Abusing Excel 4.0 Macro to Distribute Malware

Prashant Tilekar, Anjali Raut

Quick Heal Technologies

Abstract:

The Excel 4.0 macro (XLM) feature was introduced in Excel version 4.0 back in 1992. This style of macro predates the also commonly abused Visual Basic for Applications (VBA). Since 2020, adversaries have been exploring Excel 4.0 (XLM) macros, and they are gaining popularity day by day among attackers and security researchers alike. This type of macro is difficult to detect, so many cyber security providers still have a hard time defending against it. This gives attackers an opportunity to look deeper into XLM macros and abuse their legitimate functions to compromise victims.

Since the outbreak of COVID-19, we’ve seen a new wave of malware attacks abusing Excel 4.0 macros to create infections all over the world. XLM is very powerful and is used widely by many organizations and users alike. Attackers know this, and they have been abusing XLM macros to easily infect unsuspecting users. Additionally, unlike traditional macros, XLM is complex for AV/EDR products to detect.

In this presentation, we will cover our research on Excel 4.0 macros and a comprehensive analysis of different malware families that primarily use Excel 4.0 macros to deliver their main payloads. We will explain the divergent TTPs of campaigns such as Qbot, Trickbot, IcedID, BazarLoader, ZLoader, Gozi, Danabot and Agent Tesla, and we will speak about the technical changes we have observed over this timeline. We’ll also cover detection tactics that may help proactively respond to this type of threat, tools to identify hidden data in XLM, and other possible detection methods.

Speakers

Prashant Tilekar

Senior security researcher

Anjali Raut

Security researcher II
