Attackers are now using Microsoft Excel 4.0 documents to distribute malware such as ZLoader and Quakbot
Security researchers from ReversingLabs analyzed 160 thousand Excel 4.0 documents from the period between November 2020 and March 2021 and found that more than 90% of them were malicious or potentially dangerous.
“The biggest risk is that security solutions still have many problems detecting malicious Excel 4.0 documents based on YARA signatures and rules,” the experts explained.
Excel 4.0 macros (XLM) are a deprecated feature included in Microsoft Excel for backward compatibility reasons. As Microsoft warns, enabling all macros can cause “potentially dangerous code” to run.
For example, Quakbot malware (also known as QBOT) is capable of downloading other malware, logging user keystrokes, and injecting a backdoor.
According to the experts, the malware not only tricked users into enabling macros but also spread through embedded XLM macros that downloaded and executed a second-stage malicious payload from a remote server.
“While backward compatibility is very important, some things have to have an expected lifespan, and from a safety point of view, it would be better to leave them out. The cost of supporting 30-year-old macros must be weighed against the security risks associated with using such outdated technologies,” the experts noted.