Excel 4.0 macros have been around for almost three decades, but this year, attackers have found new ways to weaponize them. It’s bad news for companies that still rely heavily on this legitimate and long-standing functionality.
VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh observed thousands of samples this year and presented their findings during the VB2020 conference in October. They were able to group samples into distinct waves, noting how malware authors improved their work, making malicious spreadsheets more sophisticated and more evasive.
Excel 4.0 macros, also known as XL4 macros, became more pervasive in February. Typically, victims receive a malicious XLS file by email and are tricked into enabling macros. Once they do that, the attacker can gain access to the network, allowing them to deliver additional malware, which could potentially be more persistent.
Several commodity malware families including Trickbot, Danabot, Gozi and ZLoader have used this idea to get a foothold on a target network. In fact, the researchers said, this type of malware opens the door for a wide range of possibilities.
The researchers believe that Excel 4.0 macros are currently an “uncharted territory,” where both sides continuously learn new tricks. Malware authors keep pushing the boundaries, identifying new ways to evade detection, while security researchers try to determine how to better assess Excel documents.