Macros have been a simple, effective means of spreading malware since the 1990’s, and some hackers still rely on them heavily to ensnare and infect unsuspecting users.
It’s a long standing issue that many companies have attempted to address over the years. Now, it seems that it’s Microsoft’s turn at bat again.
Recently, the Redmond Giant announced a new integration between its AMSI (Antimalware Scan Interface) and Office 365, aimed squarely at delivering a knockout blow to macro-based malware.
Earlier attempts to put a stop to macro abuse focused on Visual Basic Scripts and removing macro-based vulnerabilities from them.
That was effective as far as it went, but it had the unforeseen effect of pushing hackers away from using VBS and toward XLM. Those are of an older macro language that first shipped with Microsoft Excel back in 1992 and is still supported to this day. The new integration paradigm sees AMSI scanning Excel 4.0 XLM macros at runtime, which should (emphasis on should) make it virtually impossible for hackers to exploit them.
As a representative from Microsoft Security Teams explains:
“While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cyber criminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands.
Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.”
Time will tell how effective this new approach will be. Unfortunately, even if it is wildly successful, it will simply push hackers toward some other easy exploit. Even so, kudos to Microsoft for taking the fight to the hackers.