Exploits Leveraging Excel 4.0 Macros Increase as Organizations Continue to Rely on this Legacy Technology



Despite being nearly 30 years old, Excel’s very functional macro technology appears to be a little too functional, as attackers have stepped up its use to advance cyberattacks.

We tend to think that when we talk about cyber attacks evolving, it’s all about using new techniques and vulnerabilities. But in the case of phishing attacks that need to launch code locally on a soon-to-be-compromised endpoint, it appears that attackers are turning to decades-old Excel 4.0 macro functionality (also known as XL4 macros) that apparently hasn’t found its limit.

Malware families such as Trickbot, Danabot, Gozi and ZLoader have been known to use XL4 macros. We’ve also seen examples in the wild ourselves of the use of XL4 macros recently in COVID-themed scams.

VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh recently spoke at the VM2020 conference, presenting their findings on thousands of observed samples of Excel 4.0 macro weaponization.

According to the researchers, “the techniques employed by these attackers include ways to evade automated sandbox analysis and signature-based detection, as well as hands-on analysis performed by malware analysts and reverse engineers.” The fact that 30-year-old macro functionality can do all this says a lot about the elasticity of its capabilities and suggests that it’s likely to remain a danger for some time to come.

If your organization relies on macro technology, you’re leaving your environment wide open for attacks. At a minimum, configure Excel to have macros disabled, asking users to only enable content when it’s a document they are personally familiar with. And in general, users should be educated via new-school Security Awareness Training that if they receive any kind of unsolicited document that requires macros to be enabled – even when it appears to be from a known entity – they need to proceed with caution and suspicion.
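As an added example (not from the original post or the VMware research), here is one way a mail or file gateway could flag workbooks that carry Excel 4.0 macro sheets before a user is ever asked to enable content. It covers OOXML files (.xlsx/.xlsm) only and also reports hidden sheets as an extra signal; the names `scan_workbook` and `build_sample`, the 5 MB part cap and the sample workbook are assumptions constructed for this example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Content type of Excel 4.0 (XLM) macro sheet parts in OOXML workbooks.
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
MAIN_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MAX_PART = 5 * 1024 * 1024  # assumed cap so a crafted archive cannot exhaust memory

def _xml(zf, name):
    """Read one part with a size cap and refuse DTDs (entity-expansion tricks)."""
    if zf.getinfo(name).file_size > MAX_PART:
        raise ValueError("part too large")
    raw = zf.read(name)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD not allowed")
    return ET.fromstring(raw)

def scan_workbook(data):
    """Return XL4 macro sheet parts and hidden sheet names found in a workbook."""
    found = {"macrosheets": [], "hidden_sheets": [], "error": None}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for ov in _xml(zf, "[Content_Types].xml").iter(CT_NS + "Override"):
                if ov.get("ContentType", "").lower() == MACROSHEET_CT:
                    found["macrosheets"].append(ov.get("PartName"))
            for sheet in _xml(zf, "xl/workbook.xml").iter(MAIN_NS + "sheet"):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    found["hidden_sheets"].append(sheet.get("name"))
    except (zipfile.BadZipFile, KeyError, ValueError, ET.ParseError) as exc:
        # Legacy .xls (OLE2) and damaged files land here: send them to other tooling.
        found["error"] = type(exc).__name__
    return found

def build_sample(with_macro_sheet):
    """Constructed minimal workbook skeleton, for demonstration only."""
    ct = '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    wb = ('<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
          '<sheets><sheet name="Invoice" sheetId="1"/>')
    if with_macro_sheet:
        ct += '<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="%s"/>' % MACROSHEET_CT
        wb += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct + "</Types>")
        zf.writestr("xl/workbook.xml", wb + "</sheets></workbook>")
    return buf.getvalue()
```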


Request A Demo: Security Awareness Training

New-school Security Awareness Training is critical to enabling you and your IT staff to connect with users and help them make the right security decisions all of the time. This isn't a one-and-done deal; continuous training and simulated phishing are both needed to mobilize users as your last line of defense. Request your one-on-one demo of KnowBe4's security awareness training and simulated phishing platform and see how easy it can be!

Request a Demo!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

https://www.knowbe4.com/kmsat-security-awareness-training-demo


