Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,057
Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

"The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules," researchers from ReversingLabs said in a report published today.

rndmblk

Level 3
Nov 18, 2020
94
Very good point from the article:

"Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time," the researchers noted.

30 years is a long time to support an old macro technology!
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
In the home environment, one can simply block macros (without alert) in MS Office - this will block both Excel 4.0 and VBA macros.
The Excel 4.0 macros have limited capabilities (as compared to VBA), so they are used to download and/or run something (malware, LOLBins, scripts, etc.). Such activities can also be prevented by properly blocking child processes and WMI in MS Office.
 
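The "block macros (without alert)" setting from the post above, expressed as a per-user registry change. This is an added example, not code from the thread or from Hard_Configurator; it assumes Office 2016/2019/365 (registry version key 16.0), and the function names are illustrative. The VBAWarnings value 4 corresponds to "Disable all macros without notification" in the Trust Center, which in Excel governs Excel 4.0 (XLM) macro sheets as well as VBA.

```powershell
# Added example (not from the thread): lock Office macro execution in the
# per-user registry hive. Assumes Office 16.0 (2016/2019/365); adjust for others.
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all, no notification.
$OfficeVersion = '16.0'                       # assumption: Office 2016/2019/365
$Apps          = 'Excel', 'Word', 'PowerPoint'

function Set-OfficeMacroLockdown {
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # 4 = "Disable all macros without notification"; in Excel this covers
        # both VBA and Excel 4.0 (XLM) macro sheets.
        Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
    }
}

function Get-OfficeMacroSetting {
    # Read the value back so the lockdown can be verified (or audited later).
    param([string]$Version = $OfficeVersion, [string[]]$Applications = $Apps)
    foreach ($app in $Applications) {
        $key   = "HKCU:\Software\Microsoft\Office\$Version\$app\Security"
        $value = (Get-ItemProperty -Path $key -Name 'VBAWarnings' `
                    -ErrorAction SilentlyContinue).VBAWarnings
        [pscustomobject]@{
            Application = $app
            VBAWarnings = $value
            Locked      = ($value -eq 4)
        }
    }
}

Set-OfficeMacroLockdown
Get-OfficeMacroSetting | Format-Table -AutoSize
```

The value under HKCU\Software\Microsoft is the same one the Trust Center UI writes, so a user can change it back; in a managed environment the equivalent value under HKCU\Software\Policies\Microsoft\Office\16.0\<app>\Security (delivered by Group Policy) takes precedence and greys out the UI option.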

rndmblk

Level 3
Nov 18, 2020
94
Could Defender's Attack Surface Reduction (ASR) rules also protect against these threats?
Yes, there are 7 Office ASR rules, most of which would reduce exposure:
  • Block all Office applications from creating child processes
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication applications from creating child processes
  • Block executable content from email client and webmail
Defence in depth is always preferable, so I would also consider where you can disable macros and also use real-time antivirus/antimalware.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,042
Yes, there are 7 Office ASR rules, most of which would reduce exposure:
  • Block all Office applications from creating child processes
  • Block execution of potentially obfuscated scripts
  • Block Win32 API calls from Office macro
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block Office communication applications from creating child processes
  • Block executable content from email client and webmail
Defence in depth is always preferable, so I would also consider where you can disable macros and also use real-time antivirus/antimalware.
The above ASR rules were related to VBA macros. Only the first rule and the rule "Block process creations originating from PSExec and WMI commands" could mitigate Excel 4.0 macros. Anyway, these two rules currently block all Excel 4.0 malware in the wild.
Recently, Microsoft extended the AMSI support for Excel 4.0 macros, so it is possible that some other ASR rules will apply for Excel 4.0 macros in the near future, too.
 
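The two ASR rules named in the post above, configured, verified and monitored from PowerShell. This is an added example, not code from the thread or from Microsoft; it assumes Microsoft Defender Antivirus is the active AV, an elevated shell, and the rule GUIDs as published in Microsoft's ASR rule reference. The function names are illustrative. Audit mode is used first so that legitimate Office child processes show up in the event log before the rules are switched to block.

```powershell
# Added example (not from the thread): enable the two ASR rules that mitigate
# Excel 4.0 macro payloads (Office child processes, PsExec/WMI process creation),
# then confirm the state and pull the resulting Defender events.
# Assumes Defender AV is active and the shell is elevated.
$AsrRules = @{
    # "Block all Office applications from creating child processes"
    OfficeChildProcesses = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    # "Block process creations originating from PSExec and WMI commands"
    PsExecAndWmi         = 'D1E49AAC-8F56-4280-B9BA-993A6D77406C'
}

function Set-XlmAsrRules {
    # AuditMode only logs what would be blocked; Enabled enforces the block.
    param([ValidateSet('AuditMode', 'Enabled', 'Disabled')][string]$Mode = 'AuditMode')
    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $Mode
    }
}

function Get-XlmAsrRuleState {
    # Defender stores rule IDs and actions as two parallel arrays; join them.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    $names   = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    foreach ($rule in $AsrRules.GetEnumerator()) {
        $state = 'NotConfigured'
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $rule.Value) { $state = $names[[int]$actions[$i]]; break }
        }
        [pscustomobject]@{ Rule = $rule.Key; Id = $rule.Value; State = $state }
    }
}

function Get-XlmAsrEvents {
    # 1121 = ASR rule blocked an action, 1122 = ASR rule hit in audit mode.
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Defender/Operational'
        Id      = 1121, 1122
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-XlmAsrRules -Mode AuditMode      # run this way for a few days first
Get-XlmAsrRuleState | Format-Table -AutoSize
Get-XlmAsrEvents                     # an Excel 4.0 macro spawning cmd/powershell shows EXCEL.EXE as parent
# Set-XlmAsrRules -Mode Enabled      # switch to block once the audit log is clean
```

If the audit events show business add-ins or installers legitimately spawning processes from Office, add them with Add-MpPreference -AttackSurfaceReductionOnlyExclusions before switching the rules to Enabled, rather than leaving the rules in audit mode.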