Attackers using Excel documents to distribute various malware — placing backdoor to compromise machines.

Macros Malware

Recent days attackers use Macro malware — hides in Microsoft Office files and is delivered as email attachments or inside ZIP files.

In addition, These macros have the potential to inflict damage to the document or to other computer software.

Recently, Microsoft has added XLM macro protection for Microsoft 365 customers.

By expanding the runtime defence provided by Office 365’s integration with Antimalware Scan Interface (AMSI) to include Excel 4.0 (XLM) macro scanning.

Where AMSI introduced in 2015, and all major antivirus products available for the Windows 10 platform since then.

This helps expose malicious intent even when hidden using heavy obfuscation and to detect and block malware abusing:

• Office VBA macros and PowerShell
• JScript
• VBScript
• MSHTA/Jscript9
• WMI, or .NET code,

regularly used to deploy malware payloads via Office document macros.

According to analysis between November 2020 and March 2021 with over 160K Excel 4.0 documents — 90% were classified as suspicious.

Malware Target

Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

In addition, this is a precursor to Visual Basic for Applications (VBA), is a legacy feature incorporated in Microsoft Excel for backward compatibility reasons.

On the other hand, the excel documents are used as an initial stage vector to distribute malware such as ZLoader and Quakbot.

 Also, variants of malware have been able to:

• deliver other malware payloads
• log user keystrokes
• and, even create a backdoor to compromised machines.

According to ReversingLabs, on analysing documents: not only trick users into enabling macros but also  came with embedded files containing XLM macros.

In addition, that download and execute a malicious second-stage payload retrieved from a remote server.

However according to Microsoft, Administrators can now use the existing Microsoft 365 applications policy control.

Which to configure when both XLM and VBA macros scanned at runtime via AMSI.

Also, Admins can download the latest group policy template files for Microsoft 365 Apps from the Microsoft 365 download center.