Hackers Update Age-Old Excel 4.0 Macro Attack

Basic terminology used in the article:

  1. XLS: the file extension of the legacy Excel 97-2003 binary spreadsheet format created by Microsoft for use with Microsoft Excel.
  2. Macro: an Excel macro is a recorded or hand-written sequence of Excel actions that can be replayed as many times as you want. Excel 4.0 (XLM) macros, the kind used in this attack, can also launch external programs (for example through the EXEC function), which is what makes them useful to an attacker.
  3. Burp Suite: an integrated platform for security testing of web applications; in this article it is used as an intercepting proxy.
  4. Payload: the component of a piece of malware that carries out the malicious activity.

The Context: 

Microsoft Excel, the world’s leading data visualization and analysis tool, is being abused by attackers. Password-protected .xls files are encrypted with the Microsoft Enhanced Cryptographic Provider v1.0 (RC4). During this attack, the intruder sends an email containing an XLS spreadsheet whose contents may be tailored to the victim’s profile.

Intruders have enhanced the age-old Excel malware attack technique with a new password-less twist. Researchers have identified a method that no longer requires victims to enter a password to open a dangerous document, exposing them more readily to malware infection.

According to Trustwave researcher Diana Lopera, in a blog post outlining the discovery posted on Friday: “Password protected documents can only be opened with the correct password as this is the key needed in the decryption process. Excel first attempts to open a password protected Excel file using a default password VelvetSweatshop in read-only mode. Hence, the updated malware attack required no password input from the user, nor was a warning prompted by the application. The content of the XLS files was immediately displayed.”

The logic behind the scenes: a password-protected Excel document is sent by email, encrypted with the Microsoft Enhanced Cryptographic Provider v1.0. In the classic version of the attack the message body supplies the password, which the attacker uses to tempt the target into opening the document; in the new variant the file is encrypted with VelvetSweatshop, which Excel tries on its own, so no password needs to be supplied at all. Either way, the encryption layer often lets the malicious email slip past email defenses, because scanners cannot see inside the encrypted workbook. The document contains Excel 4.0 macro sheets, one of which holds the malicious macro. The macro downloads a binary from a compromised site, saves it to disk on the C drive, and executes it. The binary runs with the privileges of the user who opened the file; any further elevation to administrator is up to the payload itself.

(Once the system is compromised, all of your personal data, from government ID numbers to bank account PINs, is exposed to the intruder.)


How to identify the attack? 

My methodology: 

Use the intercepting proxy Burp Suite. Burp sits between your web browser (or any other proxy-aware client) and the web server: every web request passes through it, where it can be inspected, modified, or dropped, and later used to find and exploit security vulnerabilities.

When the macro runs and tries to fetch its payload, the download request shows up in Burp’s interceptor, where it can be inspected and dropped to stop the attack. This only works if the test machine’s system proxy settings point at Burp’s listener, because the macro’s download (typically through URLDownloadToFile) goes through WinINet and honours those settings; it is a lab technique for analysing a sample, not a defense to rely on in production.

How does the attack take place?

So basically, the attackers need to run their own code on the victim’s computer, right?

The attackers bind a payload to the Excel macro. That payload is typically a reverse TCP shell, which gives them remote code execution (RCE) on the machine that opened the file, and from that shell they can go on to compromise the whole system. In the sample discussed here the payload was delivered as an executable named 033ventdata.exe, which was barely detected by antivirus products or Windows Defender.

Basically, there are two types of shells:

  1. Reverse shell: the victim’s machine connects out to the intruder.
  2. Bind shell: the intruder connects in to the victim’s machine.

In addition, because Excel 4.0 macros are stored inside the Workbook OLE stream of the Excel 97-2003 binary format (.xls), many antivirus products have difficulty parsing that stream to find and inspect them.
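Both points above, that the macro sheets live inside the Workbook stream where scanners struggle to see them, and that the file is encrypted with a password Excel will try on its own, come down to a handful of BIFF records in that stream. The following Python script is an added example, not code from the original article or from Trustwave: it walks the Workbook stream record by record and reports a FILEPASS record (the workbook is encrypted, so anything after it is unreadable until decrypted), BOUNDSHEET records of type 0x01 (Excel 4.0 macro sheets, with their hidden/very-hidden state) and a built-in Auto_Open name, which is what fires an XLM macro when the file opens. The two sample streams are constructed inline for illustration. The `scan_xls_file` helper at the end assumes the third-party `olefile` and `msoffcrypto-tool` packages are installed and that VelvetSweatshop is the password worth trying first.

```python
"""Scan an Excel 97-2003 Workbook stream for XLM macro sheets, Auto_Open and encryption.

Added example (not from the original article). Record layouts follow MS-XLS.
"""
import struct

# BIFF8 record types (MS-XLS)
REC_BOF = 0x0809
REC_EOF = 0x000A
REC_FILEPASS = 0x002F      # present only when the workbook is password protected
REC_BOUNDSHEET = 0x0085    # one per sheet: position, hidden state, sheet type, name
REC_LBL = 0x0018           # defined name; fBuiltin + code 0x01 is Auto_Open

SHEET_TYPES = {0x00: "worksheet", 0x01: "xlm_macro", 0x02: "chart", 0x06: "vba_module"}
HIDDEN_STATES = {0: "visible", 1: "hidden", 2: "very_hidden"}
BUILTIN_NAMES = {0x01: "Auto_Open", 0x02: "Auto_Close"}


def iter_records(stream):
    """Yield (type, payload) for each BIFF record: u16 type, u16 length, payload."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        pos += 4
        yield rtype, stream[pos:pos + size]
        pos += size


def _short_string(data, off):
    """ShortXLUnicodeString: u8 cch, u8 flags (bit 0 = 16-bit chars), then chars."""
    cch, flags = data[off], data[off + 1]
    if flags & 1:
        return data[off + 2:off + 2 + 2 * cch].decode("utf-16-le", "replace")
    return data[off + 2:off + 2 + cch].decode("latin-1")


def scan_workbook_stream(stream):
    """Return a dict describing encryption, sheets and auto-run names in a Workbook stream."""
    result = {"encrypted": False, "encryption_type": None,
              "sheets": [], "auto_names": [], "suspicious": False}
    for rtype, data in iter_records(stream):
        if rtype == REC_FILEPASS:
            # Every record after FILEPASS is encrypted, so stop parsing and report.
            result["encrypted"] = True
            wtype = struct.unpack_from("<H", data, 0)[0] if len(data) >= 2 else None
            result["encryption_type"] = {0: "xor", 1: "rc4"}.get(wtype, wtype)
            break
        if rtype == REC_BOUNDSHEET:
            hs, dt = data[4] & 0x03, data[5]       # hsState (2 bits), dt (sheet type)
            result["sheets"].append({"name": _short_string(data, 6),
                                     "type": SHEET_TYPES.get(dt, dt),
                                     "state": HIDDEN_STATES.get(hs, hs)})
        elif rtype == REC_LBL:
            flags, cch = struct.unpack_from("<HxB", data, 0)  # flags, skip chKey, cch
            if flags & 0x20 and cch == 1:         # fBuiltin: name is a 1-byte code at offset 15
                code = data[15]
                if code in BUILTIN_NAMES:
                    result["auto_names"].append(BUILTIN_NAMES[code])
        elif rtype == REC_EOF:
            break  # end of the workbook globals substream; sheet substreams follow
    hidden_macro = any(s["type"] == "xlm_macro" and s["state"] != "visible"
                       for s in result["sheets"])
    result["suspicious"] = result["encrypted"] or bool(result["auto_names"]) or hidden_macro
    return result


# --- constructed sample streams (not real malware) ------------------------------------
def _rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def _boundsheet(name, sheet_type, state):
    return _rec(REC_BOUNDSHEET, struct.pack("<IBB", 0, state, sheet_type)
                + bytes([len(name), 0]) + name.encode("latin-1"))


def _auto_open_name():
    # Lbl: flags (fBuiltin), chKey, cch=1, cce, reserved, itab, 4 reserved bytes, fHighByte, code
    return _rec(REC_LBL, struct.pack("<HBBHHHBBBB", 0x0020, 0, 1, 0, 0, 0, 0, 0, 0, 0) + b"\x00\x01")


BOF_GLOBALS = _rec(REC_BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0x0DBB, 0x07CC, 0, 6))
SAMPLE_MALICIOUS = (BOF_GLOBALS + _boundsheet("Sheet1", 0x00, 0)
                    + _boundsheet("Macro1", 0x01, 2) + _auto_open_name() + _rec(REC_EOF, b""))
SAMPLE_ENCRYPTED = (BOF_GLOBALS + _rec(REC_FILEPASS, struct.pack("<H", 1) + bytes(52))
                    + b"\x85\x00\x10\x00" + bytes(16))  # encrypted garbage after FILEPASS


def scan_xls_file(path, password="VelvetSweatshop"):
    """Scan a real .xls. Assumes `olefile` and `msoffcrypto-tool` are installed (assumption)."""
    import io
    import olefile
    with olefile.OleFileIO(path) as ole:
        report = scan_workbook_stream(ole.openstream("Workbook").read())
    if report["encrypted"]:
        import msoffcrypto
        with open(path, "rb") as f:                  # retry with Excel's default password
            office = msoffcrypto.OfficeFile(f)
            office.load_key(password=password)
            out = io.BytesIO()
            office.decrypt(out)
        with olefile.OleFileIO(out.getvalue()) as ole:
            report = scan_workbook_stream(ole.openstream("Workbook").read())
        report["opened_with_default_password"] = True
    return report


if __name__ == "__main__":
    print(scan_workbook_stream(SAMPLE_MALICIOUS))
    print(scan_workbook_stream(SAMPLE_ENCRYPTED))
```

A FILEPASS hit on its own is not proof of malice (plenty of legitimate workbooks are password protected), but a workbook that opens with VelvetSweatshop and then turns out to contain a very-hidden macro sheet plus an Auto_Open name is exactly the combination described in this article, and it is cheap to check before the file ever reaches Excel.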


How to mitigate the attack? 

With the growing number of trojans and other malware, use the following tips to protect your computer:

  • Install updates for your security software and scan your files regularly.
  • Keep your operating system updated to the latest available version, e.g. Windows 10 or a current Linux distribution.
  • Check digital signatures. They identify the source of a download, so you can be sure the files you are downloading and running have not been tampered with.
  • Choose your antivirus software wisely; it will be the backbone of your defenses.
  • Never use patched or modified (“cracked”) software, however tempting the free price tag.

(Apart from these, never trust attachments in mail from unknown senders. They may contain a malicious file that compromises your system.)



Prashant Singh (https://www.hackthebow.com)
Prashant is a student of Computer Science and Engineering at NIT Allahabad. He is also a web pentester and cybersecurity analyst. He may be an introvert and a sociable person at the same time. He loves meeting new people and is on a journey to explore himself. Currently working as a content writer at BLARROW.TECH.
