Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary.
Just last month, Ukraine accused Russian government spies of uploading documents with malicious macros to a Ukrainian government document-sharing site. And amid the first wave of the COVID-19 pandemic, Microsoft warned of emails containing Excel files with malicious macros.
Microsoft has been using an integration between its Antimalware Scan Interface (AMSI) and Office 365 to knock out macro malware for years, but its successful efforts to take out macro scripts written in Visual Basic for Applications (VBA) ended up pushing attackers to an older macro language called XLM, which came with Excel 4.0 in 1992.
Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.
AMSI allows applications to integrate with any antivirus on a Windows machine to enable the antivirus to detect and block a range of malicious scripts in Office documents. Microsoft notes its Defender anti-malware is using this integration to detect and block XLM-based malware and is encouraging other anti-malware providers to adopt it, too.
Although XLM was superseded by VBA in 1993, XLM is still used by some customers and so it remains supported in Excel.
“While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands,” explain Microsoft’s security teams.
The arrival of AMSI’s VBA runtime scan in 2018 “effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny,” says Microsoft.
“Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM,” it continues.
If the antivirus detects a malicious XLM macro, the macro won’t execute and Excel is terminated, thus blocking the attack.
Runtime inspection of XLM macros is now available in Microsoft Excel and is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.