Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

Cyber Security

Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.

“The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules,” researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.

In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.

“Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,” the researchers noted. “Cost of maintaining 30 year old macros should be weighed against the security risks using such outdated technology brings.”