Cybercrooks amp up attacks via macro-enabled XLL files


Cybercriminals are once again abusing macro-enabled Excel add-in (XLL) files in malware attacks at a vastly increased rate, according to new research.

HP Wolf Security revealed that .xlam files are now the seventh most commonly abused file extension in Q3 2023, rising 35 places from 42nd on the list in Q2.

XLL attacks aren't new, and researchers observed a lull in their use at the start of 2023, but they have received a surge of attention in the past few months.

XLL files offer attackers greater capabilities than alternatives like Visual Basic for Applications (VBA) macros, which are now blocked by default courtesy of Microsoft's 2022 intervention, a move that was seen at the time as long overdue.

They extend Excel's functionality, facilitate more effective attacks thanks to features like multithreading support, and have been adopted in the past by developers of malware families such as Dridex, Agent Tesla, Raccoon Stealer, and Formbook.

Macro-enabled XLL files can be implemented in a number of ways, with many attackers opting to use them as a malware dropper directly within the document, rather than as a means to download payloads from the web.

The latest finding is another example of how attackers continue to evolve their strategies to leverage seemingly benign Microsoft Office documents to distribute malware.

Since Microsoft announced it would block VBA macros by default, then briefly backtracked before blocking them again, attackers have been experimenting with different file types to launch their malware attacks.

The ubiquity of Microsoft Office documents in the business world means they are perceived by many as inherently safe, making them an ideal medium through which criminals can launch attacks.

After the block on VBA macros, .LNK files became the de facto replacement before OneNote file experimentation took hold, along with ISO and RAR attachments.

Microsoft also made the decision to block XLL attachments from untrusted locations by default at the start of this year, making the surge in use noteworthy.


By default, XLL files that originate from locations not explicitly designated as "trusted" are blocked for users. Microsoft has said that most people will never need to use add-ins, as they aren't required for typical Excel use cases.

Abuse in active attacks

Attackers demonstrated how they were able to bypass the XLL block earlier this year during a Parallax remote access trojan (RAT) campaign from July.

Masquerading as scanned invoices, the XLL attachments sent to users are thought to have come from compromised email accounts, meaning the location of the XLL would likely have been considered "trusted," thus bypassing many of the default security measures against the file type.

Taking advantage of add-ins' multithreading capability, the malware used the aforementioned dropper method of deploying the payload. When the file is first opened, the xlAutoOpen function, which contains the malicious code, is run to load various system libraries and dynamically resolve their functions.

Then, on one thread, the malware writes an executable "lum.exe" under a new folder in C:\ProgramData. A new registry key called 'ID' is created under HKEY_CURRENT_USER\Software\Intel with the executable's folder name set as its value. Lum.exe is then launched.

Taking place on another thread are efforts to increase the perceived legitimacy of the file – a dummy invoice document, which is just a legitimate invoice template taken from the web, is saved to the victim's disk.

The Parallax RAT uses multiple techniques to evade detection, such as process hollowing, and from there becomes operational.

The researchers said it's often available to buy for about $65 per month and offers attackers capabilities such as remote control access to victim machines, data exfiltration, and credential theft.
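The dropper chain described above (Excel writing an .exe under C:\ProgramData, setting HKCU\Software\Intel\ID to the folder name, then launching the dropped file) lends itself to a correlation rule. The following Python is an added example, not code from the article or from HP Wolf Security; the Sysmon-style event layout and the sample events are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). The field layout loosely
# mirrors Sysmon event IDs: 11 = FileCreate, 13 = RegistryEvent (SetValue),
# 1 = ProcessCreate, with "proc"/"pid" being the acting (parent) process.
SAMPLE_EVENTS = [
    {"id": 11, "proc": "EXCEL.EXE", "pid": 4242,
     "target": "C:\\ProgramData\\abc123\\lum.exe"},
    {"id": 13, "proc": "EXCEL.EXE", "pid": 4242,
     "target": "HKCU\\Software\\Intel\\ID", "details": "abc123"},
    {"id": 1, "proc": "EXCEL.EXE", "pid": 4242,
     "image": "C:\\ProgramData\\abc123\\lum.exe"},
    # Benign: Excel saving an ordinary workbook; same event type, no chain.
    {"id": 11, "proc": "EXCEL.EXE", "pid": 5151,
     "target": "C:\\Users\\bob\\Documents\\Invoice_1023.xlsx"},
]

PROGRAMDATA = "c:\\programdata\\"
INTEL_ID_KEY = "hkcu\\software\\intel\\id"


def detect_xll_dropper_chain(events):
    """Return {excel_pid: stages} for each Excel process that completes the
    whole chain. Any single stage is noisy (installers write to ProgramData,
    software sets HKCU values); all three under one Excel pid is the signal."""
    stages = defaultdict(dict)
    for ev in events:
        if ev["proc"].lower() != "excel.exe":
            continue
        s = stages[ev["pid"]]
        if ev["id"] == 11:
            t = ev["target"].lower()
            if t.startswith(PROGRAMDATA) and t.endswith(".exe"):
                s["dropped"] = ev["target"]
        elif ev["id"] == 13 and ev["target"].lower() == INTEL_ID_KEY:
            s["regvalue"] = ev.get("details", "")
        elif ev["id"] == 1 and ev["image"].lower().startswith(PROGRAMDATA):
            s["launched"] = ev["image"]
    alerts = {}
    for pid, s in stages.items():
        if not {"dropped", "regvalue", "launched"} <= set(s):
            continue
        dropped = s["dropped"].lower()
        # Launched image must be the dropped file, and the registry value must
        # name the folder it was dropped into, as in the Parallax sample.
        folder = dropped[len(PROGRAMDATA):].split("\\")[0]
        if s["launched"].lower() == dropped and s["regvalue"].lower() == folder:
            alerts[pid] = dict(s)
    return alerts


if __name__ == "__main__":
    for pid, s in detect_xll_dropper_chain(SAMPLE_EVENTS).items():
        print(f"ALERT excel pid {pid}: {s}")
```

Mapping real Sysmon fields (ParentImage, TargetFilename, TargetObject, Details) onto this layout is the only adaptation needed to run it over exported logs.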

A similar campaign was also observed targeting LATAM hotels with add-in files, but for PowerPoint rather than Excel. Again, it involved the installation of a RAT – this time it was XWorm, which has capabilities beyond remote desktop control including keylogging and clipboard hijacking.

Separately, XWorm attacks appear to be spreading using different techniques. Trellix spotted a campaign from late July targeting organizations across various industries, but this time mainly in the US, Republic of Korea, and Germany.

The delivery mechanism here was different too, with the attackers instead opting for malicious URLs embedded in .pdf, .docx, and .rtf files.