Hackers Widely Abusing Excel 4.0 Macro to Distribute Malware

Excel introduced Excel 4.0 Macros (XLM) feature in 1992. Since then, this style has been commonly used to abuse Visual Basic for Applications (VBA). In 2020, it became popular amongst attackers as this macro is challenging to catch in detection; thus, many cybersecurity providers struggle to defend against Excel 4 macro-based attacks. This allows attackers to explore deeper into XLM macros and abuse their legit functions to compromise victims.

Since the outbreak of COVID-19, there has been a new wave of multiple malware attacks abusing the Excel 4.0 macro to create infections worldwide. XLM is very powerful and is widely used by many organizations and users alike. Unlike traditional macro, XML macros are hard to detect in AV/EDR, thus allowing attackers to infect many targeted users.

In recent times we have observed multiple malware families like Qbot, Trickbot, IcedID, Bazzerloader, ZLoader, Ramcos RAT, FlawedAmmyy RAT, etc., primarily use Excel 4 macros to deliver their primary payloads such as EXE or DLL.

All about Excel 4.0 Macro and it’s commonly used functions

The Excel 4.0 macros (XLM) is a 30-year-old feature allowing users to enter various commands into cells and execute them to perform a task. Popular even today, it is used for automating repetitive tasks. Debugging XLM is not always possible as compared to traditional macros.

Excel 4.0 macro most commonly used functions – EXEC, EXECUTE, FORMULA, GOTO, RUN, STEP.

How Excel 4.0 Macro is Abused by Hackers?

Excel 4.0 macro is a legitimate component of Microsoft Excel which is likely to never get disabled, as it is regularly used for benign business purposes. For example, the common SUM function is used to obtain the sum of a range of cells.

Macros of this type are commonly referred to as “formulas.” This technique has been effective because although it is an old feature, security vendors may not have yet devised detection techniques for this type of attack.

Techniques & Malwares used by Hackers

Multiple techniques are used by hackers – hidden & very hidden sheet, use of white font color, multiple sheets use for scattering macro, hide column, Use of benign DLL’s.

Malware’s distributed to abuse Excel 4.0 macro are –

1. Remcos RAT

Remcos is another RAT (Remote Administration Tool) that was first discovered in 2016.. We discovered that the Remcos RAT is being distributed through malicious Excel 4.0, which are most probably attached to SPAM emails.

2. FlawedAmmyy RAT

While analyzing another Excel 4.0 macro sample, we found another RAT, XLS sample having multiple hidden sheets. Even the name of the sheet was hidden. By using the BIFF plugin, hackers extract the BIFF records from the hidden workbook stream.

3. QBot Malware Family

Qbot is from a banking Trojan family active since 2007. This year we have seen Qbot being used heavily in XLM macros. While analyzing different samples, we discovered mainly three techniques used by this malware family –  

  • Hiding Multiple Sheets
  • Use of white font color
  • Scattered macros in different sheets

4. Bazarloader Family

In February 2021, the Bazarloader family tricked victims with fake calls where the threat actors asked to download malicious excel attachments from a dummy website. This excel attachment used Excel 4 macros to hide columns containing the macro code. Also, DLL data was already present in the Excel file in base64 format rather than downloading from other resources.

5. Zloader Family

At the beginning of 2021, Zloader was found using the “DOCM” file to create a password-protected Excel file. When the victim closes the document file, VBA macro code gets executed, and the Excel file is downloaded from ”hxxps[:]//feelingfit-always[.]com/1[.]php”. For full analysis, read our blog.

6. IcedID

IcedID – also known as BokBot, is a banking trojan and acts as a dropper for other malware. While analyzing multiple samples of this family, we came to know that it shares some similarities with QBot techniques like hiding multiple sheets, scattered macros, and white font color.

Detection Techniques

For these type of samples, traditional or string-based detection are possible by combining a set of benign functions and obfuscated data as it is available on the raw file. However, attackers try their best to evade static detection. So, string-based may not fully block these types of files. Also, in a very hidden Excel sheet, content is not visible. Non-traditional methods like behavior-based detection and NGAV (Next Generation Anti-Virus) can be helpful in such scenarios.

Conclusion

From 2020, adversaries started to explore XLM macro, and in no time, this technique gained popularity because of the lack of certain security support. In the future, we might see hackers use more XLM macros to distribute malware.

Full technical details can be found on our white paper

Author:

Prashant Tilekar.
Quick Heal – India.
AVAR 2021 Virtual Speaker
prashant.tilekar@quickheal.com

Anjali Raut.
Quick Heal – India.
AVAR 2021 Virtual Speaker
anjali.raut@quickheal.com

Comments are closed.

X