Threat actors use Excel 4.0 macros in Microsoft Excel to spread malware
Attackers are increasingly using Microsoft Excel 4.0 documents to spread malware such as ZLoader and Quakbot. Security researchers at ReversingLabs analyzed 160,000 Excel 4.0 documents between November 2020 and March 2021 and found that more than 90% of them were malicious or potentially dangerous.
"The biggest risk is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents based on signatures and YARA rules," the experts explained.
Excel 4.0 (XLM) macros are a legacy feature that Microsoft Excel retains for backward compatibility. As Microsoft warns, enabling all macros can cause "potentially dangerous code" to run. For example, the Quakbot malware (also known as QBOT) is capable of downloading other malware, logging user keystrokes and installing a backdoor. According to the experts, the malware not only tricked users into enabling macros, but also spread through built-in XLM macros that downloaded and executed a second-stage malicious payload from a remote server.
"While backwards compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated," the experts said.
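Because signature matching on XLM content is unreliable, a defender can triage on package structure instead. The sketch below is an added example, not code from the article or from ReversingLabs. It flags macro-sheet parts, an Auto_Open defined name and hidden sheets in an OOXML workbook (.xlsx/.xlsm only; legacy binary .xls files need a BIFF parser). The names `xlm_indicators` and `build_sample` are hypothetical, and the sample workbook is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
SS_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
MACROSHEET_CT = "application/vnd.ms-excel.macrosheet+xml"


def _parse(zf, name):
    raw = zf.read(name)
    if b"<!DOCTYPE" in raw:  # OOXML parts carry no DTD; refuse entity tricks
        raise ValueError(f"unexpected DTD in {name}")
    return ET.fromstring(raw)


def xlm_indicators(data: bytes) -> dict:
    """Structural Excel 4.0 (XLM) indicators in an .xlsx/.xlsm package."""
    found = {"macrosheets": [], "auto_open": False, "hidden_sheets": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        # Macro sheets are declared as package parts with their own content type.
        for ov in _parse(zf, "[Content_Types].xml").iter(f"{{{CT_NS}}}Override"):
            if ov.get("ContentType") == MACROSHEET_CT:
                found["macrosheets"].append(ov.get("PartName"))
        wb = _parse(zf, "xl/workbook.xml")
        # An Auto_Open defined name starts the macro once macros are enabled.
        for dn in wb.iter(f"{{{SS_NS}}}definedName"):
            if dn.get("name", "").lower().endswith("auto_open"):
                found["auto_open"] = True
        # Hidden sheets keep the macro cells out of the user's view.
        for sh in wb.iter(f"{{{SS_NS}}}sheet"):
            if sh.get("state") in ("hidden", "veryHidden"):
                found["hidden_sheets"].append(sh.get("name"))
    return found


def build_sample(with_xlm: bool) -> bytes:
    """Constructed package skeleton used as test input; it holds no macro code."""
    part = f'<Override PartName="/xl/macrosheets/sheet1.xml" ContentType="{MACROSHEET_CT}"/>'
    name = '<definedNames><definedName name="_xlnm.Auto_Open">Sheet1!$A$1</definedName></definedNames>'
    sheet = '<sheet name="Sheet1" sheetId="1" state="veryHidden"/>' if with_xlm else '<sheet name="Sheet1" sheetId="1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", f'<Types xmlns="{CT_NS}">{part if with_xlm else ""}</Types>')
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{SS_NS}"><sheets>{sheet}</sheets>{name if with_xlm else ""}</workbook>')
    return buf.getvalue()


if __name__ == "__main__":
    print(xlm_indicators(build_sample(True)))
```

A hit on any of the three fields is a reason to quarantine the attachment for analysis, not proof of malice; legitimate legacy workbooks can also carry macro sheets.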
Source: securitylab.ru
29 April 2021