypted Excel file. When a user opens the file, Excel silently tries its built-in default password, VelvetSweatshop,[2] so the workbook decrypts and opens without any password prompt. Because the payload is stored encrypted on disk and is only decrypted when Excel opens the file, signature-based antivirus scanners that do not attempt the default password see only ciphertext and miss the malicious macros.
Abracadabra's capabilities include maintaining persistence, hooking processes, and communicating with its command and control (C&C) server, through which the operators deliver additional malware to the victim.
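The following is an added example, not Infoblox's code or tooling, showing how a static triage step can recognise a VelvetSweatshop-style lure before Excel ever opens it: it walks the BIFF8 Workbook stream for the FILEPASS record that marks an encrypted legacy .xls, recognises the EncryptionInfo/EncryptedPackage streams of a password-protected OOXML workbook, and, for a file on disk, tries the default password with msoffcrypto-tool. The sample workbook bytes are constructed inline for illustration; the olefile and msoffcrypto-tool packages are assumed to be installed for the file-level functions and are not part of the standard library.

```python
"""Static triage of a password-protected Excel lure (added example, not Infoblox's code).

Two on-disk layouts are recognised without opening the file in Excel:
  * legacy BIFF8 .xls: the Workbook stream starts with a BOF record and, when the
    workbook is encrypted, a FILEPASS (0x002F) record follows in the globals substream;
  * an OOXML workbook saved with a password: an OLE2 container holding the streams
    "EncryptionInfo" and "EncryptedPackage" instead of a ZIP.
olefile and msoffcrypto-tool (assumed installed) are imported lazily for real files.
"""
import struct
import sys

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
BOF, EOF, FILEPASS = 0x0809, 0x000A, 0x002F
DEFAULT_PASSWORD = "VelvetSweatshop"  # tried silently by Excel when opening an encrypted file


def is_ole2(data: bytes) -> bool:
    """True if the bytes start with the OLE2 compound-file signature."""
    return data[:8] == OLE2_MAGIC


def iter_biff_records(stream: bytes):
    """Yield (record_id, payload) for each BIFF record. Record headers stay in the
    clear even in an encrypted workbook (only payloads are encrypted), so walking
    the headers is always safe."""
    offset = 0
    while offset + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, offset)
        yield rec_id, stream[offset + 4:offset + 4 + length]
        offset += 4 + length


def biff_encryption(stream: bytes):
    """Describe the FILEPASS record of the globals substream, or return None when
    the substream ends (EOF) without one, i.e. the workbook is not encrypted."""
    for rec_id, payload in iter_biff_records(stream):
        if rec_id == EOF:
            return None
        if rec_id != FILEPASS or len(payload) < 2:
            continue
        enc_type = struct.unpack_from("<H", payload, 0)[0]  # 0 = XOR, 1 = RC4
        if enc_type == 0:
            return "XOR obfuscation"
        if enc_type == 1 and len(payload) >= 6:
            v_major, v_minor = struct.unpack_from("<HH", payload, 2)  # EncryptionVersionInfo
            if (v_major, v_minor) == (1, 1):
                return "RC4 (standard)"
            if v_major in (2, 3, 4) and v_minor == 2:
                return "RC4 CryptoAPI"
            return "RC4 (version %d.%d)" % (v_major, v_minor)
        return "unknown (wEncryptionType=%d)" % enc_type
    return None


def build_sample_workbook(encryption=None) -> bytes:
    """Constructed test input: a minimal globals substream (BOF, optional FILEPASS,
    EOF). Not a real workbook; the bytes after the FILEPASS header are placeholders."""
    def rec(rec_id, payload):
        return struct.pack("<HH", rec_id, len(payload)) + payload
    out = rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 0))  # BIFF8, globals
    if encryption == "xor":
        out += rec(FILEPASS, struct.pack("<HHH", 0, 0x1234, 0x5678))       # type, key, verifier
    elif encryption == "rc4":
        out += rec(FILEPASS, struct.pack("<HHH", 1, 1, 1) + b"\x00" * 48)  # salt/verifier/hash
    elif encryption == "cryptoapi":
        out += rec(FILEPASS, struct.pack("<HHH", 1, 2, 2) + b"\x00" * 48)
    return out + rec(EOF, b"")


def triage_file(path: str) -> dict:
    """Classify a file on disk. Needs olefile (pip install olefile)."""
    import olefile  # assumed installed
    with open(path, "rb") as f:
        head = f.read(8)
    result = {"ole2": is_ole2(head), "encryption": None}
    if not result["ole2"]:
        return result  # a ZIP here is an ordinary .xlsx/.xlsm, whatever the extension says
    ole = olefile.OleFileIO(path)
    try:
        if ole.exists("EncryptionInfo") and ole.exists("EncryptedPackage"):
            result["encryption"] = "OOXML package (EncryptionInfo/EncryptedPackage)"
        elif ole.exists("Workbook"):
            result["encryption"] = biff_encryption(ole.openstream("Workbook").read())
    finally:
        ole.close()
    return result


def decrypt_with_default_password(path: str, out_path: str) -> bool:
    """Try Excel's default password with msoffcrypto-tool (assumed installed).
    True means the file would open in Excel with no prompt; scan the output."""
    import msoffcrypto  # pip install msoffcrypto-tool
    with open(path, "rb") as f, open(out_path, "wb") as out:
        try:
            office = msoffcrypto.OfficeFile(f)
            office.load_key(password=DEFAULT_PASSWORD)
            office.decrypt(out)
        except Exception:  # wrong password or unsupported scheme
            return False
    return True


if __name__ == "__main__":
    print(triage_file(sys.argv[1]))
    if len(sys.argv) > 2:
        print("default password worked:", decrypt_with_default_password(sys.argv[1], sys.argv[2]))
```

Run it as `python triage.py "Overdue Invoice.xls" decrypted.xls`: a FILEPASS hit or an EncryptionInfo stream on an unsolicited attachment is itself a useful signal, and a successful default-password decryption means the macros can be extracted and scanned from `decrypted.xls` with ordinary tooling.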
In this campaign, the threat actors used the sender address sales@webmail-expert[.]com. The subject line (Overdue Invoice) and the attached file name (Overdue Invoice.xls) reflect a lure theme that is common in malspam campaigns.
Infoblox’s full report on this campaign will be available soon on our Threat Intelligence Reports page.
Endnotes
1. https://www.helpnetsecurity.com/2020/09/25/malware-detections-q2-2020/
2. https://meindertjan.com/2012/08/22/microsoft-offic-and-its-velvetsweatshop-password-protected-files/