December 3, 2018

With IT developing at such a breakneck pace, it almost seems unbelievable that a technology from 26 years ago could be posing a cybersecurity threat. But CISOs and other security professionals know it’s all too believable, with yet another unpatched vulnerability, unnecessary protocol or outdated technology from decades ago causing major problems.

This is precisely what’s happening with Excel 4.0 macros. While VBA is a well-known vehicle for malicious macros, one that’s protected against by even traditional security solutions like antivirus programs, Excel 4.0 macros – otherwise known as XLM macros – are capable of many of the same malicious acts as VBA maldocs. However, this old and dangerous technology barely registers a blip on the threat radar.

Macros are an old foe

Macro-based threats – even the ones not using technology from 26 years ago – are a relatively ancient attack method. They were a common means of delivering malware in the late 1990s and early 2000s, especially effective because macros were originally designed for automatic execution. As Microsoft and other major IT players figured out how to lock them down, security threats moved on from macros to take aim at platforms and applications. However, as platform and application security has improved, threats have moved back to macros, and zero-day viruses have been abounding in them for the last few years.

When IT professionals talk about macro-based threats, they tend to mean those using VBA. This is understandable since VBA maldocs can be involved in both targeted attacks leading to data theft, account takeover and network compromise, and commodity malware like ransomware (including Locky) and banking trojans (including Dridex).

This focus on VBA maldocs has led to antivirus programs and other traditional protection solutions being better able to analyze and protect against them, in no small part thanks to the Antimalware Scan Interface (AMSI) now being integrated with Microsoft Office 365. Overall, of course, this is a good thing. However, XLM macros have largely been neglected in this rush to protect against malicious macros, and maldocs relying on this technology, which many IT and security professionals have never even used, are capable of almost every devious and criminal thing VBA maldocs are.

The various issues with Excel 4.0 macros

Even though they’re 26 years old and limited to Microsoft Excel, XLM macros are a rich language, one that makes plenty of offensive opportunities possible. The EXEC function can be used to create processes, and using the REGISTER and CALL functions, attackers can use XLM macros to access the Win32 API. Shellcode injection is a major risk associated with XLM macros, leading to hard-to-detect in-memory attacks and various types of exploits and zero-day viruses being launched on the target system.

Figure 1. Simple XLM Macro

One of the main areas where XLM and VBA macros differ is when it comes to Component Object Model (COM). Because COM was first developed in 1993, XLM macros can’t interact with it whereas VBA macros can. The other main difference between XLM and VBA, as mentioned above, is that VBA maldocs are routinely detected by antivirus solutions and XLM maldocs are not.

This is partially because XLM macros simply aren’t pinging the cybersecurity threat radar the way VBA macros are. However, it’s also because XLM macros are stored completely differently than VBA macros in Excel files. In newer versions of Excel, XLM macros are tucked away in an XML file in the subdirectory macrosheets. In older versions of Excel, Excel 4.0 macros are embedded in the Workbook OLE stream, while VBA macros are stored in a separate container. This has created a situation in which XLM macros end up in a blind spot for antivirus solutions and can circumvent AMSI, and as a result, XLM maldocs aren’t being detected, analyzed or stopped.

Figure 2. Specially crafted XLM Macro interacting with WinAPI
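As an added illustration (not code from the original article or from any vendor), the storage location described above can be turned into a simple triage check: open a newer-format workbook as a ZIP package, look for parts under the macrosheets folder, and flag formulas that call EXEC, REGISTER or CALL. The `xl/macrosheets/` prefix, the `<f>` formula elements, the function names and the sample package are assumptions of this sketch; legacy .xls files, where the macros sit in the Workbook OLE stream, are not covered.

```python
import io
import re
import zipfile

# The XLM functions the article singles out as offensive primitives.
RISKY = ("EXEC", "REGISTER", "CALL")
# Cell formulas are held in <f> elements of the sheet XML (assumed layout).
FORMULA_RE = re.compile(r"<f(?:\s[^>]*)?>(.*?)</f>", re.DOTALL)


def find_xlm_macrosheets(data: bytes) -> dict:
    """Map each macrosheet part in an OOXML workbook to the risky XLM
    functions its formulas call. An empty dict means no macrosheet."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            low = name.lower()
            # Skip everything except XML parts under the macrosheets folder.
            if not (low.startswith("xl/macrosheets/") and low.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            hits = set()
            for formula in FORMULA_RE.findall(xml):
                for fn in RISKY:
                    # Match FN( as a whole name, not as the tail of a longer one.
                    if re.search(rf"(?<![A-Z.]){fn}\s*\(", formula, re.I):
                        hits.add(fn)
            findings[name] = sorted(hits)
    return findings


def build_sample(with_macrosheet: bool) -> bytes:
    """Constructed, simplified package for this demo (not a full workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet><sheetData/></worksheet>")
        if with_macrosheet:
            zf.writestr(
                "xl/macrosheets/sheet1.xml",
                '<macrosheet><sheetData><row>'
                '<c r="A1"><f>EXEC(&quot;placeholder.exe&quot;)</f></c>'
                '<c r="A2"><f>HALT()</f></c>'
                '</row></sheetData></macrosheet>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, find_xlm_macrosheets(build_sample(flag)))
```

A macrosheet part with an empty function list is still worth a look, since the presence of a macrosheet in an incoming workbook is itself unusual.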

X-ing out XLM

XLM macros are supported in Office versions as recent as 2016. While files ending in .xlm are by default blocked from opening by recent Office versions, XLM macrosheets can be used in .xlsm, .xls and other acceptable file types. Beyond the default blocking of .xlm files, if you’re waiting for antivirus solutions to catch up to the threat of XLM macros, well, you’ve been waiting 26 years.

The only way to stop macro-based threats including zero-day viruses that can’t be detected by traditional protection solutions is to invest in a solution that blocks all malicious elements in any and all incoming files. Without a modern and proactive prevention solution, maldocs using decades-old technology are free to run amok.

Image credits: https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/