Excel 4.0 malicious macro exploits: What you need to know
Excel 4.0 XLM macros have existed for more than three decades, but they have only recently gained popularity among attackers. Although Microsoft has long recommended VBA macros instead of XLM, many organizations still use the latter to perform critical functions like automating repetitive tasks and loading business data into Excel. Now they have to take Microsoft’s advice seriously as adversaries are finding new ways to weaponize Excel 4.0 macros for delivering additional, more sophisticated malware.
See Infosec IQ in action
What are Excel 4.0 XLM macros?
When Microsoft programmers released Excel 4.0 for Windows 3.0 and 3.1 in 1992, they seeded XLM macros in this Excel version. Through macro worksheets, XML macros allow users to automate functions in Excel 4.0. They are also easy to create: you just need to click “Sheet1” at the bottom of your Excel screen, select “Insert,” choose “MS Excel 4.0 Macro” from the objects list and click “OK.” Taking these steps opens up a special worksheet where you can write your XLM macros.
XLM macros are quite powerful. Although some are as simple as =ALERT(“Hello World”), which displays a dialog box with the Hello World message, others can be configured to allow access to WinAPI, file system and more. Variables in Excel 4.0 macros live through the concept of values in cells.
Old macros, new techniques
At the VB2020 Conference, VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh gave a presentation on how adversaries are leveraging Excel 4.0 macros (also known as XL4 macros) to make malicious spreadsheets more evasive. They also discussed an attack technique where the author sends a malicious XLS file by email that tricks the victim into enabling macros. Once enabled, the attacker can gain access to the network, a perfect opportunity to inject additional malware.
Various commodity malware families, including Databot, Gozi and Trickbot, have used this technique to gain a strong position in a target network. As such, this form of malware leaves the door open for other possibilities.
VMware researchers clustered a plethora of malware samples, analyzing how the technique has evolved over the past years. A total of 15 attack waves were discovered, and researchers compared samples across different waves to learn how threat actors had used advanced obfuscation and evasion techniques. What's fascinating is that the samples' core functionality remained the same; attackers primarily used them to execute a DLL or EXE file.
Timeline of XL4 macro attacks
Here’s a timeline of how the Excel 4.0 macro attacks evolved over the past year.
Mid-February 2020
The first wave of the macro attacks included a malicious Excel 4.0 macro sheet with a suspicious formula sent as an attachment. Upon opening them, users were asked to click the enable editing button, followed by the enable content button, which enabled the macro. The files were usually distributed through spam leveraging social engineering techniques that revolve around current themes like the COVID-19 outbreak to grab people’s attention.
One of the researchers said this attack cluster's most significant feature was all the environment checks that took place. Written in the first three cells of the sheet (cell A1, cell A2 and cell A3), the checks help the malware evade the less advanced automated sandboxes. For instance, the first check requires a user to interact with a message box saying there’s a problem with some content and asking whether they want to try and recover as much as possible. After the environment checks, the malware advances to download a more persistent payload through a web query. Lastly, it checks if the payload download was successful.
End of February 2020
The second attack wave featured some trivial obfuscation strategies that stretched the macro’s sandbox evasion capabilities. The samples triggered more environment checks, evaluating dimensions of workspace along with display size. Plus, the macro sheet was set to “very hidden,” so it wasn’t readily accessible through the Excel UI (as it wasn’t visible in the user’s list of sheets). The user can’t unhide it unless they use a script or intervene manually in a hex editor.
Mid-March 2020
Mid-March saw attackers obfuscating macros with a series of cells that initiate each command from the CHAR (integer) function. The technique allows them to specify strings using the ASCII code. All letters of the payload were written utilizing their corresponding CHAR function, after which the string was concatenated. The resulting macros could access win32 APIs, execute shell commands and perform various other actions desired by threat actors.
Researchers also detected more WinAPI activity, revealing macros began to check certain security settings in the Excel registry. They also discovered a few samples scheduled to be executed on a specific day in a month. "A specific day" being the keyword. Macros that ran on an incorrect day would lead to strings of unintelligible characters.
Mid-May 2020
An improved evasion technique was introduced in mid-May that involved identifying if the malware is being analyzed or debugged. Malware authors achieved this by checking whether the macro is being run in single-step mode, a technique used to debug and step through XL4 macro code. Successful detection of the single-step mode prompted the malware to exit, not giving a potential security researcher any time to observe the results of actions taking place in the macro.
Another interesting thing about this sample was it leveraged the MID function instead of the common CHAR function. The MID function helps extract a substring from a string by delivering an index number for a starting point (along with the length of the text to extract). The aim, according to one of the researchers, was to break obfuscation-related signatures that anticipate CHAR. However, the MID function was detected in malicious VBA macros until that point, not in XLM macros.
June, July 2020
During the summer, malware authors started using even better methods. For instance, they started relying on visual basic script (VBS) for the payload. Further, they checked whether a system was using a 64-bit or 32-bit architecture when downloading the payload. For 64-bit systems, they leveraged two VBS scripts, one of which downloaded the DLL, while the other executed it.
Researchers also spotted another interesting sample that leveraged “powershell.exe” to download and run PowerShell scripts, but as a second-stage payload. It used the same “very hidden” macro sheet but didn’t have any obfuscation or evasion capabilities. The adversaries did this deliberately, knowing that adding too much evasion or obfuscation sometimes makes it easier for detection technologies to detect the malware.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Excel 4.0 macros likely to stick around
Although there was a decline in malware activity by the end of the summer, researchers suggest caution should be taken when using XL4 macros in the enterprise. This comes from the improved obfuscation techniques malware authors have been using to compromise a network. What started as writing code in white font on a white background quickly evolved to leveraging the DIM and CHAR functions for Excel 4.0 attacks. Fortunately, Microsoft has added new tools to anti-malware solutions like Microsoft Defender Antivirus to check what a macro does. Plus, detection tools like Perception Point End to End detection have been updated to identify the new threats.
Sources
VB2020 presentation: Evolution of Excel 4.0 macro weaponization, Palada
Attacker uses tricky technique of Excel 4.0 in Malspam campaign, Quick Heal blog
Excel 4.0 macros — now with twice the bits!, Cybereason
Microsoft: We’re cracking down on Excel macro malware, ZDNet
In this Series
- Excel 4.0 malicious macro exploits: What you need to know
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
- Top 5 ways ransomware is delivered and deployed
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness