Cybercriminals abuse Excel 4.0 macro to distribute malware as ZLoader and Quakbot. Security researchers have discovered 90% of nearly 160,000 Excel 4.0 documents analyzed between November 2020 and March 2021were classified as malicious or suspicious.
According to ReversingLabs researchers,
The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules
Microsoft Excel offers a legacy feature for Excel 4.0 macros, the precursor to Visual Basic for Applications(VBA) for backward compatibility. In a support document, Microsoft has warned users that enabling all macros can lead to potentially executing the dangerous code.
Quakbot or QBOT discovered in 2007, has been a notorious banking trojan with the capabilities to steal banking credentials and other financial information. It has been constantly evolving since then and gaining worm-like propagation features. Variants of Quakbot have been able to dump malware payloads, log user keystrokes and also create a backdoor to compromised machines, generally it spreads via abused Office documents.
ReversingLabs in its documentation mentions, the malware is able to convince victims into enabling macros with lures. It can also be embedded with files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. They also studied a sample, a Base 64 encoded payload in one of the sheets. It attempted to download additional malware from a sketchy URL.
The researchers further said, though backward compatibility is important, it should have a life expectancy keeping security in mind. The best solution would be if this feature was eliminated at this point of time. While doing so Microsoft should consider the cost of maintaining 30-year-old macros, weighed against the security risks while using the outdated technology.