Attackers are increasingly using Excel 4.0 (XLM) macro documents to distribute malware such as ZLoader and Qakbot, according to research from security firm ReversingLabs.
How was the research on malicious Excel 4.0 (XLM) macros carried out?
The research team collected every Excel document that appeared for the first time in the ReversingLabs TitaniumCloud repository since November 2020 and ran it through a static analysis engine, which identified almost 160,000 documents using Excel 4.0 (XLM) macros.
Nearly all of those 160,000 documents were classified as malicious or suspicious. In other words, a document that contains XLM macros is almost certainly malicious. But why is that?
“It makes sense given that XLM macros are a legacy Office option at this point, and there is just a small chance that new documents would use them instead of more ‘modern’ VBA macros,” the researchers explain.
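To show what a static check for Excel 4.0 macros looks like in practice, here is an added example (written for this page, not ReversingLabs' analysis engine) that flags XLM macro sheets in both Excel container formats. For a legacy .xls it walks the BIFF8 BoundSheet8 records of the Workbook stream, which must first be extracted from the OLE2 container (for example with the olefile package; that step is assumed and not shown). For a .xlsm it reads the content types, relationships and workbook.xml inside the ZIP package. The sample inputs are constructed inline and each carry one veryHidden macro sheet behind a visible decoy sheet, the layout droppers commonly use; they are not real malware.

```python
"""Static detection of Excel 4.0 (XLM) macro sheets in both Excel container formats.
Added example, not ReversingLabs' engine. Assumes: for legacy .xls (BIFF8) you pass the raw
'Workbook' stream, extracted from the OLE2 container beforehand (e.g. with olefile, not
shown); for OOXML (.xlsm/.xlsx) you pass the whole file, which is a ZIP package."""
import io
import struct
import zipfile
import xml.etree.ElementTree as ET

# BIFF8: every sheet is announced by a BoundSheet8 record (MS-XLS); dt == 1 marks an XLM sheet
BIFF_BOUNDSHEET, BIFF_BOF, BIFF_EOF, DT_XLM_MACRO_SHEET = 0x0085, 0x0809, 0x000A, 0x01
HS_STATE = {0: "visible", 1: "hidden", 2: "veryHidden"}
# OOXML: macro sheets are separate parts with their own content type
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
CT_URI = "http://schemas.openxmlformats.org/package/2006/content-types"
REL_URI = "http://schemas.openxmlformats.org/package/2006/relationships"
MAIN_URI = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
R_URI = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def iter_biff_records(stream: bytes):
    """Walk the BIFF record chain: 2-byte id, 2-byte length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rec_id, length = struct.unpack_from("<HH", stream, pos)
        yield rec_id, stream[pos + 4:pos + 4 + length]
        pos += 4 + length


def xlm_sheets_in_biff(stream: bytes):
    """Return [(sheet_name, visibility)] for every XLM macro sheet in a Workbook stream."""
    found = []
    for rec_id, payload in iter_biff_records(stream):
        if rec_id != BIFF_BOUNDSHEET or len(payload) < 8:
            continue
        # lbPlyPos(4) | hsState in low 2 bits, dt in high byte (2) | cch(1) | fHighByte(1) | name
        _pos, grbit, cch, flags = struct.unpack_from("<IHBB", payload, 0)
        raw = payload[8:]
        name = raw[:cch * 2].decode("utf-16-le") if flags & 1 else raw[:cch].decode("latin-1")
        if (grbit >> 8) == DT_XLM_MACRO_SHEET:
            found.append((name, HS_STATE.get(grbit & 0x03, "unknown")))
    return found


def xlm_sheets_in_ooxml(data: bytes):
    """Return [(sheet_name, visibility)] for every XLM macro sheet in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())

        def part(n):
            return ET.fromstring(z.read(n)) if n in names else None

        macro_parts = set()
        ct = part("[Content_Types].xml")
        if ct is not None:  # the declared content type is the authoritative marker
            for ov in ct.iter("{%s}Override" % CT_URI):
                if ov.get("ContentType") == MACROSHEET_CT:
                    macro_parts.add(ov.get("PartName", "").lstrip("/"))
        # also trust the conventional folder, in case [Content_Types].xml was tampered with
        macro_parts |= {n for n in names if n.startswith("xl/macrosheets/") and n.endswith(".xml")}
        rid_to_part = {}  # workbook.xml r:id -> part name, via the workbook relationships
        rels = part("xl/_rels/workbook.xml.rels")
        if rels is not None:
            for r in rels.iter("{%s}Relationship" % REL_URI):
                t = r.get("Target", "")
                rid_to_part[r.get("Id")] = t.lstrip("/") if t.startswith("/") else "xl/" + t
        found = []
        wb = part("xl/workbook.xml")
        if wb is not None:  # sheet names plus hidden/veryHidden state, the usual dropper trick
            for sh in wb.iter("{%s}sheet" % MAIN_URI):
                p = rid_to_part.get(sh.get("{%s}id" % R_URI))
                if p in macro_parts:
                    found.append((sh.get("name"), sh.get("state", "visible")))
                    macro_parts.discard(p)
        # a macro part that workbook.xml never references is still worth flagging
        return found + [(p, "unreferenced") for p in sorted(macro_parts)]


# Constructed samples, each with one veryHidden XLM sheet behind a visible decoy; not real malware
def _boundsheet(name: str, dt: int, hs_state: int = 0) -> bytes:
    body = struct.pack("<IHBB", 0, (dt << 8) | hs_state, len(name), 0) + name.encode("latin-1")
    return struct.pack("<HH", BIFF_BOUNDSHEET, len(body)) + body


SAMPLE_BIFF_STREAM = (struct.pack("<HH", BIFF_BOF, 16) + bytes(16)      # BOF, payload zeroed
                      + _boundsheet("Sheet1", 0x00)                       # plain worksheet
                      + _boundsheet("Macro1", DT_XLM_MACRO_SHEET, 2)      # veryHidden XLM sheet
                      + struct.pack("<HH", BIFF_EOF, 0))


def build_sample_xlsm() -> bytes:
    parts = {
        "[Content_Types].xml": f'<Types xmlns="{CT_URI}"><Override PartName="/xl/macrosheets/sheet1.xml" '
                               f'ContentType="{MACROSHEET_CT}"/></Types>',
        "xl/workbook.xml": f'<workbook xmlns="{MAIN_URI}" xmlns:r="{R_URI}"><sheets>'
                           '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                           '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets></workbook>',
        "xl/_rels/workbook.xml.rels": f'<Relationships xmlns="{REL_URI}">'
            '<Relationship Id="rId2" Type="http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet" Target="macrosheets/sheet1.xml"/></Relationships>',
        "xl/macrosheets/sheet1.xml": f'<macrosheet xmlns="{MAIN_URI}"/>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
```

Calling `xlm_sheets_in_biff(SAMPLE_BIFF_STREAM)` and `xlm_sheets_in_ooxml(build_sample_xlsm())` both report the macro sheet as `('Macro1', 'veryHidden')`. A hidden or veryHidden XLM sheet is not proof of malice by itself, but given the finding above that almost every document using XLM macros was malicious or suspicious, it is a strong triage signal, and the two-source check on the OOXML side (content type plus folder name) guards against a package whose `[Content_Types].xml` has been edited to hide the part.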
The analysis also revealed that malicious samples increase at particular times of the year. A significant rise in the number of malicious samples was observed at the end of November 2020, a date that coincides with Black Friday. “This is somewhat expected, as such events are a good opportunity for malicious actors to lure their targets into opening malicious content,” the report notes.
Curiously, the team observed almost no activity around the winter holidays (Christmas and New Year). The pause was short, though: malicious Excel 4.0 macro activity picked up again in January, ahead of Valentine’s Day. “Malware, as most human activity, appears to be seasonal,” the researchers conclude.
Banking trojans tend to use malicious macros
One of the latest large-scale campaigns delivering the ZLoader trojan was detected last summer, using malicious CV (résumé) files as carriers of the infamous banking trojan.
Most banking malware is distributed via malicious documents of the kinds users handle every day: text documents, presentations, spreadsheets and databases. In that campaign the attackers embedded the trojan in Microsoft Excel files. When such a file is opened, Excel displays a prompt asking the user to enable macros; the moment the victim does so, the macro runs and the trojan is installed.
What shall you do to avoid falling victim to banking trojan campaigns?
Banking trojans have caused great damage to unsuspecting users, generating fraudulent transactions and stealing banking credentials. Attack scenarios get even worse if the banking trojan installs additional malware, such as ransomware. Since banking malware continues to be a huge issue for both individual and enterprise users, it’s only natural to look for protection.
Microsoft Office disables macros by default and only prompts the user to enable them. Cybercriminals know this, so the document itself is built to talk the victim into clicking Enable Content, typically with a fake “this file is protected, enable editing to view it” message.
Here are some basic, easy-to-follow steps to avoid malicious macros:
- Disable macros in Microsoft Office applications. The very first thing to do is check that macros are disabled in Microsoft Office; Microsoft’s official documentation explains where the setting lives. Keep in mind that if you are an enterprise user, the system administrator controls the macro default settings (usually through Group Policy).
- Don’t open suspicious emails. Simple as that. If you receive an unexpected email from an unknown sender, such as an invoice, don’t open its attachment before making sure it is legitimate. Spam is the primary way of distributing macro malware.
- Use anti-spam and anti-malware protection. Spam filters examine incoming email, separate spam from legitimate messages and stop it before it reaches your inbox; make sure one is in place, and complement it with anti-malware software that scans attachments before they are opened.