Hackers Use Excel Add-Ins as Initial Penetration Vector

Hackers use Excel add-ins

Cisco Talos analysts say that hackers are now using Excel add-ins to infiltrate victims’ systems and networks.

After Microsoft began blocking VBA macros in Office documents downloaded from the Internet (marked as Mark Of The Web), attackers had to rethink their attack chains: for example, now hackers are increasingly using Excel add-in files (.XLL) as an initial compromise vector.

According to experts, Office documents distributed using phishing emails and other social engineering remain one of the most popular attack vectors for attackers. Such documents traditionally suggest that victims enable macros to view supposedly harmless content, but in fact activate hidden malware execution in the background.

To address these abuses, earlier this year, Microsoft began blocking VBA macros in Office documents downloaded from the Internet. Although the company admitted that they received negative feedback from users because of this and were even forced to temporarily reverse this decision, as a result, the blocking of VBA macros was still continued.

We also wrote that Hackers use the .NET library for creating malicious Excel files, and also that Weak Block Cipher in Microsoft Office 365 Leads to Message Content Disclosure.

Despite the fact that the blocking only applies to the latest versions of Access, Excel, PowerPoint, Visio, and Word, attackers have begun experimenting with alternative ways to infect and deploy malware. One such “innovation” is the use of XLL files, which Microsoft describes as “a kind of DLL file that can only be opened in Excel,” the researchers report.

XLL files can be sent via email, and even with normal malware scanning mechanisms in place, users can open them without knowing that such files may contain malicious code.writes Cisco Talos.

Hackers use Excel add-ins

Although Excel warns about the potential dangers of XLLs, these warnings are usually overlooked by users.

According to experts, hackers combine add-ons written in C++ with add-ons developed using the free tool Excel-DNA. And if the first such experiments of hackers were noticed a few years ago, then in 2021-2022 such attacks began to develop much more actively.

Hackers use Excel add-ins

The researchers write that the Chinese hack groups APT10 and TA410 (and they started back in 2017), the Russian-speaking group FIN7, which began using add-on files in their campaigns last summer, famous Dridex malware loader and FormBook loader; as well as other major malware families, including AgentTesla, Ransomware Stop, Vidar, Buer Loader, Nanocore, IceID, Arkei, AsyncRat, BazarLoader, and so on are already abusing XLL.

Hackers use Excel add-ins

As more and more users migrate to new versions of Microsoft Office, it is likely that in the future hackers will move away from malicious VBA documents and move to other formats (such as XLL), or rely on exploiting newly discovered vulnerabilities to run malicious code. in the Office application space.the analysts summarize.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *