Microsoft's decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.
Now, according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.
Weaponized Office documents delivered via phishing emails and other social engineering attacks have remained one of the most widely used entry points for criminal groups seeking to execute malicious code.
These documents traditionally prompt victims to enable macros to view seemingly innocuous content, only to trigger malware that runs stealthily in the background.
To counter this misuse, the Windows maker enacted a key change starting in July 2022 that blocks macros in Office files attached to email messages, effectively cutting off a crucial attack vector.
While this block only applies to newer versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection paths to deploy malware.
One such method happens to be XLL files, which Microsoft describes as a "type of Dynamic Link Library (DLL) file that only Excel can open."
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users can open them without knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.
The cybersecurity firm said that threat actors are employing a mix of native add-ins written in C++ as well as add-ins built with a free tool called Excel-DNA, a phenomenon that has seen a significant increase since mid-2021 and has continued into this year.
That said, the first publicly documented malicious use of XLL is said to have occurred in 2017, when the China-linked actor APT10 (aka Stone Panda) used the technique to inject its backdoor payload into memory via process hollowing.
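An added, defender-side example (not code from the article, Cisco Talos, or Excel-DNA) that shows how an XLL can be recognised by structure rather than by file extension, which matters because the attachments described above reach users with conventional scanning in place. It relies only on the documented PE file layout and on the fact that Excel loads an add-in by calling its exported `xlAutoOpen` function, so a DLL exporting that name is an XLL whatever it is called on disk. The sample attachments are constructed inline as minimal PE images by the hypothetical helper `build_sample_pe`, so the script runs offline; every file name in it is made up.

```python
"""Structural triage of e-mail attachments for Excel add-ins (XLL).

Added example, not code from the article or from Cisco Talos. It assumes the
documented PE layout and that Excel invokes an add-in through its exported
xlAutoOpen function, so any DLL exporting that name is an XLL whatever its
file extension. The sample images below are constructed, minimal PE files
(hypothetical helper build_sample_pe), so the script runs offline.
"""
import struct

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag: image is a DLL
XLL_ENTRY_POINT = b"xlAutoOpen"  # export Excel calls when it loads an add-in


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)


def parse_exports(data):
    """Return (is_dll, list_of_export_names) for a PE image; ValueError if not PE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    _, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories start at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B);
    # entry 0 is the export directory.
    export_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    is_dll = bool(chars & IMAGE_FILE_DLL)
    if export_rva == 0:
        return is_dll, []
    ed = _rva_to_offset(sections, export_rva)
    n_names = struct.unpack_from("<I", data, ed + 24)[0]                              # NumberOfNames
    names_off = _rva_to_offset(sections, struct.unpack_from("<I", data, ed + 32)[0])  # AddressOfNames
    names = []
    for i in range(n_names):
        s = _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0])
        names.append(data[s:data.index(b"\0", s)])
    return is_dll, names


def classify(data):
    """Label a blob as 'xll-addin', 'dll', 'exe' or 'not-pe', ignoring its file name."""
    try:
        is_dll, names = parse_exports(data)
    except (ValueError, struct.error, IndexError):
        return "not-pe"
    if is_dll and XLL_ENTRY_POINT in names:
        return "xll-addin"
    return "dll" if is_dll else "exe"


def build_sample_pe(exports, is_dll=True, pe32plus=True):
    """Constructed test data: a minimal, non-runnable PE image exporting the given names."""
    va, raw_ptr = 0x1000, 0x200
    n = len(exports)
    names_rva = va + 40                 # export directory is 40 bytes
    funcs_rva = names_rva + 4 * n
    ords_rva = funcs_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings, name_rvas = bytearray(), []
    for e in exports:
        name_rvas.append(str_rva + len(strings))
        strings += e + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, funcs_rva, names_rva, ords_rva)
    body = (export_dir + b"".join(struct.pack("<I", r) for r in name_rvas)
            + b"\0" * (4 * n) + b"".join(struct.pack("<H", i) for i in range(n)) + bytes(strings))
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size,
                       0x0002 | (IMAGE_FILE_DLL if is_dll else 0))
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<II", opt, 112 if pe32plus else 96, va, len(body))  # export directory entry
    section = b".edata\0\0" + struct.pack("<IIII", len(body), va, 0x200, raw_ptr) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew -> PE header at 0x40
    header = dos + b"PE\0\0" + coff + bytes(opt) + section
    return header.ljust(raw_ptr, b"\0") + body.ljust(0x200, b"\0")


if __name__ == "__main__":
    samples = {                                    # constructed attachments
        "quarterly.xll": build_sample_pe([b"xlAutoOpen", b"xlAutoClose"]),
        "invoice.pdf": build_sample_pe([b"xlAutoOpen"], pe32plus=False),  # extension lies
        "helper.dll": build_sample_pe([b"DllMain"]),
        "notes.txt": b"plain text, not a PE file",
    }
    for name, blob in samples.items():
        print("%-14s %s" % (name, classify(blob)))
```

The useful property for detection is that the `xlAutoOpen` export cannot be hidden: Excel refuses to treat the file as an add-in without it, so packing or renaming the attachment does not remove the marker. A mail gateway or EDR rule can therefore flag any PE attachment that `classify` labels `xll-addin` for quarantine or review, independent of the extension the sender chose.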
Other known adversary collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Warzone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it "may indicate a new trend in the threat landscape."
"As more and more users adopt new versions of Microsoft Office, threat actors are likely to move away from malicious VBA-based documents to other formats like XLL or rely on exploiting newly discovered vulnerabilities to drop malicious code in the Office application process space," Svajcer said.
Malicious Microsoft Publisher macros push Ekipa RAT
Ekipa RAT, in addition to incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to leverage Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.
"As with other Microsoft Office products, such as Excel or Word, Publisher files can contain macros that can be executed when you open or close the file, making them interesting initial attack vectors from a threat actor's perspective," said Trustwave.
It is worth noting that Microsoft's restrictions on preventing macros from running in files downloaded from the internet do not extend to Publisher files, leaving them a potential avenue for attacks.
"The Ekipa RAT is a great example of how threat actors constantly change their techniques to stay ahead of defenders," said Trustwave researcher Wojciech Cieslak. "The creators of this malware are tracking changes in the security industry, such as Microsoft's blocking of internet macros, and changing their tactics accordingly."