mood posted a topic in Security & Privacy News

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

"The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature-based detections and analyst-written YARA rules," researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), are a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause "potentially dangerous code" to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.

In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.

"Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time," the researchers noted. "Cost of maintaining 30-year-old macros should be weighed against the security risks using such outdated technology brings."

Source: Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware
mood posted a topic in Security & Privacy News

Microsoft: We're cracking down on malware that uses Excel macros

A new antivirus and Office 365 integration from Microsoft allows for scanning malicious macro scripts written in XLM at runtime.

Macro malware has been a popular choice for hackers since the 1990s, and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. Just last month, Ukraine accused Russian government spies of uploading documents with malicious macros to a Ukrainian government document-sharing site. And amid the first wave of the COVID-19 pandemic, Microsoft warned of emails containing Excel files with malicious macros.

Microsoft has been using an integration between its Antimalware Scan Interface (AMSI) and Office 365 to knock out macro malware for years, but its successful efforts to take out macro scripts written in Visual Basic for Applications (VBA) ended up pushing attackers to an older macro language called XLM, which came with Excel 4.0 in 1992.

Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.

AMSI allows applications to integrate with any antivirus on a Windows machine to enable the antivirus to detect and block a range of malicious scripts in Office documents. Microsoft notes its Defender anti-malware is using this integration to detect and block XLM-based malware and is encouraging other anti-malware providers to adopt it, too.

Although XLM was superseded by VBA in 1993, XLM is still used by some customers and so it remains supported in Excel.

"While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands," explain Microsoft's security teams.

The arrival of AMSI's VBA runtime scan in 2018 "effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny," says Microsoft. "Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM," it continues.

If the antivirus detects a malicious XLM macro, the macro won't execute and Excel is terminated, thus blocking the attack.

Runtime inspection of XLM macros is now available in Microsoft Excel and is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.

Source: Microsoft: We're cracking down on malware that uses Excel macros