Microsoft’s decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the Internet has prompted many attackers to improvise attack chains in recent months.

Today, according to Cisco Talos, both advanced persistent threat (APT) actors and commodity malware families are increasingly using Excel add-in files (.XLL) as their primary intrusion vector.

Weaponized Office documents delivered via phishing emails and other social engineering attacks are one of the most popular entry points for criminal groups looking to execute malicious code.

Such documents traditionally display seemingly innocuous content while prompting victims to enable macros, which then lets the malware run stealthily in the background.

To counter this abuse, the Windows maker rolled out significant changes as of July 2022 to block macros in Office files attached to email messages, effectively closing off a key attack vector.

While this block only applies to newer versions of Access, Excel, PowerPoint, Visio, and Word, malicious actors are already experimenting with alternative infection vectors to deploy malware.

One such method is the XLL file, which Microsoft describes as “a type of dynamic link library (DLL) file that can only be opened by Excel,” Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said the attackers used a mix of native add-ins written in C++ and add-ins built with the free Excel-DNA tool. The activity has increased significantly since mid-2021 and has continued this year.
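A content-based triage check, added here as an illustration and not code from the article or from Cisco Talos. Because an XLL is a PE DLL that Excel loads by calling well-known exported entry points (xlAutoOpen and its siblings, as defined by the Excel XLL SDK; this detail is not stated on the page), an email gateway or sandbox can recognise an Excel add-in by walking the file's export table rather than trusting its extension, which the sender controls. It covers both native C++ add-ins and Excel-DNA-built ones, since both ship as a native XLL with those exports. The function names, the export set and the `build_sample_dll` fixture (a constructed, code-free PE32 image used only as test input) are this example's own assumptions.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics bit set on DLL images
# Entry points Excel looks up in an XLL add-in (Excel XLL SDK);
# a DLL exporting none of these cannot act as an add-in.
XLL_ENTRY_EXPORTS = {"xlAutoOpen", "xlAutoClose", "xlAddInManagerInfo", "xlAddInManagerInfo12"}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for va, raw_ptr, raw_size, vsize in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def pe_exports(data):
    """Return (is_dll, [exported names]) for a PE image held in memory.
    Only the headers needed to walk the export name table are parsed."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    coff = pe_off + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    chars = struct.unpack_from("<H", data, coff + 18)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ data directories
    export_rva = struct.unpack_from("<I", data, dirs)[0]  # data directory entry 0: exports
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, raw_ptr, raw_size, vsize))
    is_dll = bool(chars & IMAGE_FILE_DLL)
    if export_rva == 0:
        return is_dll, []
    exp = _rva_to_offset(export_rva, sections)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]                      # NumberOfNames
    names_off = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)  # AddressOfNames
    names = [_cstr(data, _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections))
             for i in range(n_names)]
    return is_dll, names


def triage_attachment(data):
    """Classify an attachment by content, ignoring its file name (the sender
    controls that). Returns 'xll-addin', 'pe-not-addin' or 'not-pe'."""
    try:
        is_dll, exports = pe_exports(data)
    except (ValueError, struct.error, IndexError):
        return "not-pe"
    if is_dll and XLL_ENTRY_EXPORTS.intersection(exports):
        return "xll-addin"
    return "pe-not-addin"


def build_sample_dll(export_names, dll_name=b"sample.xll"):
    """Constructed fixture: a minimal PE32 DLL image exporting the given names.
    It contains no code and cannot be loaded; it only exercises the parser."""
    n = len(export_names)
    sec_rva, sec_raw = 0x1000, 0x200
    funcs_rva = sec_rva + 40                 # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(str_rva + len(strings))
        strings += nm.encode() + b"\x00"
    dllname_rva = str_rva + len(strings)
    strings += dll_name + b"\x00"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    edata += b"\x00" * (4 * n)                                   # function RVAs (dummy)
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)   # name pointer table
    edata += b"".join(struct.pack("<H", i) for i in range(n))    # ordinal table
    edata += strings
    raw_size = (len(edata) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, IMAGE_FILE_DLL | 0x0002)
    opt = struct.pack("<H", 0x10B) + b"\x00" * 94                # PE32 magic, rest zeroed
    datadirs = struct.pack("<II", sec_rva, len(edata)) + b"\x00" * (8 * 15)
    section = b".edata\x00\x00" + struct.pack("<IIIIIIHHI", len(edata), sec_rva, raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + opt + datadirs + section
    return headers.ljust(sec_raw, b"\x00") + edata.ljust(raw_size, b"\x00")


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_attachment(fh.read()))
```

Run it as `python xll_triage.py attachment1 attachment2 ...`. The parser deliberately ignores the extension: a file named `.xll` that is not a DLL is harmless to Excel, while a DLL with add-in exports is an add-in whatever it is called, so the verdict should drive quarantine rules independently of the name. On real samples, pair this with the Mark-of-the-Web check, since the macro block described above does not stop Excel from loading an XLL.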

The first publicly documented abuse of XLL files, however, dates back to 2017, when the China-linked APT10 group (aka Stone Panda) is said to have used the technique to load a backdoor payload via process hollowing.

Since then, many other hostile groups have left their mark, including TA410 (an actor with links to APT10), DoNot Team, FIN7, and commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Warzone RAT.

The use of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, which noted that it “could represent a new trend in the threat landscape.”

As more users move to newer versions of Microsoft Office, attackers are switching from malicious VBA-based documents to other formats such as XLL, or exploiting newly discovered vulnerabilities, to launch malicious code in the Microsoft Office process space, Svajcer said.

Ekipa RAT exploits Microsoft Publisher macros

Beyond being embedded in XLL Excel add-ins, Ekipa RAT received an update in November 2022 that uses Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

Trustwave said: “As with other Microsoft Office products such as Excel and Word, Publisher files can contain macros that run when the file is opened or closed. This is an attack vector.”

Notably, Microsoft’s restriction on running macros in files downloaded from the Internet does not apply to Publisher files, a gap attackers can exploit in phishing campaigns.

Trustwave researcher Wojciech Cieslak said: “The authors of this malware have tracked changes in the security industry, such as Microsoft blocking macros from the Internet, and changed their tactics accordingly.”