Microsoft’s selection to block Visible Simple for Apps (VBA) macros by default for Business documents downloaded from the internet has led lots of risk actors to improvise their attack chains in new months.
Now according to Cisco Talos, innovative persistent menace (APT) actors and commodity malware families alike are ever more making use of Excel add-in (.XLL) data files as an preliminary intrusion vector.
Weaponized Office files shipped by means of spear-phishing email messages and other social engineering attacks have remained one of the commonly made use of entry factors for felony groups wanting to execute malicious code.
These paperwork traditionally prompt the victims to enable macros to check out seemingly innocuous information, only to activate the execution of malware stealthily in the qualifications.
To counter this misuse, the Windows maker enacted a critical adjust beginning in July 2022 that blocks macros in Place of work files hooked up to email messages, effectively severing a crucial attack vector.
When this blockade only applies to new variations of Obtain, Excel, PowerPoint, Visio, and Term, undesirable actors have been experimenting with alternate an infection routes to deploy malware.
One such strategy turns out to be XLL information, which is explained by Microsoft as a “style of dynamic url library (DLL) file that can only be opened by Excel.”
“XLL information can be despatched by email, and even with the normal anti-malware scanning measures, end users might be able to open them not recognizing that they may perhaps comprise destructive code,” Cisco Talos researcher Vanja Svajcer reported in an investigation revealed previous week.
The cybersecurity company stated menace actors are employing a combine of native add-ins composed in C++ as perfectly as those people formulated employing a totally free device termed Excel-DNA, a phenomenon that has witnessed a substantial spike considering the fact that mid-2021 and ongoing to this calendar year.
That mentioned, the first publicly documented destructive use of XLL is explained to have transpired in 2017 when the China-joined APT10 (aka Stone Panda) actor used the strategy to inject its backdoor payload into memory by means of system hollowing.
Other identified adversarial collectives include TA410 (an actor with hyperlinks to APT10), DoNot Workforce, FIN7, as very well as commodity malware family members these as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was beforehand highlighted by Palo Alto Networks Device 42, noting that it “might show a new development in the threat landscape.”
“As a lot more and more users undertake new variations of Microsoft Office environment, it is likely that risk actors will change absent from VBA-centered malicious documents to other formats these kinds of as XLLs or count on exploiting recently found vulnerabilities to launch destructive code in the system area of Workplace purposes,” Svajcer reported.
Malicious Microsoft Publisher macros drive Ekipa RAT
Ekipa RAT, in addition to incorporating XLL Excel increase-ins, has also received an update in November 2022 that lets it to acquire benefit of Microsoft Publisher macros to fall the distant access trojan and steal delicate details.
“Just as with other Microsoft business products and solutions, like Excel or Term, Publisher information can comprise macros that will execute upon the opening or closing [of] the file, which can make them exciting original attack vectors from the threat actor’s stage of look at,” Trustwave mentioned.
It can be truly worth noting that Microsoft’s limitations to impede macros from executing in information downloaded from the internet does not increase to Publisher information, making them a opportunity avenue for attacks.
“The Ekipa RAT is a great example of how danger actors are consistently altering their strategies to remain forward of the defenders,” Trustwave researcher Wojciech Cieslak explained. “The creators of this malware are tracking improvements in the security field, like blocking macros from the internet by Microsoft, and shifting their techniques appropriately.”
Located this posting fascinating? Abide by us on Twitter and LinkedIn to examine a lot more distinctive material we submit.
Some areas of this write-up are sourced from: