Macro malware is one of the oldest cybercrime methods, at least amongst those still in use today. Threat actors have been turning to macros since the 90s, and still getting some success. That’s because this is a simple technique for pushing malware onto a system. Just last year, during the early months of the COVID-19 pandemic, Microsoft said customers were getting macro emails. Specifically, emails with Microsoft Excel attachments loaded with malicious macros. Microsoft has long been protecting its services against macro threats. This involves an integration between Office 365 and the company’s Antimalware Scan Interface (AMSI). However, most those efforts were focused on taking out more modern macros in Visual Basic for Applications (VBA).
Updating AMSI
Ever the resourceful bunch, hackers simply reverted back older macro languages… XLM. This was a language that shipped with Excel 4.0 way back in 1992. VBA arrived in 1993, but XLM remains a recognized language. Microsoft is now allowing ASMI to also tackle XLM content. “While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands,” says Microsoft’s security team. “Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM,” it continues. Tip of the day: Did you know that Windows 10´s Task Manager lets you set CPU affinity to claw back some resources from running apps and give selected apps higher priority. Our tutorial shows how you can use this helpful feature.