Microsoft’s resolution to dam Visible Primary for Purposes (VBA) macros by default for Workplace recordsdata downloaded from the web has led many menace actors to improvise their assault chains in current months.
Now based on Cisco Talos, superior persistent menace (APT) actors and commodity malware households alike are more and more utilizing Excel add-in (.XLL) recordsdata as an preliminary intrusion vector.
Weaponized Workplace paperwork delivered through spear-phishing emails and different social engineering assaults have remained one of many broadly used entry factors for felony teams trying to execute malicious code.
These paperwork historically immediate the victims to allow macros to view seemingly innocuous content material, solely to activate the execution of malware stealthily within the background.
To counter this misuse, the Home windows maker enacted a vital change beginning in July 2022 that blocks macros in Workplace recordsdata connected to e mail messages, successfully severing a vital assault vector.
Whereas this blockade solely applies to new variations of Entry, Excel, PowerPoint, Visio, and Phrase, dangerous actors have been experimenting with different an infection routes to deploy malware.
One such technique seems to be XLL files, which is described by Microsoft as a “kind of dynamic hyperlink library (DLL) file that may solely be opened by Excel.”
“XLL recordsdata may be despatched by e mail, and even with the same old anti-malware scanning measures, customers could possibly open them not realizing that they might comprise malicious code,” Cisco Talos researcher Vanja Svajcer stated in an evaluation printed final week.
The cybersecurity agency stated menace actors are using a mixture of native add-ins written in C++ in addition to these developed utilizing a free software known as Excel-DNA, a phenomenon that has witnessed a major spike since mid-2021 and continued to this 12 months.
That stated, the primary publicly documented malicious use of XLL is claimed to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the method to inject its backdoor payload into reminiscence through process hollowing.
Different identified adversarial collectives embrace TA410 (an actor with hyperlinks to APT10), DoNot Staff, FIN7, in addition to commodity malware households similar to Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was beforehand highlighted by Palo Alto Networks Unit 42, noting that it “might point out a brand new development within the menace panorama.”
“As increasingly more customers undertake new variations of Microsoft Workplace, it’s probably that menace actors will flip away from VBA-based malicious paperwork to different codecs similar to XLLs or depend on exploiting newly found vulnerabilities to launch malicious code within the course of area of Workplace functions,” Svajcer stated.
Malicious Microsoft Writer macros push Ekipa RAT
Ekipa RAT, moreover incorporating XLL Excel add-ins, has additionally acquired an replace in November 2022 that enables it to benefit from Microsoft Writer macros to drop the distant entry trojan and steal delicate data.
“Simply as with different Microsoft workplace merchandise, like Excel or Phrase, Writer recordsdata can comprise macros that may execute upon the opening or closing [of] the file, which makes them fascinating preliminary assault vectors from the menace actor’s standpoint,” Trustwave noted.
It is price noting that Microsoft’s restrictions to impede macros from executing in recordsdata downloaded from the web doesn’t lengthen to Writer recordsdata, making them a possible avenue for assaults.
“The Ekipa RAT is a good instance of how menace actors are constantly altering their strategies to remain forward of the defenders,” Trustwave researcher Wojciech Cieslak stated. “The creators of this malware are monitoring modifications within the safety trade, like blocking macros from the web by Microsoft, and shifting their techniques accordingly.”
