Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Microsoft: We're cracking down on malware that uses Excel macros
#1
Quote:A new antivirus and Office 365 integration from Microsoft allows for scanning malicious macro scripts written in XLM at runtime.
 
Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. 
 
Just last month, Ukraine accused Russian [color=var(--theme-link_a)]government spies of uploading documents with malicious macros to a Ukrainian government document-sharing site. And amid the first wave of the COVID-19 pandemic, Microsoft [color=var(--theme-link_a)]warned of emails containing Excel files with malicious macros[/color][/color]
 
Microsoft has been using an integration between its Antimalware Scan Interface ([color=var(--theme-link_a)]AMSI) and Office 365 to knock out macro malware for years, but its successful efforts to take out macro scripts written in Visual Basic for Applications (VBA) ended up pushing attackers to an older macro language called XLM, which came with Excel 4.0 in 1992.  [/color]
 
Now Microsoft is [color=var(--theme-link_a)]expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 [color=var(--theme-link_a)]XLM[/color] macros at runtime, bringing AMSI in line with VBA.[/color]
 
AMSI allows applications to integrate with any antivirus on a Windows machine to enable the antivirus to detect and block a range of malicious scripts in Office documents. Microsoft notes its Defender anti-malware is using this integration to detect and block XLM-based malware and is encouraging other anti-malware providers to adopt it, too. 
 
Although XLM was superseded by VBA in 1993, XLM is still used by some customers and so it remains supported in Excel.  
"While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands," explain Microsoft's security teams. 
 
The arrival of AMSI's VBA runtime scan in 2018 "effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny," says Microsoft. 
"Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM," it continues. 
 
If the antivirus detects a malicious XLM macro, the macro won't execute and Excel is terminated, thus blocking the attack. 
 
Runtime inspection of XLM macros is now available in Microsoft Excel and is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.


Source
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Hackers now use Microsoft OneNote attachments to spread malware tarekma7 0 615 01-24-2023 , 10:21 AM
Last Post: tarekma7
  Emotet malware now wants you to upgrade Microsoft Word dhruv2193 0 1,040 10-25-2020 , 05:40 AM
Last Post: dhruv2193
  Microsoft Defender can ironically be used to download malware mrtrout 0 923 09-04-2020 , 02:05 AM
Last Post: mrtrout
  Microsoft and Intel Will Soon Be Able To Convert Malware Into Images dhruv2193 0 1,314 05-13-2020 , 03:03 PM
Last Post: dhruv2193
  Microsoft's Windows 10 warning: Astaroth malware is back. This time it's even stealth dhruv2193 0 1,429 03-25-2020 , 01:58 PM
Last Post: dhruv2193

Forum Jump:


Users browsing this thread: 1 Guest(s)