[Caution] Virus/XLS Xanpei Infecting Normal Excel Files – ASEC BLOG

The ASEC analysis details Excel-based malware campaigns that infect normal Excel files via VBA and can also act as downloaders or perform DNS spoofing. The malware drops components into the Excel startup path to auto-execute on Excel launch, enabling additional malicious actions such as downloading miners or modifying host DNS mappings.
#Virus/X97M.Downloader #Virus/MSExcel.Xanpei

Keypoints

  • The threat spreads when an infected Excel file is opened, leveraging embedded VBA code to drop a malicious file into the Excel startup folder.
  • The malware uses the Workbook_Open() event to auto-execute and propagate, enabling persistent infection across opened Excel documents.
  • Two main malware types are described: Downloader-type (Virus/X97M.Downloader) and DNS Spoofing-type (Virus/MSExcel.Xanpei).
  • Downloader-type malware creates a booster file (boosting.xls) and downloads miners from a C2 via specific URLs, with checks on the startup path to ensure persistence.
  • DNS Spoofing-type uses a differently named drop file (accerlate.xls) and alters the hosts file mappings to redirect traffic, subverting DNS resolution on the infected host.
  • Indicators of compromise include specific MD5 hashes, file names, and C2 endpoints, with detection by AhnLab cataloging several variants and file names.

MITRE Techniques

  • [T1059.005] Visual Basic – Uses malicious VBA in Excel and runs via the Workbook_Open() procedure that is automatically run. ‘The malicious code inside the file performs malicious activities by calling the “d2p” procedure … in the Workbook_Open() procedure that is automatically run when an event for viewing a workbook occurs.’
  • [T1547.001] Boot or Logon Autostart Execution: Startup Folder – Drops malicious components into the Excel startup path and auto-executes on Excel launch. ‘the file containing virus VBA code is dropped to Excel startup path. And when any Excel file is opened, the malicious file dropped in Excel startup path is automatically executed to infect with virus…’
  • [T1105] Ingress Tool Transfer – Downloader-type malware downloads and runs Miner-related executables from the C2 after infection. ‘Downloader-type malware downloads and runs Miner-related executables from the C2 after infection’ and C2 URLs are used.
  • [T1071.004] Application Layer Protocol: DNS – The DNS Spoofing variant modifies the hosts file to redirect traffic toward attacker infrastructure. ‘…DNS Spoofing by changing the host file’ and the DNS C2 endpoint is provided.

Indicators of Compromise

  • [File] boosting.xls – infection persistence file created in Excel startup path
  • [File] accerlate.xls – drop file for DNS Spoofing variant
  • [MD5] f8886b0d734c5ddcccd2a0d57d383637 – Downloader malware hash
  • [MD5] 97841a3bf7ffec57a2586552b05c0ec5 – Xanpei DNS Spoofing malware hash
  • [URL] hxxp://45.78.21.150/boost/boosting.exe – Downloader payload download
  • [URL] hxxp://45.78.21.150/boost/config.txt – Downloader payload configuration
  • [IP] 45.78.21.150 – C2 hosting for downloader and DNS-related activity
  • [File] boosting.xls – startup-persisted downloader component
  • [Host/file] %AppData%\Microsoft\Excel\XLSTART\boosting.xls – path used for infection persistence
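The two persistence points described in the keypoints (a workbook dropped into the Excel XLSTART folder and a rewritten hosts file) are both cheap to audit on an endpoint. The following Python script is an added example written for this page, not code from ASEC or AhnLab: it checks a startup-folder listing for the file names and MD5 hashes in the IoC list above and flags any other workbook that would auto-run, and it checks hosts-file lines for mappings to the C2 IP or to any non-loopback address. The default XLSTART and hosts paths are assumptions (the standard per-user locations), PERSONAL.XLSB is assumed to be a legitimate macro workbook, and the sample inputs are constructed so the script runs offline on any platform.

```python
import hashlib
import os
import re
from typing import Iterable, List, Tuple

# Indicators taken from the IoC list above (file names, MD5 hashes, C2 IP).
SUSPICIOUS_NAMES = {"boosting.xls", "accerlate.xls"}
KNOWN_MD5 = {
    "f8886b0d734c5ddcccd2a0d57d383637": "Virus/X97M.Downloader",
    "97841a3bf7ffec57a2586552b05c0ec5": "Virus/MSExcel.Xanpei",
}
C2_IP = "45.78.21.150"

# Assumption: PERSONAL.XLSB is the user's own macro workbook and expected in XLSTART.
ALLOWED_NAMES = {"personal.xlsb"}
WORKBOOK_EXTS = (".xls", ".xlsm", ".xlsb", ".xla", ".xlam")

# Assumption: default per-user Excel startup folder and default hosts path.
XLSTART_DIR = os.path.expandvars(r"%AppData%\Microsoft\Excel\XLSTART")
HOSTS_PATH = os.path.expandvars(r"%SystemRoot%\System32\drivers\etc\hosts")


def scan_xlstart(entries: Iterable[Tuple[str, bytes]]) -> List[str]:
    """Return findings for (file name, content) pairs from the XLSTART folder.

    Every workbook in XLSTART runs on each Excel launch, so an unexpected
    one is itself worth review; IoC name/hash matches are reported first.
    """
    findings = []
    for name, data in entries:
        lower = name.lower()
        if lower in ALLOWED_NAMES:
            continue
        digest = hashlib.md5(data).hexdigest()
        if digest in KNOWN_MD5:
            findings.append(f"{name}: MD5 match ({KNOWN_MD5[digest]})")
        elif lower in SUSPICIOUS_NAMES:
            findings.append(f"{name}: file name matches Xanpei/Downloader IoC")
        elif lower.endswith(WORKBOOK_EXTS):
            findings.append(f"{name}: unexpected workbook in XLSTART (review)")
    return findings


HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(\S+)")


def scan_hosts(text: str) -> List[str]:
    """Return hosts-file lines that map a name to the C2 IP or to any
    non-loopback address (the spoofing pattern described above)."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop trailing comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip, host = m.groups()
        if ip == C2_IP:
            findings.append(f"line {lineno}: {host} -> {ip} (known C2)")
        elif ip not in ("127.0.0.1", "::1"):
            findings.append(f"line {lineno}: {host} -> {ip} (non-loopback override)")
    return findings


def read_xlstart(path: str = XLSTART_DIR) -> List[Tuple[str, bytes]]:
    """Load the real startup folder contents when it exists (Windows hosts)."""
    if not os.path.isdir(path):
        return []
    out = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, "rb") as fh:
                out.append((name, fh.read()))
    return out


# Constructed sample input (placeholder bytes, not real malware) for offline runs.
SAMPLE_XLSTART = [
    ("PERSONAL.XLSB", b"user macro workbook placeholder"),
    ("boosting.xls", b"constructed placeholder bytes"),
    ("helper.xlsm", b"another constructed workbook"),
]
SAMPLE_HOSTS = """# constructed hosts file
127.0.0.1 localhost
::1 localhost
45.78.21.150 update.example.test
"""

if __name__ == "__main__":
    entries = read_xlstart() or SAMPLE_XLSTART
    for f in scan_xlstart(entries):
        print("XLSTART:", f)
    if os.path.isfile(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            hosts_text = fh.read()
    else:
        hosts_text = SAMPLE_HOSTS
    for f in scan_hosts(hosts_text):
        print("hosts:", f)
```

On a real endpoint the script reads the user's XLSTART folder and the system hosts file; elsewhere it falls back to the constructed samples. The generic "unexpected workbook" and "non-loopback override" findings are review items rather than verdicts, since both locations have legitimate uses, whereas a name or MD5 match against the IoC list and a mapping to the C2 IP correspond directly to the indicators above.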

Read more: https://asec.ahnlab.com/en/33630/