Macros have been part of Excel since 1992. Excel 4.0 macros, also known as XLM macros, are a legacy feature of the program that automates repetitive tasks in spreadsheets. Unfortunately, the same feature has been turned into a covert backdoor that is frequently used for malware delivery: attackers increasingly use it to store hidden malicious code in Excel files as a persistent attack technique.
What makes Excel 4.0 macros so exposed is that they are an essential component of Excel's core capability. Macros are so deeply embedded in everyday business workflows that they are rarely disabled. Malware authors exploit this and attempt to sneak malicious payloads into Excel sheets through macro code, delivering them mostly as email attachments.
The threats around .IQY files
.IQY files are not Excel spreadsheets but plain text files associated with Excel. They store web query instructions that Excel uses to retrieve data from the web, so opening a .IQY file from an email attachment launches Excel. Malicious .IQY files are configured to download a PowerShell script, which can in turn discreetly download malware.
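Because a .IQY file is plain text, the URL Excel will fetch can be inspected before the file is ever opened. The following Python script is an added example, not code from the article: it parses the web-query layout (query type, format version, URL, then key=value options, as Excel writes it) and reports the things a reviewer would want flagged, such as cleartext HTTP, raw IP hosts, odd ports, script-like file extensions and allowed redirects. The sample file content is constructed for the example and points at a hypothetical host; the option names follow Excel's own output and should be checked against files from your environment.

```python
import re
from urllib.parse import urlparse

# Constructed sample .IQY content (not taken from any real campaign). The layout
# follows what Excel itself writes: query type, format version, URL, blank line,
# then key=value options.
SAMPLE_IQY = (
    "WEB\n"
    "1\n"
    "http://feeds.example.invalid/report.dat\n"
    "\n"
    "Selection=AllTables\n"
    "Formatting=None\n"
    "PreFormattedTextToColumns=True\n"
    "ConsecutiveDelimitersAsOne=True\n"
    "SingleBlockTextImport=False\n"
    "DisableDateRecognition=False\n"
    "DisableRedirections=False\n"
)

def parse_iqy(text: str) -> dict:
    """Split a .IQY file into query type, version, URL and options."""
    lines = text.splitlines()
    if len(lines) < 3:
        raise ValueError("too short to be a web query file")
    options = {}
    for line in lines[3:]:
        key, sep, value = line.partition("=")
        if sep:
            options[key.strip()] = value.strip()
    return {
        "type": lines[0].strip(),
        "version": lines[1].strip(),
        "url": lines[2].strip(),
        "options": options,
    }

def triage_iqy(text: str) -> list:
    """Return findings a reviewer would want to see before letting Excel run the query.
    An empty list means nothing notable was found (it is not a clean bill of health)."""
    q = parse_iqy(text)
    findings = []
    if q["type"].upper() != "WEB":
        findings.append(f"unexpected query type {q['type']!r}")
    url = urlparse(q["url"])
    if url.scheme not in ("http", "https"):
        findings.append(f"non-web scheme {url.scheme!r}")
    elif url.scheme == "http":
        findings.append("cleartext HTTP fetch: response can be altered in transit")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", url.hostname or ""):
        findings.append("URL uses a raw IP address instead of a hostname")
    if url.port not in (None, 80, 443):
        findings.append(f"non-standard port {url.port}")
    # A web query should pull a table, not a script: flag code-like extensions.
    if re.search(r"\.(ps1|exe|dll|hta|js|vbs|bat|cmd)$", url.path, re.I):
        findings.append(f"URL path ends in a script/executable extension: {url.path}")
    if q["options"].get("DisableRedirections", "True").lower() == "false":
        findings.append("redirects allowed: the final destination may differ from the URL shown")
    return findings

if __name__ == "__main__":
    for finding in triage_iqy(SAMPLE_IQY):
        print("-", finding)
```

Run against a quarantined attachment, the findings list is what a mail-gateway rule or an analyst would use to decide whether the query destination is an expected data feed; a .IQY that arrives unsolicited and points anywhere unfamiliar should not be opened at all.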
Start of the trend of Macro Attacks
The technique was picked up by a number of cyber criminals towards the end of January 2020, and in mid-February they launched a barrage of attacks (alongside other techniques) targeting accountants. An infected sheet would land in the victim's inbox containing malicious commands hidden in a formula. After downloading it, the victim was asked to click the 'Enable Editing' button, and that click triggered the malicious macro.
Following the first wave, the threat actors continued to use this evasion technique in further attacks, which peaked between May and July 2020.
The Stealth Technique
The loophole takes the form of macros hidden in Excel sheets: the macro sheet is not readily accessible via the Excel UI and cannot be revealed without an external tool. The hidden macros can be triggered through web queries or downloaded when a specific formula is executed. This loophole has been leveraged repeatedly to deliver malicious payloads via file uploads or email attachments and to exploit system vulnerabilities, creating new attack vectors.
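The "external tool" the paragraph mentions can be very small for modern OOXML workbooks, because an .xlsm is a ZIP archive and the hiding is recorded in plain XML. The Python script below is an added example (not the article's own tooling, and not a substitute for a full analyzer such as oletools' olevba, which also handles the legacy .xls format). It assumes the standard OOXML layout: sheet visibility is the `state` attribute of each `<sheet>` element in `xl/workbook.xml` (`hidden` can be undone from the Excel UI, `veryHidden` cannot), and Excel 4.0 macro sheets are stored as parts under `xl/macrosheets/`. It lists hidden sheets and macro sheets and flags formulas that call XLM functions rarely needed by legitimate macros. The sample workbook is constructed in memory for the example; the macrosheet XML it builds follows my understanding of the format, and the element lookup is namespace-agnostic so it also works on real parts whose root element uses a different namespace.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

# XLM functions that legitimate macro sheets rarely need but that downloaders
# rely on. A match is a triage signal that warrants a closer look, not proof.
SUSPICIOUS_XLM = ("EXEC", "CALL", "REGISTER", "FORMULA", "FOPEN", "FWRITE")
SUSPICIOUS_RE = re.compile(r"\b(" + "|".join(SUSPICIOUS_XLM) + r")\s*\(", re.I)

def local_name(tag: str) -> str:
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def scan_workbook(data: bytes) -> dict:
    """Inspect an OOXML workbook (.xlsx/.xlsm bytes) for hidden sheets and XLM macro sheets."""
    report = {"hidden_sheets": [], "macrosheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        # Sheet visibility is recorded in xl/workbook.xml. "hidden" can be undone
        # from the Excel UI; "veryHidden" cannot, only from VBA or by editing the file.
        for sheet in ET.fromstring(z.read("xl/workbook.xml")).iter():
            if local_name(sheet.tag) == "sheet":
                state = sheet.get("state", "visible")
                if state != "visible":
                    report["hidden_sheets"].append((sheet.get("name"), state))
        # Excel 4.0 macro sheets are stored as separate parts under xl/macrosheets/.
        for name in z.namelist():
            if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
                report["macrosheets"].append(name)
                for el in ET.fromstring(z.read(name)).iter():
                    if local_name(el.tag) == "f" and SUSPICIOUS_RE.search(el.text or ""):
                        report["suspicious_formulas"].append((name, el.text))
    return report

def build_sample_workbook() -> bytes:
    """Constructed minimal workbook archive (not a real sample): one visible sheet
    plus a veryHidden macro sheet holding a placeholder EXEC formula."""
    workbook_xml = f"""<workbook xmlns="{NS_MAIN}"
  xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
</workbook>"""
    macro_xml = f"""<macrosheet xmlns="{NS_MAIN}">
  <sheetData>
    <row r="1"><c r="A1"><f>EXEC("placeholder-command")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
  </sheetData>
</macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml",
                   f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>')
        z.writestr("xl/macrosheets/sheet1.xml", macro_xml)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_workbook(build_sample_workbook()))
```

A file that has any macrosheet part at all is worth a second look in most business environments, since Excel 4.0 macros are legacy; a `veryHidden` macro sheet combined with a flagged formula is a strong detonation-sandbox or block signal for an email gateway.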
The cyber criminals leveraged fear-based social engineering ploys, most commonly impersonating the Johns Hopkins Center and sending emails with the subject "WHO COVID-19 SITUATION REPORT". The attached Excel files contained a hidden malicious macro that downloaded and ran NetSupport Manager RAT, a remote administration tool that gave the attackers remote access.
Once the victim was lured into opening the file, the attackers gained remote access and could run commands on the compromised device. In some cases the malware would even email itself to everyone in the affected user's Outlook contact list. This technique was abused so widely that Microsoft had to issue a public warning against it.
How to protect against Malicious Macro Files
As malware creators moved on from pedestrian Office documents to other Internet-based methods of distributing viruses and malware, Microsoft added security precautions to Excel.
Using Protected View in Excel to open documents of uncertain provenance is the best way to protect yourself from such malware. Depending on your settings, files you open from the Internet or from an email attachment may automatically open in Protected View.
In this mode you can safely view the spreadsheet, but you cannot edit it until you click Enable Content. Likewise, all external data connections are disabled while the workbook is displayed in Protected View.
Migrating to VBA
Aware of these exploits, Microsoft has been encouraging users to move to Visual Basic for Applications (VBA). The Antimalware Scan Interface (AMSI), paired with VBA, can scrutinize the behaviour of VBA macros in depth, enabling the system to scan for suspicious macros and other malicious activity at runtime.
Integrate AMSI with MS Office
The integration of the Antimalware Scan Interface (AMSI) with Office 365 applications enables runtime scanning of macros, exposing malicious intent even under heavy obfuscation. This improvement to Office 365 allows modern endpoint security platforms such as Windows Defender ATP to defeat macro-based threats.
The best way to stay protected is to avoid downloading anything that comes from an untrusted source. In addition, consult a cyber security or Excel expert from time to time to stay up to date with the latest security developments in the business world.
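Both protections above (Protected View for files from the Internet, attachments and unsafe locations, and the AMSI macro runtime scan) are governed by per-user Office settings, so an endpoint check can confirm they have not been weakened. The following Python script is an added example, not from the article or from Microsoft: it reads the relevant values from HKCU on Windows and compares them with the settings a defender wants. The registry paths and value names are assumed from the Office Group Policy templates for Office 16.0 (including the misspelled `DisableAttachementsInPV`, which is how the value is actually named); verify them against the template version deployed in your environment, and note that values enforced through policy live under `Software\Policies` and take precedence. The comparison logic is separated from the registry read so it can be exercised on any platform.

```python
import sys

# Registry locations and value names as they appear in the Office Group Policy
# templates (assumed here for Office 16.0 under HKCU; verify against the ADMX
# version deployed in your environment).
KEYS = {
    r"Software\Microsoft\Office\16.0\Excel\Security\ProtectedView": (
        "DisableInternetFilesInPV",
        "DisableAttachementsInPV",  # Office spells the value name this way
        "DisableUnsafeLocationsInPV",
    ),
    r"Software\Microsoft\Office\16.0\Common\Security": ("MacroRuntimeScanScope",),
}

# Settings a defender wants: Protected View left enabled for every origin (0 = not
# disabled) and the AMSI macro runtime scan applied to all documents (2).
EXPECTED = {
    "DisableInternetFilesInPV": 0,
    "DisableAttachementsInPV": 0,
    "DisableUnsafeLocationsInPV": 0,
    "MacroRuntimeScanScope": 2,  # 0 = disabled, 1 = skip trusted documents, 2 = all
}

def evaluate(observed: dict) -> list:
    """Compare observed values with EXPECTED. An absent value is reported too,
    because then the Office default or a policy elsewhere decides the behaviour."""
    issues = []
    for name, wanted in EXPECTED.items():
        value = observed.get(name)
        if value is None:
            issues.append(f"{name}: not set")
        elif value != wanted:
            issues.append(f"{name}: {value} (expected {wanted})")
    return issues

def read_settings() -> dict:
    """Read the values from HKCU on Windows; on other platforms return an empty dict."""
    found = {}
    if sys.platform != "win32":
        return found
    import winreg
    for key_path, names in KEYS.items():
        try:
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                for name in names:
                    try:
                        found[name] = winreg.QueryValueEx(key, name)[0]
                    except FileNotFoundError:
                        pass
        except FileNotFoundError:
            pass
    return found

if __name__ == "__main__":
    for issue in evaluate(read_settings()) or ["all checked settings as expected"]:
        print(issue)
```

A non-zero `Disable...InPV` value means a user or an earlier administrator has switched Protected View off for that origin, which is exactly the condition a malicious attachment needs to reach the "Enable Content" prompt without the sandboxed first view.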