What are Excel 4.0 XLM macros?

When Microsoft programmers released Excel 4.0 for Windows 3.0 and 3.1 in 1992, they seeded XLM macros in this Excel version. Through macro worksheets, XML macros allow users to automate functions in Excel 4.0. They are also easy to create: you just need to click “Sheet1” at the bottom of your Excel screen, select “Insert,” choose “MS Excel 4.0 Macro” from the objects list and click “OK.” Taking these steps opens up a special worksheet where you can write your XLM macros.  XLM macros are quite powerful. Although some are as simple as =ALERT(“Hello World”), which displays a dialog box with the Hello World message, others can be configured to allow access to WinAPI, file system and more. Variables in Excel 4.0 macros live through the concept of values in cells.  

Old macros, new techniques

At the VB2020 Conference, VMware security researchers James Haughom, Stefano Ortolani and Baibhav Singh gave a presentation on how adversaries are leveraging Excel 4.0 macros (also known as XL4 macros) to make malicious spreadsheets more evasive. They also discussed an attack technique where the author sends a malicious XLS file by email that tricks the victim into enabling macros. Once enabled, the attacker can gain access to the network, a perfect opportunity to inject additional malware.  Various commodity malware families, including Databot, Gozi and Trickbot, have used this technique to gain a strong position in a target network. As such, this form of malware leaves the door open for other possibilities. VMware researchers clustered a plethora of malware samples, analyzing how the technique has evolved over the past years. A total of 15 attack waves were discovered, and researchers compared samples across different waves to learn how threat actors had used advanced obfuscation and evasion techniques. What’s fascinating is that the samples’ core functionality remained the same; attackers primarily used them to execute a DLL or EXE file.

Timeline of XL4 macro attacks

Here’s a timeline of how the Excel 4.0 macro attacks evolved over the past year.

Mid-February 2020

The first wave of the macro attacks included a malicious Excel 4.0 macro sheet with a suspicious formula sent as an attachment. Upon opening them, users were asked to click the enable editing button, followed by the enable content button, which enabled the macro. The files were usually distributed through spam leveraging social engineering techniques that revolve around current themes like the COVID-19 outbreak to grab people’s attention. One of the researchers said this attack cluster’s most significant feature was all the environment checks that took place. Written in the first three cells of the sheet (cell A1, cell A2 and cell A3), the checks help the malware evade the less advanced automated sandboxes. For instance, the first check requires a user to interact with a message box saying there’s a problem with some content and asking whether they want to try and recover as much as possible. After the environment checks, the malware advances to download a more persistent payload through a web query. Lastly, it checks if the payload download was successful.

End of February 2020

The second attack wave featured some trivial obfuscation strategies that stretched the macro’s sandbox evasion capabilities. The samples triggered more environment checks, evaluating dimensions of workspace along with display size. Plus, the macro sheet was set to “very hidden,” so it wasn’t readily accessible through the Excel UI (as it wasn’t visible in the user’s list of sheets). The user can’t unhide it unless they use a script or intervene manually in a hex editor.

Mid-March 2020

Mid-March saw attackers obfuscating macros with a series of cells that initiate each command from the CHAR (integer) function. The technique allows them to specify strings using the ASCII code. All letters of the payload were written utilizing their corresponding CHAR function, after which the string was concatenated. The resulting macros could access win32 APIs, execute shell commands and perform various other actions desired by threat actors. Researchers also detected more WinAPI activity, revealing macros began to check certain security settings in the Excel registry. They also discovered a few samples scheduled to be executed on a specific day in a month. “A specific day” being the keyword. Macros that ran on an incorrect day would lead to strings of unintelligible characters.

Mid-May 2020

An improved evasion technique was introduced in mid-May that involved identifying if the malware is being analyzed or debugged. Malware authors achieved this by checking whether the macro is being run in single-step mode, a technique used to debug and step through XL4 macro code. Successful detection of the single-step mode prompted the malware to exit, not giving a potential security researcher any time to observe the results of actions taking place in the macro.  Another interesting thing about this sample was it leveraged the MID function instead of the common CHAR function. The MID function helps extract a substring from a string by delivering an index number for a starting point (along with the length of the text to extract). The aim, according to one of the researchers, was to break obfuscation-related signatures that anticipate CHAR. However, the MID function was detected in malicious VBA macros until that point, not in XLM macros.

June, July 2020

During the summer, malware authors started using even better methods. For instance, they started relying on visual basic script (VBS) for the payload. Further, they checked whether a system was using a 64-bit or 32-bit architecture when downloading the payload. For 64-bit systems, they leveraged two VBS scripts, one of which downloaded the DLL, while the other executed it.  Researchers also spotted another interesting sample that leveraged “powershell.exe” to download and run PowerShell scripts, but as a second-stage payload. It used the same “very hidden” macro sheet but didn’t have any obfuscation or evasion capabilities. The adversaries did this deliberately, knowing that adding too much evasion or obfuscation sometimes makes it easier for detection technologies to detect the malware.

Excel 4.0 macros likely to stick around

Although there was a decline in malware activity by the end of the summer, researchers suggest caution should be taken when using XL4 macros in the enterprise. This comes from the improved obfuscation techniques malware authors have been using to compromise a network. What started as writing code in white font on a white background quickly evolved to leveraging the DIM and CHAR functions for Excel 4.0 attacks. Fortunately, Microsoft has added new tools to anti-malware solutions like Microsoft Defender Antivirus to check what a macro does. Plus, detection tools like Perception Point End to End detection have been updated to identify the new threats.  

Sources

VB2020 presentation: Evolution of Excel 4.0 macro weaponization, Palada Attacker uses tricky technique of Excel 4.0 in Malspam campaign, Quick Heal blog  Excel 4.0 macros — now with twice the bits!, Cybereason  Microsoft: We’re cracking down on Excel macro malware, ZDNet