Despite being nearly 30 years old, Excel’s very functional macro technology appears to be a little too functional, as attackers have stepped up its use to advance cyberattacks.
We tend to think that when we talk about cyberattacks evolving, it’s all about new techniques and new vulnerabilities. But in the case of phishing attacks that need to launch code locally on a soon-to-be-compromised endpoint, attackers are turning to decades-old Excel 4.0 macro functionality (also known as XL4 macros), which apparently hasn’t found its limit yet.
Malware families such as Trickbot, Danabot, Gozi and ZLoader have been known to use XL4 macros. We’ve also recently seen examples in the wild ourselves of XL4 macros being used in COVID-themed scams.
VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh recently spoke at the VM2020 conference, presenting their findings from thousands of observed samples of Excel 4.0 macro weaponization.
According to the researchers, “the techniques employed by these attackers include ways to evade automated sandbox analysis and signature-based detection, as well as hands-on analysis performed by malware analysts and reverse engineers.” The fact that 30-year-old macro functionality can do all this says a lot about the elasticity of its capabilities, and it’s likely to remain a danger for some time to come.
If your organization relies on macro technology, you’re leaving your environment wide open to attack. At a minimum, configure Excel with macros disabled, and ask users to enable content only when it’s a document they are personally familiar with. And in general, users should be educated via new school Security Awareness Training that if they receive any kind of unsolicited document – even when it appears to be from a known entity – that requires macros to be enabled, they need to proceed with caution and suspicion.
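Disabling macros is the control; a mail gateway or triage script can also flag XL4 content before a user ever sees the prompt. The following Python check is an added example, not code from this post or from the VMware researchers: it builds a constructed (non-malicious) workbook and inspects it for the two indicators OOXML gives you for free, a macro sheet part under `xl/macrosheets/` and a sheet whose `state` is `hidden` or `veryHidden`; the sample workbook, its sheet names and the function names are assumptions of the example.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy binary .xls container

def build_sample_workbook() -> bytes:
    """Constructed OOXML workbook (not a real malware sample): one normal sheet
    plus a veryHidden Excel 4.0 macro sheet stored under xl/macrosheets/."""
    workbook_xml = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/></sheets>'
        '</workbook>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        z.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()

def scan_workbook(data: bytes) -> dict:
    """Triage an Excel file for Excel 4.0 (XLM) macro indicators.
    Returns the macro-sheet parts found, sheets hidden from the user, and a verdict."""
    result = {"format": None, "macrosheets": [], "hidden_sheets": [], "suspicious": False}
    if data.startswith(OLE2_MAGIC):
        # Legacy .xls keeps XLM inside BIFF records, which needs a BIFF parser;
        # only the container format is reported here rather than guessed at.
        result["format"] = "xls-binary"
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        result["format"] = "unknown"
        return result
    result["format"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # OOXML stores Excel 4.0 macro sheets as separate parts under xl/macrosheets/
        result["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        if "xl/workbook.xml" in names:
            wb = z.read("xl/workbook.xml").decode("utf-8", "replace")
            # <sheet ... state="hidden"|"veryHidden"> hides the sheet from the Excel UI
            for m in re.finditer(r'<sheet\b[^>]*\bstate="(hidden|veryHidden)"[^>]*>', wb):
                name = re.search(r'\bname="([^"]*)"', m.group(0))
                result["hidden_sheets"].append((name.group(1) if name else "?", m.group(1)))
    result["suspicious"] = bool(result["macrosheets"])
    return result

if __name__ == "__main__":
    print(scan_workbook(build_sample_workbook()))
```

A hidden sheet alone is not proof of anything, but a macro sheet part in an unsolicited attachment is exactly the content the "enable content" prompt would run, so route such files to analysis rather than to the user.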