Microsoft may have blocked macros from running by default in its Office suite, but researchers say there is a workaround.
According to a new report from Cisco Talos, a few months after the block was introduced, one particular alternative is increasingly being adopted by cybercriminals.
The researchers say attackers are increasingly using XLL files (as opposed to XLS and XLSX spreadsheets) to deliver malicious code to their targets.
The researchers explain that XLL files are “a type of dynamic-link library (DLL) file that can only be opened with Excel”. In other words, an XLL is a native add-in: Excel loads it like any other DLL and calls its well-known entry points (xlAutoOpen among them) as soon as the add-in is opened, which is how spreadsheets gain functionality supplied by third-party code. Because that is compiled code rather than VBA, the macro block does not stop it from running.
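Because an XLL is just a PE image with a particular export table, the reliable tell is the exported entry points, not the file extension. The following triage script is an added example and is not code from the Cisco Talos report or the original article: it walks the PE export directory by hand (no third-party libraries) and flags any file that exports xlAutoOpen, the routine Excel calls when it loads an add-in. The sample input is a constructed, non-functional PE32+ stub built inline so the script runs offline; it carries no code and would not load in Excel.

```python
"""Triage helper: does a file carry an Excel XLL add-in, whatever its extension says?"""
import struct

# Entry points defined by the Excel SDK for XLL add-ins. xlAutoOpen is the one
# Excel calls on load, so it is the export that hands an add-in execution.
XLL_ENTRY_POINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                    "xlAddInManagerInfo", "xlAddInManagerInfo12"}


def _rva_to_offset(rva, sections):
    """Translate an in-memory RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def pe_exports(data: bytes) -> list:
    """Return the exported function names of a PE32/PE32+ image, [] if not a PE
    or if the image has no export directory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    # Offset of the export data directory inside the optional header.
    dd_off = {0x10B: 96, 0x20B: 112}.get(magic)
    if dd_off is None:
        return []
    export_rva, _export_size = struct.unpack_from("<II", data, opt + dd_off)
    if export_rva == 0:
        return []
    sections = []
    sec = opt + opt_size
    for i in range(num_sections):
        # Section header: Name(8) VirtualSize VirtualAddress SizeOfRawData PointerToRawData ...
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec + i * 40 + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections)
    num_names, = struct.unpack_from("<I", data, exp + 24)   # NumberOfNames
    names_rva, = struct.unpack_from("<I", data, exp + 32)   # AddressOfNames
    names_off = _rva_to_offset(names_rva, sections)
    return [_cstring(data, _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections))
            for i in range(num_names)]


def xll_entry_points(data: bytes) -> list:
    """Which XLL-specific entry points does this image export?"""
    return sorted(set(pe_exports(data)) & XLL_ENTRY_POINTS)


def is_xll_addin(data: bytes) -> bool:
    """An image exporting xlAutoOpen is an Excel add-in, regardless of its name."""
    return "xlAutoOpen" in pe_exports(data)


def build_sample_xll() -> bytes:
    """Constructed test input: a minimal PE32+ stub with one .edata section whose
    export table names xlAutoClose and xlAutoOpen. No code, will not load."""
    names = [b"xlAutoClose", b"xlAutoOpen"]
    sec_rva, sec_off = 0x1000, 0x200
    addr_funcs, addr_names, addr_ords, str_base = (sec_rva + 0x28, sec_rva + 0x30,
                                                   sec_rva + 0x38, sec_rva + 0x40)
    section = bytearray(0x200)
    # IMAGE_EXPORT_DIRECTORY (40 bytes)
    struct.pack_into("<IIHHIIIIIII", section, 0, 0, 0, 0, 0, 0, 1,
                     len(names), len(names), addr_funcs, addr_names, addr_ords)
    name_rvas, cursor = [], str_base
    for n in names:
        section[cursor - sec_rva:cursor - sec_rva + len(n) + 1] = n + b"\0"
        name_rvas.append(cursor)
        cursor += len(n) + 1
    struct.pack_into("<II", section, addr_funcs - sec_rva, 0x1100, 0x1110)  # fake code RVAs
    struct.pack_into("<II", section, addr_names - sec_rva, *name_rvas)
    struct.pack_into("<HH", section, addr_ords - sec_rva, 0, 1)

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64 DLL, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                         # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva, 0x60)              # export directory entry
    sec_hdr = bytearray(40)
    sec_hdr[:6] = b".edata"
    struct.pack_into("<IIII", sec_hdr, 8, 0x200, sec_rva, 0x200, sec_off)
    image = dos + b"PE\0\0" + coff + opt + sec_hdr
    image += b"\0" * (sec_off - len(image))
    return bytes(image + section)


if __name__ == "__main__":
    sample = build_sample_xll()
    print("exports:", pe_exports(sample))
    print("XLL entry points:", xll_entry_points(sample), "| is XLL add-in:", is_xll_addin(sample))
```

Run it against mail attachments or downloads regardless of extension: an ordinary DLL exports nothing from the XLL set, a renamed .xlsx is a ZIP and returns no exports at all, and a real add-in shows xlAutoOpen. The parser deliberately ignores the file name for exactly the reason the article gives.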
Weaponized XLL files are nothing new (the first samples are said to have been reported as early as 2017), but they were rarely used until Microsoft moved to block macros in files downloaded from the internet. Since 2021, a growing number of malware families have adopted the workaround.
“For quite a while after [mid-2017], the use of XLL files is sporadic and it doesn’t increase significantly until late 2021, when commodity malware families like Dridex and Formbook start using it,” Vanja Svajcer, outreach researcher at Cisco Talos, noted in the report.
“Currently, a significant number of advanced persistent threat actors and commodity malware strains are using XLL as an infection vector, and the number continues to grow.”
Among the groups using XLL files is the Chinese threat actor APT10 (also known as Potassium), which used them to distribute the ANEL backdoor. Then there is Cicada (also tracked as Stone Panda and TA410), a group said to be “loosely affiliated” with APT10, as well as the DoNot team and FIN7.
Threat actors have also used XLL files to deliver other malware families, including Warzone RAT and Ducktail. Businesses are warned that the number of such threats is likely to keep growing.
Via: The Register