Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

silversurfer

Aug 17, 2014
Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

"The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report published today.

rndmblk

Nov 18, 2020
Very good point from the article:

"Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time," the researchers noted.

30 years is a long time to support an old macro technology!

Andy Ful

Dec 23, 2014
In the home environment, one can simply block macros (without alert) in MS Office - this will block both Excel 4.0 and VBA macros.
The Excel 4.0 macros have limited capabilities (as compared to VBA), so they are used to download and (or) run something (malware, LOLBins, scripts, etc.). Such activities can also be prevented by properly blocking child processes and WMI in MS Office.

rndmblk

Nov 18, 2020
Could Defender's Attack Surface Reduction (ASR) rules also protect against these threats?
Yes, there are 7 Office ASR rules, most of which would reduce exposure:
  • Block all Office applications from creating child processes
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication applications from creating child processes
  • Block executable content from email client and webmail
Defence in depth is always preferable, so I would also consider where you can disable macros and also use real-time antivirus/antimalware.

Andy Ful

Dec 23, 2014
Yes, there are 7 Office ASR rules, most of which would reduce exposure:
  • Block all Office applications from creating child processes
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication applications from creating child processes
  • Block executable content from email client and webmail
Defence in depth is always preferable, so I would also consider where you can disable macros and also use real-time antivirus/antimalware.
The above ASR rules were related to VBA macros. Only the first rule and the rule "Block process creations originating from PSExec and WMI commands" could mitigate Excel 4.0 macros. Anyway, these two rules currently block all Excel 4.0 malware in the wild.
Recently, Microsoft extended the AMSI support for Excel 4.0 macros, so it is possible that some other ASR rules will apply for Excel 4.0 macros in the near future, too.
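The two mitigation layers discussed in this thread (disabling macros in Office, then blocking child processes and WMI/PsExec-originated process creation with Defender ASR) as one added PowerShell script. This is an example written for this page, not code from the thread's participants or from Microsoft; it assumes an elevated session on Windows 10/11 with Microsoft Defender Antivirus active, Office registry version key 16.0 (Office 2016/2019/Microsoft 365 Apps), and per-user policy under HKCU. The ASR rule GUIDs are Microsoft's published identifiers for the two rules named above.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original thread): harden a host against Excel 4.0 (XLM)
# macro droppers using the two layers discussed above.
#   Layer 1 - Office macro policy: "disable all macros without notification". The Excel
#             macro security setting governs Excel 4.0 macro sheets as well as VBA.
#   Layer 2 - Defender ASR: block Office child processes, and block process creation
#             originating from PsExec and WMI (the download-and-run paths XLM macros use).
# Assumption: Office version key 16.0; adjust $OfficeVersion for other builds.

$OfficeVersion = '16.0'
$ExcelSecurity = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Excel\Security"

# ---------- Layer 1: Office macro policy ----------
if (-not (Test-Path $ExcelSecurity)) {
    New-Item -Path $ExcelSecurity -Force | Out-Null
}
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all without notification
Set-ItemProperty -Path $ExcelSecurity -Name 'VBAWarnings' -Type DWord -Value 4
# Defence in depth: also block macros in files carrying the Mark-of-the-Web (downloaded/e-mailed)
Set-ItemProperty -Path $ExcelSecurity -Name 'blockcontentexecutionfrominternet' -Type DWord -Value 1

# ---------- Layer 2: Defender ASR rules ----------
$AsrRules = @{
    'Block all Office applications from creating child processes'      = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block process creations originating from PSExec and WMI commands' = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}
foreach ($name in $AsrRules.Keys) {
    # Use -AttackSurfaceReductionRules_Actions AuditMode first if you need to measure
    # the impact on legitimate add-ins or management tooling before enforcing.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $AsrRules[$name] `
                     -AttackSurfaceReductionRules_Actions Enabled
    Write-Host "Enabled ASR rule: $name"
}

# ---------- Verification ----------
Get-ItemProperty -Path $ExcelSecurity |
    Select-Object VBAWarnings, blockcontentexecutionfrominternet

$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    # Action codes as returned by Get-MpPreference: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
    '{0}  action={1}' -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}

# ASR hits are logged in the Defender operational log: event ID 1121 = blocked, 1122 = audited.
# Check here after opening a known-bad sample in a lab VM to confirm the rules fire.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run the script from an elevated PowerShell prompt; the registry settings take effect the next time Excel starts, while the ASR rules apply immediately. In a managed environment the same values would normally be pushed through Group Policy or Intune rather than set per host, but the resulting registry keys and Defender preferences are identical.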