By Jon Armer, Product Security Engineer R&D
In mid-April, we observed a malicious spam (malspam) campaign using Microsoft Excel documents to deliver Zloader malware via Excel 4.0 macros, also known as XLM macros. Excel 4.0 macros are the precursor to VBA macros and contain similar functionality. Threat actors use Excel 4.0 macros due to their:
- low rate of antivirus software detection,
- ability to obfuscate commands through dynamic code, and
- capability to call API functions to download files and run CMD commands.
Unlike later VBA macros, XLM macros are stored by Excel within cells of a worksheet. Victims are unable to review the macros because the threat actors set the worksheet to “very hidden,” a built-in feature of Microsoft Office that prevents recipients from viewing the worksheet from within Excel.
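The two indicators described above (an Excel 4.0 macro sheet, and a worksheet flagged “very hidden”) can both be read straight out of the document container without opening it in Excel. The script below is an added triage example written for this article; it is not Infoblox’s tooling and not code recovered from the campaign. It assumes the modern OOXML container (.xlsm, a zip archive), where Excel keeps XLM macro sheets under `xl/macrosheets/` and records each sheet’s visibility as the `state` attribute (`hidden` or `veryHidden`) of a `<sheet>` element in `xl/workbook.xml`. The sample workbook it builds is constructed in memory and is deliberately minimal (only the parts the analyzer reads are present, and the macro cell holds a placeholder string rather than a real command). Legacy binary `.xls` files use the OLE2/BIFF format instead and are not handled here; for those, a tool such as oletools’ `olevba` is the usual choice.

```python
"""Triage an OOXML Excel workbook for Excel 4.0 (XLM) macro indicators.

Added example: stand-alone, standard library only. It flags (1) macro-sheet
parts, (2) sheets whose visibility state is 'hidden' or 'veryHidden', and
(3) macro formulas that reference XLM functions able to reach the OS.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

WORKBOOK_PART = "xl/workbook.xml"
MACROSHEET_PREFIX = "xl/macrosheets/"
# XLM functions that can launch commands or call external DLL entry points.
SUSPICIOUS_FUNCS = ("EXEC(", "CALL(", "REGISTER(", "FORMULA(")


def _local(tag: str) -> str:
    """Strip the XML namespace so the scan does not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def analyze_workbook(data: bytes) -> dict:
    """Return the XLM-related indicators found in an OOXML workbook (bytes)."""
    result = {"macrosheets": [], "very_hidden_sheets": [],
              "hidden_sheets": [], "suspicious_formulas": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # Excel 4.0 macro sheets live in their own part directory in .xlsm files.
        result["macrosheets"] = [n for n in names
                                 if n.startswith(MACROSHEET_PREFIX) and n.endswith(".xml")]
        if WORKBOOK_PART in names:
            for el in ET.fromstring(zf.read(WORKBOOK_PART)).iter():
                if _local(el.tag) != "sheet":
                    continue
                state = el.get("state", "visible")
                if state == "veryHidden":
                    result["very_hidden_sheets"].append(el.get("name"))
                elif state == "hidden":
                    result["hidden_sheets"].append(el.get("name"))
        # XLM code is ordinary cell formulas; each <c> carries its formula in <f>.
        for part in result["macrosheets"]:
            for el in ET.fromstring(zf.read(part)).iter():
                if _local(el.tag) == "f" and el.text:
                    if any(fn in el.text.upper() for fn in SUSPICIOUS_FUNCS):
                        result["suspicious_formulas"].append((part, el.text))
    result["verdict"] = score(result)
    return result


def score(result: dict) -> str:
    """Rough severity: macro sheet plus concealment or OS access is the Zloader pattern."""
    if result["macrosheets"] and (result["very_hidden_sheets"] or result["suspicious_formulas"]):
        return "high"
    if result["macrosheets"]:
        return "medium"
    if result["very_hidden_sheets"]:
        return "low"
    return "clean"


def build_sample_workbook(with_macro: bool = True) -> bytes:
    """Constructed sample (not a real malware file): an invoice sheet plus,
    optionally, a 'very hidden' Excel 4.0 macro sheet with a placeholder EXEC."""
    macro_sheet_entry = (
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>' if with_macro else "")
    workbook_xml = f"""<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
          xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
  <sheets>
    <sheet name="Invoice" sheetId="1" r:id="rId1"/>
    {macro_sheet_entry}
  </sheets>
</workbook>"""
    macro_xml = """<?xml version="1.0" encoding="UTF-8"?>
<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main"
               xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>EXEC("PLACEHOLDER-COMMAND")</f></c></row>
    <row r="2"><c r="A2"><f>HALT()</f></c></row>
  </sheetData>
</xm:macrosheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(WORKBOOK_PART, workbook_xml)
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if with_macro:
            zf.writestr("xl/macrosheets/sheet1.xml", macro_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        report = analyze_workbook(build_sample_workbook(with_macro=flag))
        print(f"with_macro={flag}: verdict={report['verdict']} "
              f"veryHidden={report['very_hidden_sheets']} "
              f"formulas={[f for _, f in report['suspicious_formulas']]}")
```

To run it against a real attachment, replace the constructed bytes with `open(path, "rb").read()`. The function-name check is a coarse string match, so heavily obfuscated XLM (the “dynamic code” the article mentions, where the formula text is assembled at run time) may only show up through the structural indicators, which is why the verdict weights the very-hidden sheet and the macro-sheet part rather than the formula scan alone.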
The emails that we observed in this campaign used purchasing/financial themes with the following subject lines:
- Case <six digits>: invoice <six digits> is blocked
- Compensation for invoice <six digits> is not received
- Replicated_sent_invoice_#<six digits>
Infoblox’s full report on this instance of the malware will be available soon on our Threat Intelligence Reports page.