The findings come from an evaluation of 160,000 Excel 4.0 paperwork between November 2020 and March 2021, out of which greater than 90% had been categorized as malicious or suspicious.
“The most important threat for the focused corporations and people is the truth that safety options nonetheless have numerous issues with detecting malicious Excel 4.0 paperwork, making most of those slip by standard signature based mostly detections and analyst written YARA guidelines,” researchers from ReversingLabs mentioned in a report published today.
Excel 4.0 macros (XLM), the precursor to Visible Primary for Purposes (VBA), is a legacy function included in Microsoft Excel for backward compatibility causes. Microsoft warns in its support document that enabling all macros could cause “probably harmful code” to run.
The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a infamous banking trojan able to stealing banking credentials and different monetary info, whereas additionally gaining worm-like propagation options. Sometimes unfold by way of weaponized Workplace paperwork, variants of QakBot have been capable of ship different malware payloads, log person keystrokes, and even create a backdoor to compromised machines.
In a doc analyzed by ReversingLabs, the malware not solely tricked customers into enabling macros with convincing lures, but in addition got here with embedded recordsdata containing XLM macros that obtain and execute a malicious second-stage payload retrieved from a distant server. One other pattern included a Base64-encoded payload in one of many sheets, which then tried to obtain extra malware from a sketchy URL.
“Regardless that backward compatibility is essential, some issues ought to have a life expectancy and, from a safety perspective, it might most likely be greatest in the event that they had been deprecated sooner or later in time,” the researchers famous. “Value of sustaining 30 12 months outdated macros must be weighed in opposition to the safety dangers utilizing such outdated expertise brings.”