{"id":93008,"date":"2021-03-03T09:00:54","date_gmt":"2021-03-03T17:00:54","guid":{"rendered":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\/?p=93008"},"modified":"2023-08-10T14:14:15","modified_gmt":"2023-08-10T21:14:15","slug":"xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2021\/03\/03\/xlm-amsi-new-runtime-defense-against-excel-4-0-macro-malware\/","title":{"rendered":"XLM + AMSI: New runtime defense against Excel 4.0 macro malware"},"content":{"rendered":"

We have recently expanded the integration of Antimalware Scan Interface (AMSI) with Office 365 to include the runtime scanning of Excel 4.0 (XLM) macros, to help antivirus solutions tackle the increase in attacks that use malicious XLM macros. This integration, an example of the many security features released for Microsoft 365 Apps on a regular basis, reflects our commitment to continuously increase protection for Microsoft 365 customers against the latest threats.

Microsoft Defender Antivirus is using this integration to detect and block XLM-based malware, and we encourage other antivirus products to use this open interface to gain better visibility and improve protections against these threats.

XLM is a legacy macro language that was made available in Microsoft Excel in 1992, prior to the introduction of Visual Basic for Applications (VBA) in 1993. While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros increasingly frequently to call Win32 APIs and run shell commands.

The AMSI instrumentation for VBA has been providing deep visibility into the runtime behavior of VBA macros. Its release in 2018 effectively removed the armor that macro obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny. Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM.

Like VBA and many other scripting languages abused by malware, XLM code can be obfuscated relatively easily to conceal the real intent of the macro. For example, attackers can hide URLs or file names of executable files from static inspection through simple string manipulation. Attackers also take advantage of the way macro code persists within the Excel document: while VBA macros are stored in a dedicated OLE stream (and hence can be easily located and extracted), XLM macros do not exist as a separate, well-defined entity. Rather, each XLM macro statement is a formula within a cell. Extracting a whole XLM macro can become a cumbersome task, requiring a cell-by-cell inspection of the whole document.

[Screenshot] Figure 1. Sample malicious XLM macro

In addition, while formulas are typically executed downwards starting from the top, with XLM the macro content can be quite spread out, thanks to control flow statements like RUN, CALL, or GOTO, which allow the switching of execution flow from one column to another. This feature, together with obfuscation, has been abused by attackers to craft documents that could evade static analysis.

AMSI instrumentation for Excel 4.0 (XLM) macros

AMSI is an open interface that allows any application to request the scanning of any data at any time. In a nutshell, this technology provides applications the capability to interface with the installed antivirus solution in order to inspect and scan potentially dangerous data (e.g., a file downloaded from a remote location, or data generated dynamically by an application). Microsoft already utilizes this technology in various applications to detect malicious macros, script-based malware, and other threats: