Password “8861” Used in Targeted Attacks

Symantec has continuously observed targeted attacks in the wild since around mid-July that utilize password-protection of malicious Excel spreadsheet files. Coincidentally, all of the samples that we have analyzed so far use the 4-digit password “8861”, which is provided within the body of the email containing the Excel file attachment.  So why “8861”, you may ask? I couldn’t figure out if it has any meaning, but if someone out there is aware of the significance of this number, please send us a note. The name of the file, the content of the spreadsheet, and the malware that is dropped onto the computer all vary from sample to sample.

This is not the first time that passwords have been used for targeted attacks. In fact, back in December 2011, I blogged about document files using the same tactic. However, I cannot recall any attacks that have continuously used the same password over and over to target a variety of organizations around the globe.

The purpose of the attacker using the password is most likely to enable malware to evade detection, whether on the gateway or on the desktop, since the password feature encrypts the files. It may also make security researchers’ work or automatic analysis difficult since the password is required to decrypt the file before investigation can be performed. The usage of the password might also make the recipients feel safe about the file as passwords are generally used for security measures. Let’s think about it for a moment. The password for the attached Excel spreadsheet is given in the email that contains the actual attachment. Typically, passwords are communicated in a different form or at least in a separate email—otherwise the password protection of the file is meaningless.

The attacks themselves are no different from typical targeted attacks except for the use of the password. Although scanning the typical password-protected file is not possible, security products can still prevent infection by detecting the dropped or downloaded files just like with other types of targeted attacks. With the implementation of multi-layered defense, one should not be in more danger than someone being attacked by typical targeted attacks.

It is now more common to see password-protected malware attached to emails, so users need to watch out not only for Excel files, but any type of files with passwords that are attached to unsolicited emails. The Excel spreadsheet files discussed in this blog are detected as Trojan.Mdropper and the dropped files include: Trojan Horse, Backdoor.Darkmoon, and Backdoor.Trojan.