Hackers distribute malware by abusing the Excel 4.0 macro

May 6, 2021

According to new research, hackers are embracing Excel 4.0 documents as a gateway for the distribution of malware such as Zloader and Quakbot.

The finding comes from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021.

In its support document, Microsoft warns that enabling all macros can cause potentially dangerous code to run.

Quakbot (QBOT) and its variants can spread via Office documents and can deliver other malware payloads, record users' keystrokes, and create back doors on compromised machines.

The malware not only got users to enable decoy macros but also included files with embedded XLM macros whose function is to download and run second-stage payloads retrieved from a remote server.

Another sample included a Base64-encoded payload on one of the sheets, which was then used to download additional malware from an incomplete URL.
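For defenders triaging attachments like the samples described above, the following added example (not code from the research or from this article) lists Excel 4.0 macro sheets, hidden sheets, auto-run names and formulas that launch or stage code. It goes beyond the article in assuming an OOXML workbook (.xlsm/.xlsx), not the legacy binary .xls format; the names `triage_workbook`, `build_sample` and the `RISKY` function list are assumptions made for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET  # for hostile files, defusedxml is the safer parser

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
# Assumed, non-exhaustive list of XLM functions that launch or stage code.
RISKY = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FORMULA(?:\.FILL)?)\s*\(", re.I)

def triage_workbook(data: bytes) -> dict:
    """Report macro sheets, hidden sheets, auto-run names and risky XLM formulas."""
    report = {"macrosheets": [], "hidden_sheets": [], "auto_open": [], "risky_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for s in wb.iterfind("m:sheets/m:sheet", NS):
            if s.get("state") in ("hidden", "veryHidden"):
                report["hidden_sheets"].append(s.get("name"))
        for d in wb.iterfind("m:definedNames/m:definedName", NS):
            if "auto_open" in d.get("name", "").lower():
                report["auto_open"].append((d.get("name"), d.text))
        for part in z.namelist():
            if not part.lower().startswith("xl/macrosheets/") or not part.endswith(".xml"):
                continue
            report["macrosheets"].append(part)
            for c in ET.fromstring(z.read(part)).iter("{%s}c" % NS["m"]):
                f = c.find("m:f", NS)
                if f is not None and f.text and RISKY.search(f.text):
                    report["risky_formulas"].append((part, c.get("r"), f.text))
    return report

def build_sample() -> bytes:
    """Constructed, inert sample: a very hidden macro sheet with an auto-run name."""
    m = 'xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"'
    wb = ('<workbook %s><sheets><sheet name="Sheet1" sheetId="1"/>'
          '<sheet name="Macro1" sheetId="2" state="veryHidden"/></sheets>'
          '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
          '</definedNames></workbook>' % m)
    ms = ('<macrosheet %s><sheetData><row r="1"><c r="A1"><f>EXEC("placeholder.exe")</f></c>'
          '<c r="A2"><f>HALT()</f></c></row></sheetData></macrosheet>' % m)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", wb)
        z.writestr("xl/macrosheets/sheet1.xml", ms)
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_workbook(build_sample()))
```

A workbook that combines a hidden macro sheet, an auto-run name and any of the flagged functions is a strong candidate for quarantine and sandbox analysis before a user is allowed to open it.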

Some researchers comment that it would be better to deprecate some of the things kept for compatibility with older versions of macros.

Still not aware that you have fallen into the clutches of malware through fake macros? Ask for a consultation with our specialists at THETA432. The computer security of users is our goal!

Authored by

Jorge Daniel Tejeda