Evolution of Excel 4.0 macro weaponization

James Haughom (VMware), Stefano Ortolani (VMware) & Baibhav Singh (VMware)

Excel 4.0 (XL4) macros are becoming increasingly popular with attackers, as security vendors struggle to play catch-up and detect them properly. This technique provides attackers with a simple and reliable method to gain a foothold in a target network, as it is simply an abuse of a legitimate feature of Excel and does not rely on any vulnerability or exploit. For many organizations, blacklisting isn’t a viable solution, and any signatures to flag these samples must be precise enough not to trigger on files that leverage this feature legitimately.

As this is a 30-year-old feature that has only been discovered and exploited en masse by attackers in the last year, many security vendors do not currently have detection mechanisms in place to trigger on these samples, and building reliable signatures for this type of attack is not a small task. The VMware NSBU Threat Intelligence Team has observed thousands of samples leveraging this technique, and has been monitoring and tracking trends for the last 6+ months. Intercepting these samples has provided valuable data to build statistics, identify trends, find outliers, and track campaigns. We have been able to cluster samples into distinct waves, which clearly display how this technique has evolved over time to become more sophisticated and more evasive.

As XL4 macros represent somewhat 'uncharted territory', malware authors and security researchers are making new discoveries daily, pushing the boundaries of this technique and identifying ways to evade detection and obfuscate their code. The techniques employed by these attackers include ways to evade automated sandbox analysis and signature-based detection, as well as hands-on analysis performed by malware analysts and reverse engineers. As previously mentioned, these techniques appear to surface in waves, with each new wave introducing new techniques, building on the previous wave or cluster. Techniques used in the first wave of samples we observed in February are still being leveraged in samples being discovered today. In this presentation, we describe each wave and cluster in detail, breaking down every new technique discovered, and explaining why each is significant, effective, or ineffective.
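A defender-side check for the property the abstract leans on (a legitimate feature that only becomes an indicator in combination with hiding or auto-execution), written here as an added example that is not part of the authors' presentation or tooling: it walks the BIFF8 globals records of an XLS Workbook stream and raises only when a macro sheet (BoundSheet8 with dt = 0x01) is hidden or bound to a built-in Auto_Open/Auto_Close name, so a visible, manually-run XL4 sheet stays below the line. It assumes the stream has already been extracted from the OLE2 container by other tooling; the two sample streams are constructed inline and contain no macro formulas.

```python
import struct

# BIFF8 record ids (MS-XLS): BoundSheet8, Lbl (defined name), EOF of the globals substream
BOUNDSHEET, LBL, EOF = 0x0085, 0x0018, 0x000A
BUILTIN = {0x01: "Auto_Open", 0x02: "Auto_Close", 0x0A: "Auto_Activate"}  # built-in name ids
STATE = {0: "visible", 1: "hidden", 2: "veryhidden"}                       # hsState values

def records(stream):  # yield (type, payload) per record until the substream EOF or truncation
    off = 0
    while off + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, off)
        if rtype == EOF or off + 4 + size > len(stream):  # end of globals, or truncated record
            return
        yield rtype, stream[off + 4:off + 4 + size]
        off += 4 + size

def parse_boundsheet(p):  # lbPlyPos(4) | hsState = low 2 bits of byte 4 | dt = byte 5 | short name
    state, dt, cch, hi = p[4] & 0x03, p[5], p[6], p[7] & 1
    name = p[8:8 + cch * (2 if hi else 1)].decode("utf-16-le" if hi else "latin-1", "replace")
    return {"name": name, "state": STATE.get(state, "?"), "macro": dt == 0x01}

def parse_lbl(p):  # with fBuiltin (flags bit 5) set, the 1-byte name at offset 15 is a built-in id
    flags = struct.unpack_from("<H", p, 0)[0]
    return BUILTIN.get(p[15]) if (len(p) > 15 and flags & 0x0020 and p[3] == 1) else None

def triage(stream):  # flag only a macro sheet that is hidden or wired to an auto-run name
    sheets, auto = [], []
    for rtype, p in records(stream):
        if rtype == BOUNDSHEET and len(p) >= 8:
            sheets.append(parse_boundsheet(p))
        elif rtype == LBL and len(p) >= 2 and parse_lbl(p):
            auto.append(parse_lbl(p))
    macro = [s["name"] for s in sheets if s["macro"]]
    hidden = [s["name"] for s in sheets if s["macro"] and s["state"] != "visible"]
    verdict = "suspicious" if macro and (hidden or auto) else "benign"
    return {"verdict": verdict, "macro_sheets": macro, "hidden": hidden, "auto_names": auto}

# Constructed sample streams (not real malware), emitted with the same record layout as above.
def rec(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload
def boundsheet(name, dt, state):
    return rec(BOUNDSHEET, struct.pack("<IBBBB", 0, state, dt, len(name), 0) + name.encode("latin-1"))
def builtin_name(code, itab):
    rgce = struct.pack("<BHHH", 0x3A, 0, 0, 0)  # PtgRef3d to $A$1 on sheet index itab
    hdr = struct.pack("<HBBHHHBBBB", 0x0020, 0, 1, len(rgce), 0, itab, 0, 0, 0, 0)
    return rec(LBL, hdr + bytes([0, code]) + rgce)

SUSPECT = (boundsheet("Sheet1", 0x00, 0) + boundsheet("Macro1", 0x01, 2)  # very-hidden XLM sheet
           + builtin_name(0x01, 2) + rec(EOF, b""))                        # + Auto_Open bound to it
LEGIT = boundsheet("Sheet1", 0x00, 0) + boundsheet("Macro1", 0x01, 0) + rec(EOF, b"")  # visible, no auto-run
```

The same two signals (sheet visibility and auto-run names) are what a precise signature needs to combine, since either one alone also occurs in legitimate workbooks.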

James Haughom (VMware)

James Haughom Jr is a reverse engineer in VMware’s NSBU Anti-Malware Group, where he focuses on reversing malware, building detections, and performing threat research. Outside of RE, James has a diverse background in cybersecurity, ranging from digital forensics and incident response to SOC, red teaming, and tool development. James has had the opportunity to work on high-profile investigations and intrusions for both federal agencies and large corporations. An avid contributor to the infosec community, James has presented at regional conferences, conducted training for aspiring malware analysts/reverse engineers, and operated malware research blogs for the past three years. James’ passion is for true threat research - deep-diving into complex and sophisticated threats to gain a deep understanding of the mechanics and inner workings of advanced threats. Forever a student, James continues to learn and expand his skillset daily, lately focusing on exploit development, reversing firmware and ARM binaries, and building machine learning models for malware detection and classification.

Stefano Ortolani (VMware)

Stefano Ortolani is Threat Research Lead at VMware, formerly Director of Threat Research at Lastline, where he joined in 2015 as a security researcher. He spends his time researching bespoke approaches to investigate and classify cyber tradecraft, and making sure none are left uncharted. A contributor to product development, he is also a regular speaker at technical conferences. Prior to that he was part of the Global Research and Analysis Team at Kaspersky, in charge of fostering operations with CERTs, governments, universities, and law enforcement agencies, as well as conducting research in the global threat landscape. He received his Ph.D. in computer science from VU University Amsterdam.

Baibhav Singh (VMware)

Baibhav Singh is currently employed at VMware, where he works on NSX security. He has more than 15 years of experience in the security industry. He has authored various books, presented research at top security conferences such as Black Hat USA, and holds various patents in the areas of vulnerability analysis, reverse engineering, malware analysis, and intrusion prevention systems. He was formerly part of the security research team at McAfee, where he worked as a research scientist. He has extensive experience at the OS kernel layer, with deep knowledge of advanced vulnerability exploitation and detection, firmware security, and virtualization technology. He has also worked for Samsung Research America, where he developed insight into ARM devices, TEE and secure boot.