Microsoft’s decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the Internet has prompted many attackers to improvise attack chains in recent months. rice field.
according to now Cisco TalosAdvanced Persistent Threat (APT) actors, and commodity malware families are increasingly using Excel add-in (.XLL) files as their initial intrusion vector.
Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks remain one of the most popular entry points for criminal groups seeking to execute malicious code.
These documents traditionally urged victims to enable macros that displayed seemingly harmless content, simply activating malware execution covertly in the background.
To combat this misuse, Windows manufacturers have enacted significant changes starting in July 2022. block macros Office files attached to email messages effectively block an important attack vector.
While this lockdown applies only to newer versions of Access, Excel, PowerPoint, Visio, and Word, malicious actors are experimenting with alternative infection vectors to deploy malware.
One such method turned out XLL fileThis is described by Microsoft as “a dynamic-link library (DLL) file type that can only be opened by Excel.”
Cisco Talos researcher Vanja Svajcer said in an analysis published last week:
The cybersecurity firm said the attackers used a mix of native add-ins written in C++ and add-ins developed using a free tool called Excel-DNA. This phenomenon has seen a significant spike since mid-2021 and continues this year.
That said, the first publicly documented exploit of the XLL was in 2017, when China-linked APT10 (aka Stone Panda) attackers allegedly used the technique to inject backdoor payloads into memory. It is said Hollow processing.
Other known hostile groups include TA410 (actors with links to APT10), DoNot Team, FIN7, and Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RATFormBook, IcedID, Vidar Stealer, and Warzone RAT.
Exploitation of the distributed XLL file format Agent Tesla When dridex It was previously highlighted by Palo Alto Networks Unit 42, noting that it “could represent a new trend in the threat landscape.”
“As more and more users adopt new versions of Microsoft Office, attackers are turning away from VBA-based malicious documents to other formats such as XLL, or exploiting newly discovered vulnerabilities. can launch malicious code in the process space of Microsoft Office, an Office application,” Svajcer said.
Malicious Microsoft Publisher macro pushes Ekipa RAT
Ekipa RATIn addition to embedding an XLL Excel add-in, it received an update in November 2022 that leverages Microsoft Publisher macros to drop a remote access Trojan and steal sensitive information.
“Like other Microsoft Office products such as Excel and Word, Publisher files can contain macros that run when they are opened or closed. [of] This file presents an interesting initial attack vector from a threat actor’s perspective.” Trustwave I got it.
Note that Microsoft’s restriction against running macros in files downloaded from the Internet does not apply to Publisher files, making them a potential attack vector.
Trustwave researcher Wojciech Cieslak said: “The authors of this malware have tracked changes in the security industry, such as Microsoft blocking macros from the Internet, and have changed their tactics accordingly.”