FortiGuard Labs tracked a campaign using malicious Excel VBA macros (OLE Compound File) to cryptojack Windows systems for Monero. The attackers deliver a .NET payload, load a miner via process hollowing, and maintain persistence through Task Scheduler while exfiltrating data to a C2 server. #Monero #XMRig #FortiGuard
Keypoints
- Three Spanish-targeted Excel documents (Pago_detalles.xls, makbuzu.xls, Pago.xls) contain malicious VBA macros that auto-execute when opened.
- The macro downloads a loader (templates.exe/GHJFRGUNL.exe) from a remote host and executes it via an auto-run routine.
- The downloaded .NET loader is obfuscated (ConfuserEx) and loads a compressed DLL resource that becomes the payload.
MITRE Techniques
- [T1059.005] Visual Basic – The VBA macro auto-executes via Workbook_Open()
- [T1105] Ingress Tool Transfer – It downloads a file from a remote URL and runs the downloaded payload. Quote: “It downloads a file from hxxps[:]//www[.]tractorandinas[.]com/wocontent/templates.exe, saves it into the system’s Templates folder, and renames it ‘GHJFRGUNL.exe’.”
- [T1027] Obfuscated/Compressed Files and Information – The downloaded file is obfuscated and protected by ConfuserEx; “thoroughly obfuscated, including the class name, variable names, obfuscated workflow, and more.”
- [T1053.005] Scheduled Task – The loader copies the EXE to AppData and adds it to the Task Scheduler to run at startup and every two minutes. Quote: “copies the Exe file into the “%AppData%” folder and adds it to the system Task Scheduler.”
- [T1112] Modify Registry – The malware saves the downloaded files in the system registry as part of its configuration and persistence flow. Quote: “The downloaded files from Onedriver are saved in the system registry.”
- [T1082] System Information Discovery – It gathers basic information from the victim’s device to send to C2. Quote: “gathers basic information from the victim’s device, encrypts the collected information, and sends it to its C2 server.”
- [T1055.012] Process Hollowing – The miner is injected into a suspended process via process hollowing with CreateProcess flags. Quote: “It uses a bunch of key Windows APIs, such as VirtualAlloc(), GetThreadContext(), WriteProcessMemory(), SetThreadContext(), and ResumeThread(), to deploy the “xmrig.exe” into the newly-created “AddInProcess.exe” process.”
- [T1041] Exfiltration Over C2 Channel – Collected data is encrypted and sent to the C2 server. Quote: “encrypts the collected information, and sends it to its C2 server.”
- [T1574.001] Hijack Execution Flow / DLL Injection – The loader loads and executes a .NET module that injects mining code into another process, using a memory-resident DLL chain. Quote: “the payload module proceeds to dynamically load ‘ClassLibrary1.dll’… and the function Plugin.Plugin.Run() is the entry point function for process hollowing.”
- [T1600] Known Non-Specific Defense Evasion – Anti-tamper checks crash the system if modifications are detected, hindering analysis. Quote: “It also includes functions to perform anti-tamper checks during the run time. These cause the system to crash if it detects any modifications made to the module.”
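The techniques above give a defender three host behaviours that stand out independently of the file hashes: an Office process launching a binary from a user-writable folder, the .NET AddInProcess.exe target being created by something living in AppData, and a scheduled task into AppData with a repeat interval of a couple of minutes. The Python below is an added example, not code from FortiGuard or the report; it runs those three rules over constructed Sysmon-style process-creation and task-creation records. The event field names, the sample paths and the five-minute interval threshold are assumptions chosen for illustration.

```python
"""Behavioural rules for the loader / hollowing / scheduled-task chain.

Added example. The events below are constructed to resemble Sysmon-style
process-creation and Task Scheduler records; the field names are an
assumption, not a real log schema.
"""
import re

# Office hosts whose child processes deserve scrutiny: the chain starts with
# Excel running the VBA macro and launching the downloaded loader.
OFFICE_IMAGES = {"excel.exe", "winword.exe", "powerpnt.exe"}

# The .NET framework binary the report names as the process-hollowing target.
HOLLOW_TARGETS = {"addinprocess.exe", "addinprocess32.exe"}

# Executables under a user's AppData tree (where the loader copies itself) are
# user-writable: a weak signal alone, a strong one with the relationships below.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# ISO 8601 duration as used in Task Scheduler XML, e.g. <Interval>PT2M</Interval>.
DURATION = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def duration_seconds(text):
    """Convert PT#H#M#S to seconds; None when the text is not such a duration."""
    m = DURATION.match(text or "")
    if not m or not any(m.groups()):
        return None
    h, mi, s = (int(x) if x else 0 for x in m.groups())
    return h * 3600 + mi * 60 + s


def detect(events, max_task_interval=300):
    """Return {rule_name: [event ids]} for the three behaviours."""
    hits = {
        "office_spawns_appdata_exe": [],
        "addinprocess_from_appdata": [],
        "short_interval_task_in_appdata": [],
    }
    for ev in events:
        if ev["type"] == "process_create":
            image, parent = ev["image"], ev["parent_image"]
            # Rule 1: Excel (or another Office host) starting a binary from AppData.
            if basename(parent) in OFFICE_IMAGES and USER_WRITABLE.search(image):
                hits["office_spawns_appdata_exe"].append(ev["id"])
            # Rule 2: AddInProcess.exe created by something in AppData, the
            # shape of the loader starting its hollowing target.
            if basename(image) in HOLLOW_TARGETS and USER_WRITABLE.search(parent):
                hits["addinprocess_from_appdata"].append(ev["id"])
        elif ev["type"] == "task_create":
            # Rule 3: a task whose action lives in AppData and re-runs every few
            # minutes (the report describes a two-minute cadence).
            secs = duration_seconds(ev.get("repeat_interval"))
            if USER_WRITABLE.search(ev["action"]) and secs is not None and secs <= max_task_interval:
                hits["short_interval_task_in_appdata"].append(ev["id"])
    return hits


# Constructed sample events (paths and task name are illustrative).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create",
     "image": r"C:\Users\victim\AppData\Roaming\Microsoft\Templates\GHJFRGUNL.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"id": 2, "type": "process_create",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess.exe",
     "parent_image": r"C:\Users\victim\AppData\Roaming\GHJFRGUNL.exe"},
    {"id": 3, "type": "task_create", "task_name": "Updater",
     "action": r"C:\Users\victim\AppData\Roaming\GHJFRGUNL.exe",
     "repeat_interval": "PT2M"},
    {"id": 4, "type": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, ids in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: {ids}")
```

Rule 1 alone will also fire on legitimate Office add-ins and updaters that live in AppData, so it is best used to correlate with the other two: a task created minutes after an Office-spawned binary, pointing at the same executable, is the pattern the report describes.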
Indicators of Compromise
- [URLs] – hxxps://www.tractorandinas.com/wocontent/templates.exe; hxxps://onedrive.live.com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21132&authkey=AJUNOnV3DDTyOJw; hxxps://onedrive.live.com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21131&authkey=ANCBF29YwxfXxd4
- [C2 Server] – dnuocc.com:9077, dnuocc.com:9078
- [SHA-256] – Pago.xls: EF02701E2196F54B5858BCB67A41D34FC9A5F248EFDAE181C701C200950D638D; makbuzu.xls: 68346D23F359A27744B49D6EA9BD229F2929D1CEE057670D2BA73545C0BA427D; Pago_detalles.xls: 417AE2D5F5111DDF80B63C443E14B70EC2052B3E64A35940C9F81F262F7E526E; templates.exe / GHJFRGUNL.exe: 8A2194A75F972890729328A15A01B34E327A0145A6121098315AF9ECBF86ED67
- [Sample Type] – The sample set includes Pago.xls, makbuzu.xls, Pago_detalles.xls, templates.exe, GHJFRGUNL.exe
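The indicator list above mixes three kinds of value that should not all be matched the same way: the full download URLs, the C2 host and ports, and file hashes. In particular onedrive.live.com is a shared service, so only the complete URL (cid/resid/authkey) is an indicator there, while the tractorandinas.com host can be matched on its own. The following Python is an added example, not code from the report; it refangs the indicators as the report prints them and runs them over constructed proxy, DNS and connection log lines and a constructed file-hash inventory. The log line format and the sample paths are assumptions.

```python
"""Match the report's network and file indicators against constructed logs.

Added example. SAMPLE_LOG and SAMPLE_FILES are constructed for illustration;
the indicator values themselves are copied from the report above.
"""
import re
from urllib.parse import urlparse

# Indicators exactly as the report lists them (defanged).
DEFANGED_URLS = [
    "hxxps://www.tractorandinas.com/wocontent/templates.exe",
    "hxxps://onedrive.live.com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21132&authkey=AJUNOnV3DDTyOJw",
    "hxxps://onedrive.live.com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21131&authkey=ANCBF29YwxfXxd4",
]
C2_ENDPOINTS = {"dnuocc.com:9077", "dnuocc.com:9078"}
REPORT_SHA256 = {
    "EF02701E2196F54B5858BCB67A41D34FC9A5F248EFDAE181C701C200950D638D": "Pago.xls",
    "68346D23F359A27744B49D6EA9BD229F2929D1CEE057670D2BA73545C0BA427D": "makbuzu.xls",
    "417AE2D5F5111DDF80B63C443E14B70EC2052B3E64A35940C9F81F262F7E526E": "Pago_detalles.xls",
    "8A2194A75F972890729328A15A01B34E327A0145A6121098315AF9ECBF86ED67": "templates.exe / GHJFRGUNL.exe",
}

# Shared services: a domain match here would flag every user of OneDrive, so
# these hosts are only matched on the full URL.
SHARED_HOSTS = {"onedrive.live.com"}


def refang(text):
    """Undo the hxxp / [:] / [.] defanging used in threat reports."""
    return (text.replace("hxxps", "https").replace("hxxp", "http")
                .replace("[:]", ":").replace("[.]", "."))


MAL_URLS = {refang(u) for u in DEFANGED_URLS}
MAL_HOSTS = {urlparse(u).hostname for u in MAL_URLS} - SHARED_HOSTS
C2_HOSTS = {e.split(":")[0] for e in C2_ENDPOINTS}
KNOWN_SHA256 = {h.lower(): name for h, name in REPORT_SHA256.items()}

URL_RE = re.compile(r"https?://[^\s\"']+")
ENDPOINT_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,}):(\d{1,5})\b", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.IGNORECASE)


def scan_log_lines(lines):
    """Return (line_no, kind, indicator) tuples for every indicator seen."""
    hits = []
    for n, line in enumerate(lines, 1):
        line_hits = []
        for url in URL_RE.findall(line):
            if url in MAL_URLS:
                line_hits.append((n, "url", url))
                continue
            host = urlparse(url).hostname
            if host in MAL_HOSTS:
                line_hits.append((n, "host", host))
        for host, port in ENDPOINT_RE.findall(line):
            ep = f"{host.lower()}:{port}"
            if ep in C2_ENDPOINTS:
                line_hits.append((n, "c2", ep))
        # A bare C2 domain (e.g. a DNS query) is weaker than host:port, so only
        # report it when the line did not already match an endpoint.
        if not any(kind == "c2" for _, kind, _ in line_hits):
            for dom in dict.fromkeys(d.lower() for d in DOMAIN_RE.findall(line)):
                if dom in C2_HOSTS:
                    line_hits.append((n, "c2_domain", dom))
        hits.extend(line_hits)
    return hits


def scan_hashes(files):
    """files: {path: sha256 hex}; returns (path, report name) for known hashes."""
    return [(p, KNOWN_SHA256[h.lower()]) for p, h in files.items() if h.lower() in KNOWN_SHA256]


# Constructed sample data.
SAMPLE_LOG = [
    "2024-05-01T09:12:01Z proxy src=10.0.0.5 GET https://www.tractorandinas.com/wocontent/templates.exe status=200",
    "2024-05-01T09:12:04Z proxy src=10.0.0.5 GET https://onedrive.live.com/download?cid=F32323276F5346E9&resid=F32323276F5346E9%21132&authkey=AJUNOnV3DDTyOJw status=200",
    "2024-05-01T09:12:09Z proxy src=10.0.0.7 GET https://onedrive.live.com/download?cid=0000AAAA&resid=0000AAAA%211 status=200",
    "2024-05-01T09:13:30Z dns src=10.0.0.5 query=dnuocc.com type=A",
    "2024-05-01T09:13:31Z conn src=10.0.0.5 dst=dnuocc.com:9077 proto=tcp",
    "2024-05-01T09:14:00Z conn src=10.0.0.9 dst=www.example.com:443 proto=tcp",
]
SAMPLE_FILES = {
    r"C:\Users\victim\Downloads\factura.xls": "EF02701E2196F54B5858BCB67A41D34FC9A5F248EFDAE181C701C200950D638D",
    r"C:\Windows\notepad.exe": "00" * 32,
}

if __name__ == "__main__":
    for hit in scan_log_lines(SAMPLE_LOG):
        print("log", hit)
    for hit in scan_hashes(SAMPLE_FILES):
        print("file", hit)
```

Line 3 of the sample log, a different OneDrive share, produces no hit, which is the point of the SHARED_HOSTS allowlist; the renamed Excel file is still caught because the hash, not the name, is the indicator.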