True North Networks Blog
Excel Macros Bypass Your Filters and Slip in Malware Payloads
Researchers at Lastline warn that attackers are increasingly utilizing Excel 4[.]0 macros to deliver malware while avoiding detection by security products. Excel 4[.]0 (XL4) macros were introduced in 1992, one year before Excel started using the VBA macros that are still widely used today. However, modern versions of Microsoft Office still support XL4 macros, and attackers have realized that many security vendors haven’t placed enough focus on these macros. The researchers have observed thousands of malicious email attachments using this method since the beginning of February.
“We found that roughly every 1-2 weeks, a new wave of samples emerged, each more evasive and sophisticated than the last,” they write. “Each of these waves appeared to build on its predecessor, extending its functionality by introducing new techniques on top of what already was being used. The size of these clusters suggests that these samples are being generated with some sort of toolkit or document generator, as these samples resemble one another too closely to not be related.”
The researchers explain that both defenders and attackers are still grappling with the possibilities presented by XL4 macros.
“This technique will likely remain relevant, and join its successor (i.e., VBA macros) as a widely used technique to weaponize document files,” the researchers write. “This technique does not rely on a bug; it is not an exploit, but it simply abuses legitimate Excel functionality. These macros can be set to auto-execute, and run as soon as a workbook is opened if macros are enabled. As this is somewhat uncharted territory, malware authors and researchers are still exploring the depths of possibilities and capabilities of weaponizing this attack technique.”
Lastline’s researchers conclude that this problem isn’t going away any time soon, and security vendors are still playing catch-up.
“Excel 4[.]0 macros continue to prove their value to attackers, providing a reliable method to get their code to run on a target,” they write. “In many environments, Excel worksheets with macros are used too heavily for legitimate business purposes to disable or blacklist; thus analysts and security vendors will have to get used to consistently updating tooling and signatures as attacks continue to evolve. Excel 4[.]0 macros provide a near endless list of possibilities for malware authors and are evolving, becoming more sophisticated each day.”
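The researchers' point that XL4 macros auto-execute on open, and that vendors must keep tooling current, translates into a simple static check a defender can run on attachments before they reach a user. The following Python scanner is an added example written for this page, not code from Lastline or from True North Networks. It assumes the attachment is in the macro-enabled OOXML format (.xlsm): it opens the file as a zip and looks for the three artefacts that mark an Excel 4.0 macro sheet, namely a part with the macrosheet content type (or a part under xl/macrosheets/), an `_xlnm.Auto_Open` defined name in workbook.xml, and a sheet whose `state` is hidden or veryHidden. The sample workbooks it inspects are constructed inline so it runs offline; legacy binary .xls files store XL4 macros as BIFF records and are out of scope for this check.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the content type Excel assigns to XL4 macro sheets.
NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_CT = "http://schemas.openxmlformats.org/package/2006/content-types"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
WORKSHEET_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.worksheet+xml"


def scan_xl4_macros(xlsm_bytes):
    """Static scan of an .xlsm (zip) for Excel 4.0 macro indicators.

    Returns a report dict; nothing in the workbook is executed."""
    report = {"macrosheets": set(), "auto_open_names": [], "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(xlsm_bytes)) as z:
        names = set(z.namelist())

        # 1. Parts declared with the macrosheet content type.
        if "[Content_Types].xml" in names:
            root = ET.fromstring(z.read("[Content_Types].xml"))
            for ov in root.iter(f"{{{NS_CT}}}Override"):
                if ov.get("ContentType") == MACROSHEET_CT:
                    report["macrosheets"].add(ov.get("PartName", "").lstrip("/"))

        # 2. Parts stored under the conventional macrosheet folder.
        for n in names:
            if n.startswith("xl/macrosheets/") and n.endswith(".xml"):
                report["macrosheets"].add(n)

        # 3. Auto-run defined names and hidden sheets in workbook.xml.
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            for dn in wb.iter(f"{{{NS_MAIN}}}definedName"):
                name = dn.get("name", "")
                if name.lower() in ("_xlnm.auto_open", "auto_open"):
                    report["auto_open_names"].append(name)
            for sh in wb.iter(f"{{{NS_MAIN}}}sheet"):
                if sh.get("state") in ("hidden", "veryHidden"):
                    report["hidden_sheets"].append(sh.get("name", ""))

    report["macrosheets"] = sorted(report["macrosheets"])
    return report


def is_suspicious(report):
    """Any XL4 macro sheet is enough to quarantine for analyst review."""
    return bool(report["macrosheets"]) or bool(report["auto_open_names"])


def build_sample_workbook(with_xl4_macro):
    """Constructed minimal .xlsm-style zip for the demo (not a real attachment).

    with_xl4_macro=True adds a veryHidden macro sheet plus an Auto_Open name."""
    overrides = [
        ("/xl/workbook.xml", "application/vnd.ms-excel.sheet.macroEnabled.main+xml"),
        ("/xl/worksheets/sheet1.xml", WORKSHEET_CT),
    ]
    sheets = ['<sheet name="Sheet1" sheetId="1" r:id="rId1"/>']
    defined = ""
    if with_xl4_macro:
        overrides.append(("/xl/macrosheets/sheet1.xml", MACROSHEET_CT))
        sheets.append('<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>')
        defined = ('<definedNames><definedName name="_xlnm.Auto_Open" hidden="1">'
                   'Macro1!$A$1</definedName></definedNames>')

    content_types = f'<Types xmlns="{NS_CT}">' + "".join(
        f'<Override PartName="{p}" ContentType="{c}"/>' for p, c in overrides
    ) + "</Types>"
    workbook = (f'<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>'
                + "".join(sheets) + "</sheets>" + defined + "</workbook>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"/>')
        if with_xl4_macro:
            z.writestr("xl/macrosheets/sheet1.xml", f'<macrosheet xmlns="{NS_MAIN}"/>')
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        rep = scan_xl4_macros(build_sample_workbook(flag))
        print("suspicious" if is_suspicious(rep) else "clean", rep)
```

Each indicator is recorded separately so a mail gateway or triage script can apply its own policy: a macro sheet alone is a strong signal, while a hidden sheet by itself is common in legitimate workbooks and should only raise the score. Because the check is purely structural, it keeps working when the macro formulas themselves are obfuscated, which is the evasion direction the researchers describe.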
Malicious macros have been one of the leading causes of malware infections for many years, and attackers continue to use this method because it still works. New-school security awareness training can stop these attacks in their tracks by teaching employees the risks of enabling macros in a document.