It looks like Microsoft Excel has a new Macro-like vulnerability
Microsoft started blocking certain macros in Word, Excel, and PowerPoint back in July, in an attempt to protect against cyberattacks targeting users across the Microsoft 365 apps. Unfortunately, however, as has been proven again and again, cybercriminals and scammers will not simply rest upon their laurels when they lose access to a particular exploit or vulnerability and will instead endeavour to find new ways of targeting potential victims.
A new report from the Cisco Talos Threat Source security team seems to have uncovered a new way that malicious actors are seeking to exploit Excel users using XLL files.
XLL files are a type of dynamic link library file that can only be opened by Excel and are used to add extra functionality to the spreadsheet. They have been used in attacks for several years, but saw increased usage toward the end of 2021. Vanja Svajcer, who is an outreach researcher at Talos, said:
“For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it.”
However, she went on to say:
“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”
Groups such as APT10 (also known as Chessmaster, Potassium, and menuPass), TA410 (also known as Cicada or Stone Panda), DoNot, and FIN7 have been using XLLs to inject malware, such as the Anel Backdoor malware, in order to steal information through keylogging, password theft, and screenshot capturing.
As is common for malware scams, XLL files can be sent via email and can often make it past email anti-malware defences to end up being opened by users who are unaware of the potential for malicious code. Accordingly, XLL files have seen an increase in popularity, with malicious native and Excel-DNA samples submitted to VirusTotal spiking in 2020 and continuing to rise into 2021.
In order to keep yourself as safe as possible, Microsoft recommends you do not open XLL files from untrusted sources and that you use the Office Trust Center to manage add-in security settings.
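Because XLLs are DLLs that arrive as email attachments, a mail filter can hold them by name and by content. The following Python sketch is an added example, not code from the Talos report or from Microsoft. It assumes the standard XLL entry-point name `xlAutoOpen`, which the article does not mention; the function names and the sample message are constructed for illustration.

```python
import struct
from email import message_from_bytes, policy
from email.message import EmailMessage

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLLs

def is_pe_dll(data: bytes) -> bool:
    """True if data begins with an MZ/PE header whose COFF flags mark a DLL."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return bool(flags & IMAGE_FILE_DLL)

def triage(filename: str, data: bytes) -> list[str]:
    """Reasons to hold an attachment as a likely Excel XLL add-in."""
    reasons = ["xll-extension"] if filename.lower().endswith(".xll") else []
    if is_pe_dll(data):
        # Heuristic: looks for the export name string, not a full export-table parse.
        reasons.append("dll-with-xlAutoOpen" if b"xlAutoOpen\0" in data else "dll-content")
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map attachment filename -> reasons, for attachments worth holding."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {}
    for part in msg.iter_attachments():
        reasons = triage(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"")
        if reasons:
            hits[part.get_filename() or "(unnamed)"] = reasons
    return hits

def _fake_dll(with_export: bool) -> bytes:
    """Constructed header-only stand-in for a DLL; not a loadable file."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, IMAGE_FILE_DLL)
    return dos + coff + (b"xlAutoOpen\0" if with_export else b"")

def build_sample() -> bytes:
    """Constructed message with two fake DLL attachments and one text file."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    for name, body in (("invoice.xll", _fake_dll(True)), ("report.xlsx", _fake_dll(True)), ("notes.txt", b"hello")):
        msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    print(scan_message(build_sample()))
```

The content check matters because the `.xll` extension alone says nothing about attachments that carry the same DLL under another name.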