Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware

April 29, 2021

Threat actors are increasingly adopting Excel 4.0 documents as an initial-stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, of which more than 90% were classified as malicious or suspicious.

“The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip through conventional signature-based detections and analyst-written YARA rules,” researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), are a legacy feature kept in Microsoft Excel for backward compatibility reasons. Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.

In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.
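As an added example (not from the article or from ReversingLabs), the following triage script flags the traits described above in an OOXML workbook: the presence of an Excel 4.0 macrosheet part, hidden or veryHidden sheets, XLM calls that run programs or touch files, and long Base64-looking string literals. The `xl/macrosheets/` and `xl/workbook.xml` layout, the `RISKY_XLM` list and the sample workbook (built in memory) are assumptions made for this illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XLM functions worth flagging in triage: they run programs, load DLLs or write files (assumed list).
RISKY_XLM = ("EXEC", "CALL", "REGISTER", "FORMULA", "FOPEN", "FWRITE")
# A quoted literal of 40+ Base64-alphabet characters: the "payload stored in a sheet" pattern.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')

def triage_workbook(source):
    """Heuristic findings for an OOXML workbook (file path or file-like object)."""
    findings = {"macrosheets": [], "hidden_sheets": [], "risky_calls": [], "b64_literals": 0}
    with zipfile.ZipFile(source) as zf:
        names = zf.namelist()
        for name in names:
            if not (name.startswith("xl/macrosheets/") and name.endswith(".xml")):
                continue
            findings["macrosheets"].append(name)
            for cell in ET.fromstring(zf.read(name)).iter():
                if cell.tag.rsplit("}", 1)[-1] == "f" and cell.text:  # <f> holds the formula
                    upper = cell.text.upper()
                    findings["risky_calls"] += [fn for fn in RISKY_XLM if fn + "(" in upper]
                    findings["b64_literals"] += len(B64_LITERAL.findall(cell.text))
        if "xl/workbook.xml" in names:  # sheet visibility lives in the workbook part
            for sheet in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                if sheet.tag.rsplit("}", 1)[-1] == "sheet" and sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
    findings["suspicious"] = bool(findings["macrosheets"]) and bool(
        findings["risky_calls"] or findings["hidden_sheets"] or findings["b64_literals"])
    return findings

def build_sample():
    """Constructed in-memory .xlsm: one normal sheet plus a veryHidden XLM macro sheet."""
    workbook = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
                '<sheets><sheet name="Invoice" sheetId="1"/>'
                '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets></workbook>')
    macro = ('<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
             'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
             '<row r="1"><c r="A1"><f>EXEC("PLACEHOLDER.EXE")</f></c></row>'
             '<row r="2"><c r="A2"><f>FORMULA("' + "Q" * 48 + '",B1)</f></c></row>'
             '<row r="3"><c r="A3"><f>HALT()</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/macrosheets/sheet1.xml", macro)
    buf.seek(0)
    return buf
```

Run `triage_workbook(build_sample())` to see the constructed sample flagged; a legacy `.xls` (BIFF) file stores XLM sheets differently and is out of scope for this script.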

“Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,” the researchers noted. “The cost of maintaining 30-year-old macros should be weighed against the security risks that using such outdated technology brings.”
