Guide to Prevent Execution of Excel 4.0 Macro Malware – Microsoft Office 365 Product

Excel 4.0 macro (XLM) malware is an attack method that uses Microsoft Office Excel files, and it has become the dominant document-malware trend following VBA (Visual Basic for Applications). Excel 4.0 macro malware uses Excel's 'macro sheet' feature, in which each cell of the sheet holds a function in a flow that can be executed.

Excel 4.0 macros have been the most actively used technique in recent malware distribution through MS Office files. Malware developers take advantage of the fact that, compared to the VBA method, such macros are much harder for anti-malware programs to detect, because the macro code is stored in a binary file format and is often further obfuscated. For these reasons, Microsoft announced the following security improvements. They are notable because they can serve as a fundamental prevention measure provided by Microsoft itself, stopping the malware from running rather than relying on detecting it and blocking it at the execution phase.

XLM + AMSI: New runtime defense against Excel 4.0 macro malware
Microsoft Security Official Blog, March 3, 2021[1]

“We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros.”

“Runtime inspection of XLM macros is now available in Microsoft Excel and can be used by antivirus solutions like Microsoft Defender Antivirus that are registered as an AMSI provider on the device.”

Microsoft announced that it has expanded the Antimalware Scan Interface (AMSI) to scan Excel 4.0 macro execution in Office 365 products. This allows anti-malware programs that use AMSI, including AhnLab V3, to detect Excel 4.0 macro malware. The following is the result of a V3 scan during the execution of actual Excel 4.0 macro malware: when the obfuscated macro code runs (see the figure below), the behavior of downloading files through the Windows API is recorded.

Restrict usage of Excel 4.0 (XLM) macros with new macro settings control
Microsoft Excel Official Blog, July 22, 2021[2]

“A new Excel Trust Center settings option to further restrict the usage of Excel 4.0 (XLM) macros is now generally available.”

“Found in the Trust Center Macro Settings, this new checkbox setting, “Enable Excel 4.0 macros when VBA macros are enabled”, allows users to individually configure the behavior of XLM macros without impacting VBA macros.”

This feature was newly added in Microsoft Office 365 Excel (Version 2104 or higher). A new user-selectable option was added at the settings location below; when the box is unchecked, only VBA macros run and Excel 4.0 macros do not, even if macro settings are enabled. Users are advised to uncheck the box, considering that most users currently write and run macros with VBA and that Excel 4.0 macros are mainly used by malware. Organizations that use Office 365 products, whether a company or a medium-sized group, can apply this setting collectively according to their administrator policy.

  • File > Options > Trust Center > Trust Center Settings > Macro Settings > Enable Excel 4.0 macros when VBA macros are enabled

This option is to be disabled by default in Office 365 Excel by the end of 2021.[3] Users should check their system environment and confirm that the 'Enable Excel 4.0 macros when VBA macros are enabled' option is disabled.
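As an added example (not part of the original post or of any Microsoft or AhnLab tooling), the following PowerShell script audits the two conditions above on a Click-to-Run install: whether Excel is at least Version 2104 (build 13929, the first build with the new checkbox) and whether the checkbox has been cleared. The registry location and value name of the checkbox are not given in the post, so `$XlmValuePath` and `$XlmValueName` are placeholders to be filled in from your organization's Office policy template, and the assumption that a value of 0 means "checkbox cleared" must be verified against that template.

```powershell
# Added audit script (not from the ASEC post). Run as the user whose Excel settings are audited.
# ASSUMPTIONS: $XlmValuePath / $XlmValueName are placeholders for the registry value behind the
# "Enable Excel 4.0 macros when VBA macros are enabled" checkbox; 0 is assumed to mean "cleared".
param(
    [string]$XlmValuePath = 'HKCU:\<PLACEHOLDER-registry-path-of-the-Excel-4.0-macro-setting>',
    [string]$XlmValueName = '<PLACEHOLDER-value-name>',
    [int]$MinimumBuild    = 13929   # Version 2104 = build 13929, where the checkbox first appeared
)

function Get-ExcelBuild {
    # Click-to-Run installs record the reported Office version here, e.g. 16.0.13929.20296
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                            -ErrorAction SilentlyContinue
    if (-not $cfg -or -not $cfg.VersionToReport) { return $null }
    return [int]($cfg.VersionToReport.Split('.')[2])   # third component is the build number
}

function Test-Xlm4Disabled {
    # $true only when the (placeholder) value exists and is 0, i.e. the checkbox is cleared
    $item = Get-ItemProperty -Path $XlmValuePath -Name $XlmValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }              # value absent: treat as not hardened
    return ([int]$item.$XlmValueName -eq 0)
}

$build = Get-ExcelBuild
if ($null -eq $build) {
    Write-Output 'Click-to-Run Excel not found; check the installation manually.'
} elseif ($build -lt $MinimumBuild) {
    Write-Output "Excel build $build is older than Version 2104 (build $MinimumBuild); the XLM checkbox is unavailable. Update Office first."
} elseif (Test-Xlm4Disabled) {
    Write-Output "Excel build $build: Excel 4.0 macros are disabled (checkbox cleared)."
} else {
    Write-Output "Excel build $build: Excel 4.0 macros still run when VBA macros are enabled. Clear the checkbox or set it by policy."
}
```

For a fleet, run the script through your management tooling and collect the output lines, since a machine below build 13929 cannot be hardened with this checkbox until Office is updated.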

[1] https://www.microsoft.com/security/blog/2021/03/03/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware
[2] https://techcommunity.microsoft.com/t5/excel-blog/restrict-usage-of-excel-4-0-xlm-macros-with-new-macro-settings/ba-p/2528450
[3] https://twitter.com/GelosSnake/status/1446192775087722497/photo/1
