Alert: Excel4Macro attacks bypass Office ATP
An old threat has resurfaced, and in its latest guise, it has been able to consistently bypass Office ATP security measures.
For over six months now we’ve seen this method of attack actively using Excel4Macro to deliver dangerous malware – including hundreds of such attacks in the U.S. in the past few weeks. These attacks keep coming, and at BitDam we’ve noted more than 500 unique incidents within the past two weeks of October.
It’s not just Microsoft Office ATP that’s missing this threat – other advanced email solutions are being bypassed over and over again.
The malware in question is called zLoader. In this piece, we’ll look at it in more detail, including the steps you can take to ensure you’re safe from this type of attack.
zLoader is back
zLoader is a variant of the Zeus banking malware, which was first spotted in the wild in 2006. It is deployed onto a victim’s infrastructure through Office macros, and is then able to steal passwords, make financial transactions and exfiltrate sensitive data.
This latest version of zLoader includes numerous evasion and obfuscation techniques. For example, it does not fetch the payload unless certain criteria are met, like a sound card being present. This, along with other techniques such as junk code and encrypted strings, has helped this campaign to be so successful.
What does it actually look like?
This Excel4Macro attack, as the name suggests, takes advantage of Excel macros – essentially an automated set of actions.
Initially the user is presented with an Excel spreadsheet that attempts to convince them to “enable editing” and “enable content” and thus circumvent default Microsoft security features. To do this, various ploys are used: from “download this invoice” to “a family member has been exposed to COVID-19”.
Varying degrees of sophistication are employed. What follows is a relatively simple example. Note the ruse and the calls to action.
As you can see, there is another sheet or tab present. If one were to open it up and search for non-empty cells, the Excel4Macro attack would be immediately visible. Here’s a sample of it:
We’ve seen this before
The Excel4Macro attack method is not new. In fact, we wrote about it earlier this year, mentioning that these attacks typically bypass Office ATP; and much has been written about attacks using malicious Excel macros.
This threat, however, is constantly evolving. The way it is being used now is more complex and sophisticated than ever before, with the threat actors finding increasingly devious ways to obfuscate the Excel4Macro element of the attack.
Not content with stopping there, they are now even using new functions of Excel4Macro to evade current Office ATP detection techniques, fetch the zLoader malware from a remote server, and run it on the victim’s machine.
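The manual check described earlier (open the extra sheet and look for non-empty cells) and the auto-run, fetch-and-execute behaviour described here can both be turned into a triage script. The following is an added example written for this post, not BitDam’s tooling and not the campaign’s document: it walks an Open XML workbook container (.xlsm) and reports Excel 4.0 macro sheets, their hidden state, Auto_Open-style defined names, and any macro cells that use code-executing XLM functions. It assumes the standard SpreadsheetML package layout (xl/workbook.xml, xl/_rels/workbook.xml.rels, xl/macrosheets/*.xml) and the xlMacrosheet relationship type; the sample workbook it scans is constructed in memory with a placeholder command, so it runs offline.

```python
"""Triage an .xlsm/.xlsx package for Excel 4.0 (XLM) macro sheets.

Added example; assumes the Open XML SpreadsheetML package layout and the
xlMacrosheet relationship type. The sample workbook is constructed below.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
NS_REL = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
NS_PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MACROSHEET_REL = "http://schemas.microsoft.com/office/2006/relationships/xlMacrosheet"

# XLM functions that run commands, load DLLs or write to disk (hypothetical list,
# chosen for this example; extend it with your own detections).
RISKY = re.compile(r"\b(EXEC|CALL|REGISTER|FOPEN|FWRITE|RUN)\s*\(", re.IGNORECASE)
AUTO_NAMES = {"auto_open", "_xlnm.auto_open", "auto_close", "_xlnm.auto_close"}


def scan_workbook(data: bytes) -> dict:
    """Return macro sheets, auto-exec defined names and risky formulas found."""
    report = {"macrosheets": [], "auto_exec_names": [], "suspicious": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        rels = ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))
        rel_map = {r.get("Id"): (r.get("Type"), r.get("Target"))
                   for r in rels.iter(NS_PKG + "Relationship")}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        # Auto_Open / Auto_Close names give the macro sheet an entry point on open.
        for dn in wb.iter(NS_MAIN + "definedName"):
            if (dn.get("name") or "").lower() in AUTO_NAMES:
                report["auto_exec_names"].append(dn.get("name"))
        for sheet in wb.iter(NS_MAIN + "sheet"):
            rtype, target = rel_map.get(sheet.get(NS_REL + "id"), (None, None))
            if rtype != MACROSHEET_REL:
                continue  # ordinary worksheet, not an XLM macro sheet
            name = sheet.get("name")
            state = sheet.get("state", "visible")  # hidden / veryHidden are common
            report["macrosheets"].append({"name": name, "state": state})
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ms = ET.fromstring(z.read(part))
            for c in ms.iter(NS_MAIN + "c"):   # every non-empty cell on the sheet
                f = c.find(NS_MAIN + "f")
                if f is not None and f.text and RISKY.search(f.text):
                    report["suspicious"].append(
                        {"sheet": name, "cell": c.get("r"), "formula": f.text})
    return report


def is_suspicious(report: dict) -> bool:
    """Flag a macro sheet that is hidden, auto-runs, or calls risky functions."""
    if not report["macrosheets"]:
        return False
    hidden = any(s["state"] != "visible" for s in report["macrosheets"])
    return hidden or bool(report["auto_exec_names"]) or bool(report["suspicious"])


def build_sample_workbook(with_macro: bool = True) -> bytes:
    """Constructed stand-in for a lure document: a visible 'Invoice' sheet and,
    optionally, a veryHidden XLM sheet with a placeholder EXEC command."""
    sheets = '<sheet name="Invoice" sheetId="1" r:id="rId1"/>'
    rels = ('<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
            'officeDocument/2006/relationships/worksheet" Target="worksheets/sheet1.xml"/>')
    names = ""
    if with_macro:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        rels += f'<Relationship Id="rId2" Type="{MACROSHEET_REL}" Target="macrosheets/sheet1.xml"/>'
        names = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
    workbook = (f'<workbook xmlns="{NS_MAIN[1:-1]}" xmlns:r="{NS_REL[1:-1]}">'
                f'<sheets>{sheets}</sheets>{names}</workbook>')
    rels_xml = f'<Relationships xmlns="{NS_PKG[1:-1]}">{rels}</Relationships>'
    ws = (f'<worksheet xmlns="{NS_MAIN[1:-1]}"><sheetData><row r="1">'
          '<c r="A1" t="inlineStr"><is><t>Enable content to view invoice</t></is></c>'
          '</row></sheetData></worksheet>')
    macro = (f'<xm:macrosheet xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main" '
             f'xmlns="{NS_MAIN[1:-1]}"><sheetData>'
             '<row r="1"><c r="A1"><f>EXEC("PLACEHOLDER_COMMAND")</f></c></row>'
             '<row r="2"><c r="A2"><f>HALT()</f></c></row>'
             '</sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/_rels/workbook.xml.rels", rels_xml)
        z.writestr("xl/worksheets/sheet1.xml", ws)
        if with_macro:
            z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in (("lure", build_sample_workbook()), ("clean", build_sample_workbook(False))):
        r = scan_workbook(wb)
        print(label, "suspicious" if is_suspicious(r) else "clean", r)
```

The scanner only reads the package; it never evaluates formulas, so heavily obfuscated sheets that build their EXEC call at runtime from CHAR() fragments will show up through the hidden-sheet and Auto_Open indicators rather than the formula match. Legacy .xls files store XLM in BIFF records rather than XML and need a BIFF parser instead.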
Analysis and protective measures
Based on testing using BitDam’s BAS2.0, these attacks are not being detected by Office ATP, even a full 48 hours after the first time that Office ATP has encountered them.
To assess your organization’s current vulnerability to zLoader and other real-world, real-time malware and phishing attacks, BitDam provides a range of tools to gauge your current risk profile and protect against the latest threats.