Excel 4.0 macros are a 30-year-old feature of Microsoft that has been gaining popularity among malware authors over the last year. This type of macro code is currently being weaponized by threats to deliver additional, more persistent malware.

Similar to the more modern VBA macros, this technique is effective because Excel 4.0 macros are a component of legitimate Excel functionality. Their misuse will likely continue since they won't be disabled, are used regularly for benign business purposes.

Read more about the Macrosheet Evolution!

Latest InQuest™ Blog Posts

A Phishing TTP

Posted on 2020-07-09 by Josiah Smith

A common tactic seen used in Phishing campaigns today is to embed the phish within Google's Firebase Cloud Storage platform called Firebase. Follow along with this workflow to analyze some phishing lures.

Tale of a Polished Carrier

Posted on 2020-07-27 by Josiah Smith

While we come across fresh evasive document carriers on a regular basis, it's not every day we see one with great polish. On July 20th, we broke down the individual components of a malicious Office document and drove some collaboration within the Twitterverse.

InQuest™ Labs Research Spotlight

VBA-Stendhal

VBA-Stendhal for Red Teams: Inject Encrypted Commands Into EMF Shapes for C2 In VBA / Office Malware

CFR - Another Java Decompiler

CFR will decompile modern Java features - including much of Java 9, 12 & 14. It'll even attempt turning class files from other JVM languages back into java.

capa

capa is the FLARE team’s newest open-source tool for analyzing malicious programs. The tool provides a framework for the community to encode, recognize, and share behaviors seen in malware.

Global Security Events

Twitter says hackers downloaded the data of eight users in Wednesday's hack

Twitter has provided another update in its investigation into the security incident when a group of hackers breached its backend and tweeted a cryptocurrency scam on behalf of high-profile and verified accounts.

SIGRed – Resolving Your Way into Domain Admin

SIGRed (CVE-2020-1350) is a wormable, critical vulnerability (CVSS base score of 10.0) in the Windows DNS server that affects Windows Server versions 2003 to 2019 and can be triggered by a malicious DNS response.

There’s a reason your inbox has more malicious spam—Emotet is back

Emotet, the world’s most costly and destructive botnet, returned from a five-month hiatus on Friday with a blast of malicious spam aimed at spreading a backdoor that installs ransomware, bank-fraud trojans, and other nasty malware.

Useful Links

Support

Social

Twitter

GitHub

InQuest™ Insider - Your monthly resource for the latest in cyber security news, trends, tips and tools. Subscribe here.

Unsubscribe here.