This type of macro code is actively being abused and weaponized by attackers to deliver additional, more persistent malware. IntroductionĮxcel 4.0, or XLM macros, is a 30-year-old feature of Microsoft Excel that has been gaining popularity among malware authors and attackers, especially over the last year (see Chart 1).
#Super dragon ball heroes: world mission download
Evasion routines and obfuscation were the primary areas of evolution, as the base functionality of these samples remained the same – download and invoke a more persistent payload, such as an EXE or DLL file. The size of these clusters suggest that these samples are being generated with some sort of toolkit or document generator, as these samples resemble one another too closely to not be related. Each of these waves appeared to build on its predecessor, extending its functionality by introducing new techniques on top of what already was being used. We found that roughly every 1-2 weeks, a new wave of samples emerged, each more evasive and sophisticated than the last. Through clustering thousands of samples and performing in-depth code-level analysis of each cluster, we were able to visualize and witness the evolution of this threat. In this blog post, we describe each wave and cluster in detail, by breaking down every new technique discovered, and explaining why each is significant, effective, or ineffective.
Techniques used in the first wave of samples we observed in February are still being leveraged in samples being discovered today. As previously mentioned, these techniques appear to surface in waves, with each new wave introducing new techniques, building on the previous wave or cluster. The techniques employed by these attackers include ways to evade automated sandbox analysis and signature-based detection, as well as hands-on analysis performed by malware analysts and reverse engineers. As XL4 macros represent somewhat “uncharted territory,” malware authors and security researchers are making new discoveries daily, pushing the boundaries of this technique and identifying ways to evade detection and obfuscate their code. We were able to cluster samples into distinct waves, which clearly display how this technique has evolved through time to become more sophisticated and more evasive. Intercepting these samples has provided valuable data to build statistics, identify trends, find outliers, and track campaigns. The Lastline Threat Research Group has observed thousands of samples leveraging this technique, and has been monitoring and tracking trends for the last 5+ months. As this is a 30-year-old feature that has only been discovered and exploited en mass by attackers in the last year, many security vendors do not currently have detection mechanisms in place to trigger on these samples, and building reliable signatures for this type of attack is not a small task. For many organizations, blacklisting isn’t a viable solution, and any signatures to flag these samples must be precise enough not to trigger on files that leverage this feature legitimately.
This technique provides attackers a simple and reliable method to get a foothold on a target network, as it simply represents an abuse of a legitimate feature of Excel, and does not rely on any vulnerability or exploit. Excel 4.0 (XL4) macros are becoming increasingly popular for attackers, as security vendors struggle to play catchup and detect them properly.