Cybercriminals are using Excel Macros to spread Malware! Stay Alert!

 

Threat is increasing as the cyber criminals are using excel 4.0 documents for spreading malware called Zloader and Quakbot. According to the latest research, there was a sudden surge in this kind of cyber attack in 2021. Many individuals and companies having weak policies have suffered and have faced the consequences.

What is Excel 4.0 macros (XLM)?

XLM, for Excel Macro, is a type of Spreadsheet files that are used to store Macros. From an application point of view, a Macro is a set of instructions that are used for automating processes. Macros are programmed with Microsoft’s VBA – Visual Basic for Applications from within the Excel Workbook. Visual Basic Editor present in it can be used to run/debug directly from there.

Quakbot (aka QBOT), which was first found in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines. Few of the variants also have computer worm-like (ability to replicate itself to spread to other computers) propagation characteristics.

How are the users getting tricked?

Microsoft Office automatically disables macros but the attackers attempt to trick recipients of the email to enable them with a message appearing inside the Word document. This file is a non-malicious file which is used to trick the user to enable the macro. This initial attack is achieved by a phishing email with a Microsoft Word document as an attachment. While this document is opened, a password-protected Excel file is downloaded from a remote server.
McAfee Labs research team states that, after downloading the XLS file, the Word VBA reads the cell contents from XLS and creates a new macro for the same XLS file and writes the cell contents to XLS VBA macros as functions. Once the macros are written to the downloaded XLS file, the Word document sets the policy in the registry to Disable Excel Macro Warning and calls the malicious macro function dynamically from the Excel file. This results in the downloading of the Zloader payload. The Zloader payload is then executed by rundll32[.]exe.

Measures and Prevention techniques to be taken?

It is highly recommended to enable macros only when the document received is from a trusted source. Post working on the macro document, disabling the feature until the next usage.

Disabling Macros:
1. File tab > Options.
2. select Trust Center > Trust Center Settings button.
3. select Macro Settings > Disable all macros with/without notifications.

 

 

Authored by Prithveesh K.
PRITHVISION
Prithvi Cyber Protect | Prithvi Mosaics