Black Hat 2021 + Def Con 29 – New Research on Excel 4.0 Macros

August 12, 2021 | Charles Everette

Two of the year's most significant cybersecurity conferences were held this past week in Las Vegas, the first major in-person cybersecurity events in nearly two years. For someone who has been an active member of the cyber community for more than 20 years, the opportunity to re-engage with peers face-to-face and connect as a community was sorely missed and long overdue.

The energy and content sharing were incredible despite a smaller turnout, and we were all reminded of the extreme passion and esprit de corps that is unique to the cyber world. The collaboration and shared knowledge that come from our live events always re-energize us as we see what is possible in the ongoing fight against hackers and bad actors. Cybersecurity is not just about securing "your" network, protecting "your" environment, and testing and securing "your" applications. It's about creating a safer, more resilient community together.

Deep Instinct has taken this approach to heart since our founding in 2015 and we were proud to share research on a new, evolving threat vector involving legacy Excel 4.0 macros and their use in threat evasion at Def Con. The research, which was presented by Tal Leibovich, head of threat research at Deep Instinct, was covered by TechRepublic as well – a terrific article and testament to the expertise of our entire research team.

Excel 4.0 macros (XL4, also called XLM) are a legacy macro language that Microsoft Excel has supported since 1992. VBA replaced them as Excel's primary scripting language, but XL4 is still supported for backward compatibility, leaving an attack surface in place for decades: a workbook can carry XL4 formulas on a macro sheet that execute when the file is opened, with no VBA project for scanners to inspect. We've seen a significant rise in malware using XL4 in just the past year and a half, and these campaigns have become steadily more sophisticated and prevalent.

Deep Instinct threat researchers reported that these XL4-based threats rely on the Auto_Open and Auto_Close defined names to run code as soon as the workbook is opened or closed, on password-protected workbooks encrypted with Excel's built-in default password (which Excel decrypts without prompting the user, while static scanners see only ciphertext), and on advanced obfuscation such as assembling the macro code at run time, so the final formulas never appear in the file on disk. While some of these techniques are known, the majority of them are newly discovered based on research by Deep Instinct's threat teams.
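To make the indicators above concrete, here is an added example (written for this post, not Deep Instinct's detection logic) that scans an OOXML-style workbook for XL4 macro sheets, hidden or veryHidden macro sheets, Auto_Open/Auto_Close defined names, and formulas that either call code-executing XL4 functions or build code at run time with CHAR()/FORMULA(). The sample workbook it scans is hand-built in memory as an approximation of the .xlsm layout (it is constructed, not a real malware sample), and the function lists and the "malicious-likely" threshold are the author's own heuristics. Note that the sample never contains the literal string EXEC: it is spelled out with CHAR() and written into a cell with FORMULA(), which is exactly why a grep for EXEC would miss it.

```python
"""Heuristic scanner for Excel 4.0 (XLM) macro indicators in OOXML workbooks.

Added example for this post, not Deep Instinct's product code. Indicators:
macro sheet parts, hidden/veryHidden macro sheets, Auto_Open/Auto_Close names,
code-executing XL4 calls, and run-time code assembly (CHAR()/FORMULA()).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
NS_XM = "http://schemas.microsoft.com/office/excel/2006/main"

# Prefix match so variants such as Auto_Open1 are also flagged (heuristic choice).
AUTO_NAME = re.compile(r"^auto_(open|close|activate|deactivate)", re.I)
# XL4 functions that execute code or write new formulas into cells.
DANGEROUS = re.compile(r"\b(EXEC|CALL|REGISTER|RUN|FORMULA(?:\.FILL|\.ARRAY)?|FOPEN|FWRITE)\s*\(", re.I)
# Building blocks of run-time decoding: character assembly and formula writing.
DECODE = re.compile(r"\b(CHAR|MID|CODE|FORMULA)\s*\(", re.I)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag: '{ns}f' -> 'f'."""
    return tag.rsplit("}", 1)[-1]


def scan_workbook(data: bytes) -> dict:
    """Return XL4 indicators found in a zipped OOXML workbook given as bytes."""
    result = {"macrosheets": [], "hidden_macrosheets": [], "auto_names": [],
              "dangerous_calls": [], "runtime_decode": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        result["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        # Relationship id -> part target, so a hidden <sheet> can be tied to a macro sheet part.
        targets = {}
        if "xl/_rels/workbook.xml.rels" in names:
            for rel in ET.fromstring(zf.read("xl/_rels/workbook.xml.rels")).iter():
                if _local(rel.tag) == "Relationship":
                    targets[rel.get("Id")] = rel.get("Target", "")
        if "xl/workbook.xml" in names:
            for el in ET.fromstring(zf.read("xl/workbook.xml")).iter():
                tag = _local(el.tag)
                if tag == "definedName" and AUTO_NAME.match(el.get("name", "")):
                    result["auto_names"].append((el.get("name"), (el.text or "").strip()))
                elif tag == "sheet" and el.get("state") in ("hidden", "veryHidden"):
                    target = targets.get(el.get(f"{{{NS_R}}}id"), "").lstrip("/")
                    if target.startswith(("macrosheets/", "xl/macrosheets/")):
                        result["hidden_macrosheets"].append((el.get("name"), el.get("state")))
        # Walk every <f> (formula) cell in each macro sheet, namespace-agnostically.
        for part in result["macrosheets"]:
            for el in ET.fromstring(zf.read(part)).iter():
                if _local(el.tag) != "f" or not el.text:
                    continue
                for m in DANGEROUS.finditer(el.text):
                    result["dangerous_calls"].append((part, m.group(1).upper()))
                if DECODE.search(el.text):
                    result["runtime_decode"] = True
    return result


def verdict(result: dict) -> str:
    """Collapse findings into a triage label (threshold is an assumption; tune it)."""
    if not result["macrosheets"]:
        return "clean"
    if result["auto_names"] and (result["dangerous_calls"] or result["runtime_decode"]):
        return "malicious-likely"
    return "suspicious"


def build_sample_workbook() -> bytes:
    """Constructed, benign in-memory workbook approximating the .xlsm layout.

    Relationship Type attributes are omitted because the scanner keys on Target only.
    The macro sheet spells EXEC with CHAR() and writes it into B1 via FORMULA().
    """
    workbook = f'''<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_R}">
  <sheets>
    <sheet name="Sheet1" sheetId="1" r:id="rId1"/>
    <sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>
  </sheets>
  <definedNames><definedName name="Auto_Open">Macro1!$A$1</definedName></definedNames>
</workbook>'''
    rels = f'''<Relationships xmlns="{NS_PKG}">
  <Relationship Id="rId1" Target="worksheets/sheet1.xml"/>
  <Relationship Id="rId2" Target="macrosheets/sheet1.xml"/>
</Relationships>'''
    macro = f'''<xm:macrosheet xmlns:xm="{NS_XM}" xmlns="{NS_MAIN}">
  <sheetData>
    <row r="1"><c r="A1"><f>CHAR(69)&amp;CHAR(88)&amp;CHAR(69)&amp;CHAR(67)</f></c></row>
    <row r="2"><c r="A2"><f>FORMULA(A1&amp;"(""calc.exe"")",B1)</f></c></row>
    <row r="3"><c r="A3"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", f'<worksheet xmlns="{NS_MAIN}"><sheetData/></worksheet>')
        zf.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    findings = scan_workbook(build_sample_workbook())
    for key, value in findings.items():
        print(f"{key}: {value}")
    print("verdict:", verdict(findings))
```

Two caveats for real triage. First, most in-the-wild XL4 droppers ship as legacy binary .xls (BIFF) files rather than OOXML, so the same indicators have to be pulled out with a BIFF-aware parser such as oletools' olevba; the logic above is the OOXML half only. Second, the default-password trick described in the post defeats this scanner entirely unless the file is decrypted first, because the zip container itself is inside the encrypted OLE stream.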

Our team also showcased how the Deep Instinct Prevention Platform can identify and prevent these new malicious XL4 strains using our Anomaly Detection algorithms. Even if this malware family evolves and modifies its techniques, Deep Instinct will adapt and stop these threats, providing continuous prevention capabilities that no other security solution on the market today can match.

The threat landscape has grown rapidly over the past several years, and it will continue to grow and change in the years to come. The boundaries of your organization are becoming less defined: data is stored in and sent through cloud services and across your hybrid environment, and endpoints are now spread around the globe as people work at home, in offices, and everywhere in between. Security solutions will have to keep improving to protect an ever-larger footprint.

If you’d like to see how Deep Instinct can protect you from XL4-based threats, please request a demo.