The findings come from an evaluation of 160,000 Excel 4.0 paperwork between November 2020 and March 2021, out of which greater than 90% had been categorised as malicious or suspicious.
“The largest danger for the focused corporations and people is the truth that safety options nonetheless have numerous issues with detecting malicious Excel 4.0 paperwork, making most of those slip by typical signature primarily based detections and analyst written YARA guidelines,” researchers from ReversingLabs mentioned in a report published today.
Excel 4.0 macros (XLM), the precursor to Visible Primary for Functions (VBA), is a legacy characteristic integrated in Microsoft Excel for backward compatibility causes. Microsoft warns in its support document that enabling all macros may cause “doubtlessly harmful code” to run.
The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a infamous banking trojan able to stealing banking credentials and different monetary info, whereas additionally gaining worm-like propagation options. Usually unfold by way of weaponized Workplace paperwork, variants of QakBot have been capable of ship different malware payloads, log consumer keystrokes, and even create a backdoor to compromised machines.
In a doc analyzed by ReversingLabs, the malware not solely tricked customers into enabling macros with convincing lures, but additionally got here with embedded recordsdata containing XLM macros that obtain and execute a malicious second-stage payload retrieved from a distant server. One other pattern included a Base64-encoded payload in one of many sheets, which then tried to obtain extra malware from a sketchy URL.
“Regardless that backward compatibility is essential, some issues ought to have a life expectancy and, from a safety perspective, it could most likely be greatest in the event that they had been deprecated sooner or later in time,” the researchers famous. “Price of sustaining 30 yr previous macros needs to be weighed towards the safety dangers utilizing such outdated know-how brings.”