A malicious spreadsheet has been discovered that builds a PowerShell*command from individual pixels in a downloaded image of Mario from Super Mario Bros. When executed, this command will download and install*malware such as the GandCrab Ransomware*and other malware.
This attack works when recipients receive an email targeting people from Italy that pretends to be payment notices.
Example Spam Email
These emails contain an attachment with names similar to "F.DOC.2019 A 259 SPA.xls" that when opened tell the user to Enable Content in order to properly view the document.
Malicious spreadsheet attachment
Once the content is enabled, its macros will be triggered that check if the computer is configured to use the Italy region. If not, it will exit the spreadsheet and nothing else happens.
Macro checking if computer is in Italy
If they are located in Italy, though, the following image of Mario is downloaded. The image below has been slightly modified so that it cannot be used for malicious purposes.
Download image of Mario
According to researchers from Bromium who analyzed this attack, after the image is downloaded the script will extract various pixels from the image to reconstruct a PowerShell command, which will then be executed.
"The above code is finding the next level of code from the blue and green channel from pixels in a small region of the image," stated Bromium's research. "The lower bits of each pixel are used as adjustments to these and yield minimal differences to the perceived image. Running this*presents yet more heavily obfuscated PowerShell"
This PowerShell command will download malware from a remote site, which then downloads further malware such as the GandCrab*Ransomware.
GandCrab Ransom Note
Steganographic*attacks are not new and are being used more often to avoid detection by security programs. Just recently a*malvertising campaign was discovered by Malwarebytes that was utilizing steganography to install a payload hidden in advertising images.
As always, it is is very important to be careful when it comes to attachments as they are a heavily used method to distribute malware. To be safe, always scan attachments you receive before you open them and be doubly suspicious*if they contain macros that need to be enabled to properly view the document.