Threat researcher explains why it’s tricky to tell the difference between legitimate Excel Macros and ones that deliver malware.
Microsoft released Excel 4.0 for Windows 3.0 and 3.1 in 1992, and many companies still use this functionality in legacy operations. The problem is that bad actors have started using Excel sheets and macros as a new way to deliver malware.
Tal Leibovich, head of threat research at Deep Instinct, explained at a presentation during DEFCON 29 why this legacy scripting language has been the vehicle for a recent rise in malware delivery. Leibovich presented “Identifying Excel 4.0 Macro strains using Anomaly Detection” with Elad Ciuraru last week. Deep Instinct is a company specializing in endpoint protection and using deep learning to stop cyberattacks.
Organizations first noticed a spike in this kind of attack in March 2020. Microsoft released a new runtime defense against Excel 4.0 macro malware in March. Leibovich said that he has seen a substantial increase over the last two years in hackers using Excel 4.0 Macros in attacks.
“You’d expect attacks using this old script language to be very limited but we are seeing new obfuscation techniques,” he said.
Hackers are using creative tactics to build new attack vectors. Leibovich said that hackers are also using other Excel commands and API calls to Windows in the attacks.
“You can use a short command in one place and another here in the Excel sheet and by jumping between different cells you can create an attack,” he said. “That’s the way a lot of attackers create malware that is undetected.”
The problem for defenders is that this capability in Excel is legitimate and is not always used maliciously.
“Many organizations have legacy files that use macros,” he said.
He said that the challenge is creating a good detection engine that can spot actual threats without generating false positives and noise.
“Excel’s auto-open capability is fundamental and everybody uses it, so you have to detect the specific functionality of the macro to avoid creating false alarms,” he said. “The main tool we use to do that is deep learning.”
How to protect against macro-based malware
It’s easy to understand why this threat has been so persistent over the years. Macro worms and viruses primarily use Visual Basic for Applications programming in Microsoft Office, which is the prevalent productivity suite. The basic math is that Microsoft is dominant in this space, its use of Visual Basic for Applications is highly and easily targeted, and many organizations still do not always properly address the macro issue, according to Aaron Card, director of digital forensics and incident response at NTT Ltd.
The nuclear option for protecting against this kind of malware is to block any and all inbound macro-enabled and macro-embedded files from email or file transfer pathways, Card said.
“Any O365 organization can also set a group policy to ‘disable all macros,’ with or without notification to the user in case a file somehow slipped through the defenses, or someone was allowed to run a file from an external drive or media,” he said.
Also, most endpoint protection products can be configured to block macros.
“If you are an organization that absolutely must use macro functionality to function, then I suggest running all functionality and users in virtual desktop environments to greatly limit any spread or damage from macro malware that persists,” he said.
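The two defensive points above, detecting the auto-open hook and the cell-hopping Excel 4.0 formulas rather than macros in general, and blocking anything macro-bearing at the gateway, can be checked directly against the file. The script below is an added example and not code from the talk or from Deep Instinct or NTT; it parses an OOXML workbook with the standard library only, looks for `xl/vbaProject.bin`, Excel 4.0 macrosheet parts, `Auto_Open` defined names and a small, hypothetical watch-list of XLM functions, and builds its own constructed sample workbook in memory.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical watch-list of Excel 4.0 (XLM) functions: ones that run code,
# hop between cells or write formulas into other cells. Not the talk's model.
XLM_WATCH = ("EXEC", "CALL", "REGISTER", "RUN", "GOTO", "FORMULA")
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"

def inspect_workbook(data: bytes) -> dict:
    """Report macro indicators found in an OOXML workbook (.xlsx/.xlsm bytes)."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    report = {"has_vba": "xl/vbaProject.bin" in names, "auto_open_names": [],
              "macrosheets": sorted(n for n in names if n.startswith("xl/macrosheets/")),
              "xlm_calls": {}}
    if "xl/workbook.xml" in names:
        # Defined names starting with Auto_Open run as soon as the file opens.
        for el in ET.fromstring(zf.read("xl/workbook.xml")).iter(f"{{{MAIN_NS}}}definedName"):
            if (el.get("name") or "").lower().startswith("auto_open"):
                report["auto_open_names"].append(el.get("name"))
    for part in report["macrosheets"]:
        # Walk every <f> (formula) element regardless of namespace and count watch-listed calls.
        for el in ET.fromstring(zf.read(part)).iter():
            if el.tag.endswith("}f") or el.tag == "f":
                for fn in re.findall(r"\b([A-Z.]+)\(", el.text or ""):
                    if fn in XLM_WATCH:
                        report["xlm_calls"][fn] = report["xlm_calls"].get(fn, 0) + 1
    return report

def is_macro_bearing(report: dict) -> bool:
    """The gateway rule from the article: block anything that carries macros at all."""
    return report["has_vba"] or bool(report["macrosheets"]) or bool(report["auto_open_names"])

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample, not a real file: optionally adds a hidden XLM sheet whose formulas hop between cells."""
    sheets, defs = '<sheet name="Sheet1" sheetId="1"/>', ""
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden"/>'
        defs = '<definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames>'
    macro = (f'<xm:macrosheet xmlns="{MAIN_NS}" xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
             '<sheetData><row r="1"><c r="A1"><f>GOTO(R3C1)</f></c></row>'
             '<row r="3"><c r="A3"><f>FORMULA(R4C1&amp;R5C1,R6C1)</f></c></row>'
             '<row r="7"><c r="A7"><f>EXEC(R6C1)</f></c></row></sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{MAIN_NS}"><sheets>{sheets}</sheets>{defs}</workbook>')
        if with_macro:
            zf.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()
```

A legacy workbook with only VBA shows up as `has_vba` with no XLM calls, which is exactly the case the detection engine must tell apart from the cell-hopping pattern before raising an alarm.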
User education about cybersecurity is more about optics than impact, according to Card. In his experience, user education only works when it is practiced and measured over and over again. The other key is establishing real consequences when people break the rules.
Card said that there are two specific tactics that are effective in influencing user behavior. The first involves adding specific language around responsible cybersecurity behavior into performance reviews.
“For example, does a team member have low or no instances of clicking on phishing emails or using an insecure device for work,” he said. “Adding an incentive, such as a bonus when possible, can also help sharpen a company’s security posture.”
The other tactic is giving each leader a score on a monthly or quarterly basis based on the number of user-related security errors that have or have not occurred on their watch.
“Those scores are shared internally in a kind of leaderboard or scorecard, and this kind of accountability drives people to do better,” he said.