Excel 4.0 macros have been around for almost three decades, but this year, attackers have found new ways to weaponize them. It’s bad news for companies that still rely heavily on this legitimate and long-standing functionality.
VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh observed thousands of samples this year and presented their findings during the VB2020 conference in October. They were able to group samples into distinct waves, noting how malware authors improved their work, making malicious spreadsheets more sophisticated and more evasive.
Excel 4.0 macros, also known as XL4 macros, became more pervasive in February. Typically, victims receive a malicious XLS file by email and are tricked into enabling macros. Once they do that, the attacker can gain access to the network, allowing them to deliver additional malware, which could potentially be more persistent.
Several commodity malware families including Trickbot, Danabot, Gozi and ZLoader have used this idea to get a foothold on a target network. In fact, the researchers said, this type of malware opens the door for a wide range of possibilities.
The researchers believe that Excel 4.0 macros are currently an “uncharted territory,” where both sides continuously learn new tricks. Malware authors keep pushing the boundaries, identifying new ways to evade detection, while security researchers try to determine how to better assess Excel documents.
The cat-and-mouse game will likely continue in the years to come. Microsoft encourages users to discard Excel 4.0 macros and migrate to the more modern Visual Basic for Applications (VBA) macros. However, many businesses still rely on this benign functionality, so it’s unlikely that it will be retired.
What are Excel 4.0 macros?
Excel 4.0 macros are "something incredibly old, but nothing incredibly fancy," said Ortolani. It takes a user about 30 seconds to create a simple macro that can display a message on the screen or run a Windows app. The idea of allowing users to create macros that would automate repetitive tasks has been around since Excel’s very beginnings, and XLM became the default macro language in 1992, when Excel 4.0 was launched.
Excel 4.0 macros are not just easy to create, they are also powerful. While some can be as simple as =EXEC(“calc.exe”), which displays the calculator, others can stack several lines of code that allow access to the file system, registry, WinAPI and more. By contrast, standard macros are limited to workbook-related computations and cannot interact with the system at a low level.
How malware authors raised their macro game
The VMware researchers have clustered thousands of samples, trying to understand how this threat has evolved over the past year. They’ve counted 15 waves of attacks in total, usually one or two weeks apart. “Each of those waves was quite unique, getting more and more sophisticated over time,” Ortolani said.
By comparing samples across different waves, the researchers were able to study how malware authors learned to use advanced evasion and obfuscation techniques. Although the authors upped their game, they kept the base functionality of the samples, which was to download and execute a payload such as an EXE or DLL file.
Researchers detected the first wave of attacks in mid-February. “This first cluster sets the stage for all clusters that follow, as most are simply just going to extend or build upon this pre-existing code,” Haughom said. The samples from this first wave featured a phishing image that included the Microsoft Office logo. Users were told to click the "Enable editing" and "Enable content" buttons.
All the samples detected during this wave had a hidden macro sheet that held the payload, Haughom said. It was pretty easy to unhide, and the code was not obfuscated in any way. “Probably the most significant feature of this cluster is all the anti-sandboxing that takes place,” he said. “We don't typically see a lot of anti-sandboxing when it comes to VBA macros, but what we see here are actually three different environment checks.”
These environment checks are written in cells A1, A2 and A3 of the macro sheet. The first one requires user interaction with a message box. It displays a pop-up window that reads: “We found a problem with some content. Do you want to try to recover as much as we can?”
This helps the malware to evade the less robust automated sandboxes, Haughom said. “If a sandbox doesn't have full user emulation to click through this pop-up, then it's not going to continue executing, and you won't see the full behavior of the sample.” The following two cells, A2 and A3, are used to check for mouse and audio capabilities.
Once these environment checks are performed, the malware moves on to download a more persistent payload via a web query. It then checks if the payload has been downloaded successfully.
The second wave of attacks followed at the end of February, and it was similar in many ways. Yet, it featured some trivial obfuscation techniques: The code was scattered around the macro sheet, and it was written using a white font on a white background. “These aren't impressive or groundbreaking yet... but it shows that malware authors are starting to explore what's possible with Excel 4.0,” Haughom said.
The next wave of attacks came with extended sandbox evasion capabilities. The samples had additional environment checks, looking at display size and dimensions of workspace. Also, the macro sheet was concealed using the VeryHidden flag instead of Hidden.
The difference between the two is that the user can't unhide a VeryHidden macro sheet from the Excel interface, Haughom said. "You actually have to use a script, or you can do it in VBA code or manually in a hex editor.”
XL4 macros are getting more complex
The waves of attacks that followed show how quickly malware authors had improved their skills. By mid-March, the macros were massively using the CHAR(integer) function that translates letters into ASCII code. Each letter of the payload was written using its corresponding CHAR function, and then the string was concatenated—a common obfuscation technique that appears in various other formats.
Then, the researchers saw more WinAPI activity, and they noticed that macros started to check for specific security settings for Excel in the registry. They also caught a few samples that needed to be executed on a specific day of the month. That day was used as a key to deobfuscate the payload. If the macro ran on an incorrect day, the results of the deobfuscation process were strings of unintelligible characters.
By the end of April, the first samples in which the payload was hidden among dozens of independent macro sheets appeared. Malware authors wanted to make it more difficult for analysts to identify the interesting code blocks.
Another improved evasion technique surfaced around mid-May when samples started to check if the Excel window is hidden or minimized, actions that might suggest that it was not viewed by a regular user. Malware authors also probed if the sample ran in single-step mode, a debugging strategy that might have helped a security researcher observe the results of each action in the macro.
Around the same time, Haughom noticed another intriguing fact. His team detected a sample that, instead of leveraging the common CHAR function, used the MID function, which extracts a substring from a string. This, he said, was an attempt to break obfuscation-related signatures that expect CHAR. He said that up until that point he only saw the MID function used in malicious VBA macros, not XL4.
By June and July, the samples featured even better techniques, Singh said. The malware authors started to rely heavily on Visual Basic Script (VBS) in their payload. They also checked to see if the machine used a 32- or 64-bit architecture, downloading the corresponding payload.
For 32-bit machines, they used techniques that were similar to those employed in previous attack waves. Yet, for 64-bit architecture, malware authors relied on two VBS scripts, one that downloaded the DLL and another that executed it, Singh said.
Over the summer, the VMware researchers saw one last interesting wave of attacks, which used powershell.exe to download and execute PowerShell scripts as a second-stage payload. Singh said that this cluster uses the VeryHidden option seen during the late spring, yet it doesn't have sophisticated evasion or obfuscation techniques.
“Maybe [malware authors] did it intentionally,” Singh said. “Sometimes if you add too much obfuscation and evasion, it becomes easier for detection engines to detect it.”
Excel 4.0 macros are here to stay
By the end of the summer, the researchers saw a drop in activity. Yet, they say that malware authors shouldn’t be disregarded nor underestimated. They’ve improved their techniques considerably this year, specifically in the area of environment checks and obfuscation, Haughom said.
When it comes to obfuscation, they’ve started with writing code using a white font on a white background, and quickly moved on to using the CHAR and DIM functions. “Now, we have nested operations that are passed as arguments, doing multiple mathematical computations in order to decode some value,” Haughom said.
His colleague Ortolani believes that Excel 4.0 macros are here to stay. “They’re easy to use but also easy to complicate,” he said. “The good news is that [detection] tools have been updated.”