Cisco Talos analysts say that hackers are now using Excel add-ins to infiltrate victims’ systems and networks.
After Microsoft began blocking VBA macros in Office documents downloaded from the Internet (that is, files carrying the Mark of the Web), attackers have had to rethink their attack chains. One result is that Excel add-in files (.XLL) are increasingly being used as an initial compromise vector.
According to the researchers, Office documents distributed via phishing emails and other social engineering remain one of the most popular attack vectors. Such documents traditionally ask the victim to enable macros in order to view supposedly harmless content; doing so in fact triggers hidden malware execution in the background.
To counter this abuse, earlier this year Microsoft began blocking VBA macros in Office documents downloaded from the Internet. The company acknowledged negative feedback from users and even temporarily rolled the change back, but in the end the blocking of VBA macros went ahead.
We also wrote that hackers use a .NET library to create malicious Excel files, and that a weak block cipher in Microsoft Office 365 leads to message content disclosure.
Although the blocking only applies to current versions of Access, Excel, PowerPoint, Visio, and Word, attackers have already begun experimenting with alternative ways to infect systems and deploy malware. One such "innovation" is the use of XLL files, which Microsoft describes as "a kind of DLL file that can only be opened in Excel," the researchers report. In practice an XLL is a native DLL that Excel loads into its own process, so the add-in's code runs with the user's privileges as soon as the file is opened.
Although Excel does display a warning before loading an XLL, users usually click through it.
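As a triage aid for the two points above (the Mark of the Web that triggers the macro block, and the fact that an XLL is a DLL that Excel loads), the following Python script is an added example; it is not from the Talos report or from this article. It checks whether a file carries a Zone.Identifier stream with ZoneId=3 (the Internet zone) and whether it is a PE DLL exporting xlAutoOpen, the entry point Excel calls when it loads an add-in; add-ins built with Excel-DNA export the same entry points, because the framework ships a native XLL loader. The PE parser reads only the export table. build_sample_dll() is a constructed sample that exists only to give the parser something to parse offline, the Zone.Identifier text is likewise constructed, and names such as triage_xll are assumptions of this example, not names from the report.

```python
import struct

# Entry points Excel looks up in an XLL add-in. xlAutoOpen runs as soon as Excel
# loads the add-in, which is what makes an XLL usable as an initial-access vector.
XLL_INTERFACE = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove", "xlAutoRegister", "xlAutoRegister12",
                 "xlAutoFree", "xlAutoFree12", "xlAddInManagerInfo", "xlAddInManagerInfo12"}
IMAGE_FILE_DLL = 0x2000


def parse_zone_identifier(text):
    """ZoneId from the text of a Zone.Identifier stream (Mark of the Web), or None."""
    section, zone = None, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and line.startswith("ZoneId="):
            zone = int(line.split("=", 1)[1])
    return zone


def read_mark_of_the_web(path):
    """ZoneId from <path>:Zone.Identifier; None if the NTFS stream is absent (always on non-Windows)."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def pe_exports(data):
    """Minimal PE parser: (machine, is_dll, exported names) from an image held in memory."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)  # DataDirectory offset for PE32 / PE32+
    if dd_off is None:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    exp_rva = struct.unpack_from("<I", data, opt + dd_off)[0]  # DataDirectory[0] = export table
    sections = []
    for i in range(nsec):
        _, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA 0x%x outside every section" % rva)

    names = []
    if exp_rva:
        d = rva2off(exp_rva)
        nnames = struct.unpack_from("<I", data, d + 24)[0]        # NumberOfNames
        aon = rva2off(struct.unpack_from("<I", data, d + 32)[0])  # AddressOfNames
        for i in range(nnames):
            off = rva2off(struct.unpack_from("<I", data, aon + 4 * i)[0])
            names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return machine, bool(chars & IMAGE_FILE_DLL), names


def triage_xll(data, zone_id=None):
    """Classify a candidate add-in: PE DLL? exposes the XLL interface? downloaded from the Internet?"""
    try:
        machine, is_dll, exports = pe_exports(data)
    except ValueError as e:
        return {"is_pe": False, "reason": str(e)}
    return {"is_pe": True, "is_dll": is_dll,
            "arch": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "xll_interface": sorted(set(exports) & XLL_INTERFACE),
            "autorun_on_load": "xlAutoOpen" in exports,  # Excel calls this on load
            "from_internet": zone_id == 3}               # 3 = URLZONE_INTERNET


def build_sample_dll(export_names, dll_name=b"sample.xll"):
    """Constructed test input: a minimal PE32+ DLL with the given export names (not loadable code)."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    funcs_rva, names_rva = sec_rva + 40, sec_rva + 40 + 4 * n
    ords_rva, strings_rva = names_rva + 4 * n, names_rva + 6 * n
    strings, name_rvas = bytearray(dll_name + b"\0"), []
    for nm in sorted(export_names):  # a real name table is sorted for binary search
        name_rvas.append(strings_rva + len(strings))
        strings += nm.encode() + b"\0"
    section = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    section += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))  # placeholder code RVAs
    section += b"".join(struct.pack("<I", r) for r in name_rvas)
    section += b"".join(struct.pack("<H", i) for i in range(n)) + bytes(strings)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = bytearray(240); struct.pack_into("<H", opt, 0, 0x20B); struct.pack_into("<II", opt, 112, sec_rva, len(section))
    sec_hdr = struct.pack("<8sIIII", b".rdata", len(section), sec_rva, len(section), sec_raw) + bytes(16)
    hdr = bytes(dos) + coff + bytes(opt) + sec_hdr
    return hdr + bytes(sec_raw - len(hdr)) + section


if __name__ == "__main__":
    motw = "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/\r\n"  # constructed download stream
    print(triage_xll(build_sample_dll(["xlAutoOpen", "xlAutoClose", "xlAddInManagerInfo12"]), parse_zone_identifier(motw)))
    print(triage_xll(build_sample_dll(["DllMain", "Helper"]), parse_zone_identifier(motw)))
```

On a Windows host, read_mark_of_the_web(path) reads the real stream; on other filesystems it returns None, so treat None as "unknown" rather than "local". A DLL that exports xlAutoOpen and arrived from the Internet zone is exactly the kind of file the article describes: the macro block does not apply to it, and Excel will load it after the warning the user tends to click through. Also compare the reported architecture with the installed Excel (32-bit Excel cannot load an x64 XLL), which is often the quickest way to tell which build of the add-in was meant for the victim.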
According to the researchers, attackers use both add-ins written natively in C++ and add-ins built with the free Excel-DNA framework, which packages .NET code into an XLL. While the first such experiments were observed a few years ago, in 2021-2022 these attacks picked up noticeably.
The researchers write that XLL add-ins have already been abused by the Chinese groups APT10 and TA410 (as far back as 2017), by the Russian-speaking group FIN7 (which began using add-in files in its campaigns last summer), by the well-known Dridex and FormBook loaders, and by other major malware families including Agent Tesla, STOP ransomware, Vidar, Buer Loader, NanoCore, IcedID, Arkei, AsyncRAT and BazarLoader, among others.