Libraesva, a company specializing in email security, is raising the level of alert on a new trend of cyber attacks that are triggered on users’ PCs by enabling Excel macros.
“It is not new to see Office suite features used as access vectors for criminals, but our recent analyses are encountering a growing trend of hackers inserting malicious code specifically in one of the oldest Excel features – the Macro-Formula, also known as XLM Macro. It is also concerning that this malicious code is not intercepted by 90% of antivirus programs,” declares Rodolfo Saccani, R&D Security Manager of the company.
Excel is a universally known tool from the Office suite, widely used in private and especially business settings for calculations, forecasting, and budgets. As Microsoft’s solutions have improved over time, some features from initial versions have been maintained and are therefore still supported today. These are now becoming of interest to attackers who use them as access vectors to users’ IT systems and thus for propagating malicious campaigns.
The Macro-Formula feature, present in all Excel versions, is used to deliver a dropper capable of fetching various types of malware, including banking trojans, viruses, etc., which makes it adaptable to ever-different malicious intentions. From a technical standpoint, when the user accepts the “ENABLE MACROS” prompt, the malicious code builds a formula by collecting fragments from many different cells and applying obfuscating transformations that are difficult to identify; it then writes and executes the assembled formula through the FORMULA.FILL call.
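The following added example (not Libraesva’s code, nor part of the original article) shows how a defender can flag workbooks that carry an Excel 4.0 macro sheet: in OOXML-packaged workbooks (.xlsm) such sheets live under `xl/macrosheets/`, and the example lists their formulas and flags calls such as FORMULA.FILL. The sample workbook it builds is constructed for the test and is not a real malicious file.

```python
"""Added example: flag Excel 4.0 (XLM) macro sheets inside an OOXML workbook (.xlsm)."""
import io
import zipfile
import xml.etree.ElementTree as ET

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
# XLM calls worth a closer look; FORMULA.FILL is the one the article names.
SUSPICIOUS = ("FORMULA.FILL", "FORMULA(", "EXEC(", "CALL(", "REGISTER(", "RUN(")

def xlm_formulas(workbook_bytes):
    """Map each xl/macrosheets/*.xml part to the formulas found in its <f> cells."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(workbook_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/macrosheets/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                found[name] = [f.text for f in root.iter(f"{{{MAIN_NS}}}f") if f.text]
    return found

def flag_workbook(workbook_bytes):
    """Return (sheet, formula) pairs whose formula contains a suspicious XLM call.
    The mere presence of a macrosheet (see xlm_formulas) is already a strong signal."""
    hits = []
    for sheet, formulas in xlm_formulas(workbook_bytes).items():
        for formula in formulas:
            if any(tok in formula.upper() for tok in SUSPICIOUS):
                hits.append((sheet, formula))
    return hits

def build_sample(with_macrosheet=True):
    """Constructed test input, not a real sample: a minimal zip shaped like an .xlsm."""
    sheet = (f'<xm:macrosheet xmlns="{MAIN_NS}" '
             'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">'
             '<sheetData><row r="1"><c r="A1"><f>CHAR(C3)&amp;CHAR(C4)</f></c></row>'
             '<row r="2"><c r="A2"><f>FORMULA.FILL(A1,B1)</f></c></row>'
             '</sheetData></xm:macrosheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", f'<workbook xmlns="{MAIN_NS}"/>')
        if with_macrosheet:
            zf.writestr("xl/macrosheets/sheet1.xml", sheet)
    return buf.getvalue()

if __name__ == "__main__":
    for sheet, formula in flag_workbook(build_sample()):
        print(f"{sheet}: {formula}")
```

Legacy binary .xls files store XLM in BIFF records rather than in a zip, so this check only covers the OOXML container; the substring match is a heuristic and will not see formulas the macro assembles at run time from cell contents, which is exactly why the presence of any macrosheet should be treated as suspicious on its own.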
Rather than the specific malware family, it is the attack pattern that Libraesva investigates, on the principle that documents delivered via email should never be allowed to execute anything; any suspicious attachment is therefore held in the QuickSand sandbox for analysis.
This Excel-based attack campaign began to appear at the beginning of May and has continued without pause since then. “In EsvaLabs, we noticed a change in attack methods between April and May: in the first month, hackers preferred to insert code into droppers that was more easily recognizable by antivirus filters. In this month of May, the contents of these ‘Trojan horses’ are carrying ever-new and diversified forms of attack,” explains the manager. Since the malicious code is triggered by the user at the moment they allow macros to be enabled in Excel, it is easy to understand why even the most common security filters fail to intercept the potential threat immediately, allowing emails containing it to pass through and reach the end user’s inbox.
“Emails remain the preferred vector for cybercriminals to undermine the security and reputation of companies, credit and banking institutions, and private individuals. Evidence of this can be seen in the many campaigns we intercept daily in EsvaLabs, not least the massive phishing campaign that affected Italian users during these months of Covid-19 lockdown, in which this topic was used by attackers to induce users to open attachments or links in seemingly harmless emails, and as one can imagine, of high informational interest, to achieve their goals of stealing credentials and personal data,” comments Paolo Frizzi, CEO of Libraesva. “It is important to renew once more the invitation to pay the utmost attention to communications received via email, to their form and content, particularly to attachments even when they come from known senders. The evidence indeed shows how unfortunately the first ‘partners’ of the attackers are ourselves, individual users of email, who with a simple click – in this case activating a Macro-Formula in Excel – detonate the bomb against our own systems without knowing it.”