• Malware using Excel XLAM bypass protections

    Malware using Excel XLAM Excel Macro enabled addins to bypass protections
    By Derek Knight | October 27, 2018

    We have been noticing a change in the malware delivery pattern with Lokibot (and possibly other malware) over the last few days. Instead of using the more normal Excel file extensions like XLS or XLSX they have started to use .XLAM extensions…
    Now in theory this extension should not open automatically, nor should any content run automatically in Excel. What is supposed to happen is that a prompt to add the file to the Excel add-ins appears & you should have to select the file to add it & Excel then runs the macro inside it.

    By default protected view is enabled and macros are disabled, UNLESS you or your company have enabled them. If protected view mode is turned off and macros are enabled then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you.

    Some versions pretend to have a digital RSA key and say you need to enable editing and Macros to see the content. Do NOT enable Macros or editing under any circumstances.

    Be aware that there are a lot of dodgy Word docs spreading that WILL infect you with no action from you if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office 2003 and 2007. Many of us have continued to use older versions of Word and other Office programs, because they are convenient, have the functions and settings we are used to and have never seen a need to update to the latest super-duper version. The risks in using older versions are now seriously starting to outweigh the convenience, benefits and cost of keeping an old version going.

    Read the full article here
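    The point of switching to .XLAM is that mail and proxy filters keyed on the .XLS/.XLSX extension let it through, while Excel decides what a file is from the content types declared inside the OOXML container. The following added example (not part of the quoted article) shows an extension-agnostic check a gateway could run: it reads [Content_Types].xml from the zip container and flags macro-enabled add-ins or VBA projects whatever the filename says. The content-type strings are the real OOXML ones; the sample container built by build_sample() is a constructed fixture, not a real malware sample.

```python
import io
import re
import zipfile

# OOXML content types that identify a macro-enabled Excel add-in (.xlam)
# and an embedded VBA project. Excel trusts these, not the file extension.
ADDIN_MAIN = "application/vnd.ms-excel.addin.macroEnabled.main+xml"
VBA_PROJECT = "application/vnd.ms-office.vbaProject"


def inspect_ooxml(data: bytes) -> dict:
    """Classify an Office Open XML blob by its declared content types."""
    result = {"is_ooxml": False, "is_addin": False, "has_vba": False}
    if not data.startswith(b"PK\x03\x04"):      # not a zip container at all
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return result
    types = set(re.findall(r'ContentType="([^"]+)"', ct))
    result["is_addin"] = ADDIN_MAIN in types
    result["has_vba"] = VBA_PROJECT in types or "xl/vbaProject.bin" in names
    return result


def should_quarantine(filename: str, data: bytes) -> bool:
    """Hold any add-in, and any VBA-bearing file whose name does not admit to macros."""
    info = inspect_ooxml(data)
    admits_macros = filename.lower().endswith((".xlam", ".xlsm", ".xlsb"))
    return info["is_addin"] or (info["has_vba"] and not admits_macros)


def build_sample(main_type: str, with_vba: bool) -> bytes:
    """Constructed fixture: a minimal OOXML container with the given workbook type."""
    overrides = f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>'
    if with_vba:
        overrides += f'<Override PartName="/xl/vbaProject.bin" ContentType="{VBA_PROJECT}"/>'
    ct = ('<?xml version="1.0" encoding="UTF-8"?><Types xmlns="http://schemas.'
          'openxmlformats.org/package/2006/content-types">' + overrides + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real project")
    return buf.getvalue()
```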
