Microsoft’s resolution to dam Visible Fundamental for Functions (VBA) macros by default for Workplace recordsdata downloaded from the Web has led many risk actors to improvise their assault chains in current months.
Now, in line with Cisco Talos, Superior Persistent Menace (APT) actors and commodity malware households are more and more utilizing Excel Add-in (.XLL) recordsdata as an preliminary intrusion vector.
Weaponized Workplace paperwork delivered by way of phishing emails and different social engineering assaults have remained one of the vital extensively used entry factors for prison teams searching for to execute malicious code.
These paperwork historically ask victims to allow macros to view seemingly innocuous content material, solely to set off malware to run stealthily within the background.
To counter this misuse, the maker of Home windows enacted a vital change beginning in July 2022 that blocks macros in Workplace recordsdata hooked up to e-mail messages, successfully slicing off a vital assault vector.
Whereas this block solely applies to newer variations of Entry, Excel, PowerPoint, Visio, and Phrase, dangerous actors have been experimenting with alternate an infection paths to deploy malware.
One such technique occurs to be XLL recordsdata, which Microsoft describes as a “kind of Dynamic Hyperlink Library (DLL) file that solely Excel can open.”
“XLL recordsdata could be despatched by way of e-mail, and even with the standard anti-malware scanning measures, customers can open them with out figuring out that they might include malicious code,” Cisco Talos researcher Vanja Svajcer mentioned in an evaluation revealed final week. cross.
The cybersecurity agency mentioned that risk actors are using a mixture of native plugins written in C++, in addition to these developed with a free software referred to as Excel-DNA, a phenomenon that has seen a big improve since mid-2021 and continued. till this 12 months.
That mentioned, the primary publicly documented malicious use of XLL is alleged to have occurred in 2017 when China-linked actor APT10 (aka Stone Panda) used the method to inject its backdoor payload into reminiscence by way of reminiscence flushing. course of.
Different identified adversary collectives embody TA410 (an actor with hyperlinks to APT10), DoNot Group, FIN7, in addition to commodity malware households resembling Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Conflict zone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was beforehand highlighted by Palo Alto Networks Unit 42, noting that it “might point out a brand new pattern within the risk panorama.”
“As an increasing number of customers undertake new variations of Microsoft Workplace, risk actors are prone to transfer away from malicious VBA-based paperwork to different codecs like XLL or depend on exploiting newly found vulnerabilities to drop code malicious within the Workplace software course of house,” Svajcer mentioned.
Malicious Microsoft Writer macros push Ekipa RAT
Ekipa RAT, along with incorporating XLL Excel plugins, has additionally obtained an replace in November 2022 that permits it to make the most of Microsoft Writer macros to drop the Distant Entry Trojan and steal delicate info.
“As with different Microsoft workplace merchandise, resembling Excel or Phrase, Writer recordsdata might include macros that might be executed while you open or shut [of] file, making them fascinating preliminary assault vectors from a risk actor’s viewpoint,” mentioned Trustwave.
It is price noting that Microsoft’s restrictions on stopping macros from working on recordsdata downloaded from the Web don’t prolong to Writer recordsdata, making them a possible avenue for assaults.
“The Ekipa RAT is a good instance of how risk actors regularly change their methods to get forward of defenders,” mentioned Trustwave researcher Wojciech Cieslak. “The creators of this malware are monitoring adjustments within the safety business, resembling Microsoft’s blocking of Web macros, and altering their techniques accordingly.”
APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector