Cybercriminals Broadly Abusing Excel 4.0 Macro to Distribute Malware

Menace actors are more and more adopting Excel 4.0 documents as an preliminary stage vector to distribute malware akin to ZLoader and Quakbot, in response to new analysis.

The findings come from an evaluation of 160,000 Excel 4.0 paperwork between November 2020 and March 2021, out of which greater than 90% have been labeled as malicious or suspicious.

password auditor

“The most important threat for the focused corporations and people is the truth that safety options nonetheless have plenty of issues with detecting malicious Excel 4.0 paperwork, making most of those slip by typical signature based mostly detections and analyst written YARA guidelines,” researchers from ReversingLabs stated in a report published today.

Excel 4.0 macros (XLM), the precursor to Visible Primary for Purposes (VBA), is a legacy function integrated in Microsoft Excel for backward compatibility causes. Microsoft warns in its support document that enabling all macros may cause “probably harmful code” to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a infamous banking trojan able to stealing banking credentials and different monetary data, whereas additionally gaining worm-like propagation options. Usually unfold by way of weaponized Workplace paperwork, variants of QakBot have been capable of ship different malware payloads, log person keystrokes, and even create a backdoor to compromised machines.

password auditor

In a doc analyzed by ReversingLabs, the malware not solely tricked customers into enabling macros with convincing lures, but in addition got here with embedded information containing XLM macros that obtain and execute a malicious second-stage payload retrieved from a distant server. One other pattern included a Base64-encoded payload in one of many sheets, which then tried to obtain extra malware from a sketchy URL.

“Although backward compatibility is essential, some issues ought to have a life expectancy and, from a safety perspective, it might most likely be greatest in the event that they have been deprecated in some unspecified time in the future in time,” the researchers famous. “Value of sustaining 30 yr outdated macros must be weighed in opposition to the safety dangers utilizing such outdated expertise brings.”

Source link