Microsoft may have blocked macros from running by default in its Office suite of programs, but there are workarounds, researchers are saying.
Several months after the ban was introduced, one specific workaround is seeing an uptick in adoption in the cybercriminal community, according to a new report from Cisco Talos.
The team claims cybercriminals are increasingly using XLL files (as opposed to XLS and XLSX) to deliver malicious code to target endpoints (opens in new tab).
Growing in popularity
XLL files are “a type of dynamic link library (DLL) file that can only be opened by Excel”, the researchers explain. In other words, with XLL files, Microsoft Excel spreadsheets can take advantage of additional functionality coming from third-party apps.
While the weaponization of XLL files is nothing new (first samples have been reported as early as 2017, it was said), these files were rarely used until Microsoft decided to block the running of macros in files downloaded from the internet. Now, since 2021, more malware families started deploying the alternative solution.
“For quite some time after [mid-2017], the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Cisco Talos noted in the report.
“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”
Among the groups using XLL files are the Chinese threat actor APT10 (AKA Potassium), which used it to distribute the Anel Backdoor. Then there is Cicada (AKA Stone Panda, TA410) a group that’s allegedly “loosely tied” to APT10, as well as DoNot, and Fin7.
Apparently, the threat actors have been using XLL files to deliver various malware families, such as Warzone RAT, or Ducktail. Businesses are warned to expect an increasing number of such threats going forward.
Via: The Register (opens in new tab)
Source: www.techradar.com