It looks like Microsoft Excel has a new Macro-like vulnerability

Patrick Devaney
Dec 22, 2022

Microsoft started blocking certain macros in Word, Excel, and PowerPoint back in July, in an attempt to protect users of the Microsoft 365 apps against cyberattacks. As has been proven again and again, however, cybercriminals and scammers do not rest on their laurels when they lose access to a particular exploit or vulnerability; they look for new ways of targeting potential victims.

A new report from the Cisco Talos Threat Source security team seems to have uncovered a new way in which malicious actors are seeking to exploit Excel users: XLL files.

XLL files are a type of dynamic link library file that can only be opened by Excel and are used to add extra functionality to the spreadsheet. They have been used in attacks for several years, but saw increased usage toward the end of 2021. Vanja Svajcer, who is an outreach researcher at Talos, said:

“For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it.”

However, she went on to say:

“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”

Groups such as APT10 (also known as Chessmaster, Potassium, and menuPass), TA410 (also known as Cicada or Stone Panda), DoNot, and FIN7 have been using XLLs to inject malware, such as the Anel Backdoor malware, in order to steal information through keylogging, password theft, and screenshot capturing.

As is common for malware scams, XLL files can be sent via email and can often make it past email anti-malware defences, ending up opened by users who are unaware of the potential for malicious code. Accordingly, XLL files have seen an increase in popularity, with malicious native and Excel-DNA samples submitted to VirusTotal spiking in 2020 and continuing to rise into 2021.

In order to keep yourself as safe as possible, Microsoft recommends you do not open XLL files from untrusted sources and that you use the Office Trust Center to manage add-in security settings.
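
Because an XLL is an ordinary Windows DLL, a mail or endpoint filter can recognise one by its content instead of relying on the file name. The sketch below is an added example, not code from the article or from Talos; it assumes (a detail not stated on this page) that Excel add-ins export a function named `xlAutoOpen`, and the names `pe_export_names`, `should_quarantine` and `build_sample_pe` are hypothetical.

```python
import struct

def pe_export_names(data, limit=4096):
    """Exported names of a PE image; [] if not a PE, no exports, or malformed."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsec, _, _, _, opt_size = struct.unpack_from("<HIIIH", data, pe + 6)
        opt = pe + 24
        magic, = struct.unpack_from("<H", data, opt)
        # Export table is data directory 0; its offset differs for PE32+ (0x20B).
        exp_rva, = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))
        secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
        def off(rva):                                           # RVA -> file offset
            for vsize, vaddr, rsize, raw in secs:
                if vaddr <= rva < vaddr + max(vsize, rsize):
                    return raw + rva - vaddr
            raise ValueError("RVA outside all sections")
        exp = off(exp_rva)
        count, _, names_rva = struct.unpack_from("<III", data, exp + 24)
        names = []
        for i in range(min(count, limit)):                      # cap hostile counts
            rva, = struct.unpack_from("<I", data, off(names_rva) + 4 * i)
            start = off(rva)
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):
        return []

def should_quarantine(filename, data):
    """Flag an attachment as an Excel add-in by extension or by its exports."""
    return filename.lower().endswith(".xll") or "xlAutoOpen" in pe_export_names(data)

def build_sample_pe(exports):
    """Constructed test input (not a real add-in): minimal PE32 DLL exporting `exports`."""
    base = 0x1028 + 4 * len(exports)
    ptrs = [base + sum(len(n) + 1 for n in exports[:i]) for i in range(len(exports))]
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(ptrs), len(ptrs), 0, 0x1028, 0)
    edata += struct.pack(f"<{len(ptrs)}I", *ptrs) + b"".join(n.encode() + b"\0" for n in exports)
    opt = (struct.pack("<H", 0x10B).ljust(96, b"\0") + struct.pack("<I", 0x1000)).ljust(224, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    sec = b".edata\0\0" + struct.pack("<IIII", len(edata), 0x1000, len(edata), 0x200) + bytes(16)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sec
    return hdr.ljust(0x200, b"\0") + edata

if __name__ == "__main__":
    print(should_quarantine("invoice.dat", build_sample_pe(["xlAutoOpen", "xlAutoClose"])))
```

A malformed or truncated file yields an empty export list, so in that case the verdict falls back to the extension check alone.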

Publisher
Ghacks Technology News

Comments

  1. Jakim said on September 7, 2012 at 12:02 pm

    Other way: don’t install that crappy AV!

  2. b003 said on September 11, 2012 at 4:37 am

    I had GOM player slip this in on an update.

  3. Patrick said on November 14, 2012 at 11:26 am

    Hi! You can also find detailed instructions here: http://www.avg.com/ww-en/secure-search-uninstall I hope it helps. Thanks.

  4. john said on January 2, 2013 at 8:07 pm

    If anyone actually took the time to read through their earnings statement, they would understand the importance of the toolbar; it’s a cash cow, and can’t blame them for pushing it to uninformed users.
    It’s not a company to bet on when it’s driven mostly by short term revenue rather than innovation…

  5. SRW said on January 23, 2013 at 8:44 pm

    The sitesafety plugin is spyware which cannot be removed from your browser EVER. I have uninstalled the toolbar, and made the error of saying “Yes, keep sitesafety for secure web searches” which means FOREVER. I have deleted all files pointing to AVG, because they will no longer uninstall through control panel add/remove. “Could not uninstall at this time try again later” I don’t want to DISABLE it I want it GONE. But it keeps regenerating. AVG Secure Search directory keeps coming back to life in my Programs Folder, even though I removed everything called AVG in document and settings profiles for administrator, all users, myself, default users, it keeps coming back. It keeps UPDATING with Firefox’s update plugin option, so I am unable to auto update my other VALID plugins due to that one being auto updated and reinstalling everything too. NEVER USE AVG for anything, THEY refuse to help remove it too. They say it is something I must have done. YES, I made the mistake of clicking “Yes, keep avg secure search while removing the toolbar” I have read elsewhere that this IS THE KILLER DECISION. It makes removing secure search impossible.

  6. Neal said on January 24, 2013 at 8:35 pm

    I cannot seem to block AVG security search toolbar from reinstalling. Whether I use windows uninstall or Revo, I get “Could not uninstall at this time try again later.” Revo does show all the files it thinks are related to AVG secure search toolbar, which are scattered throughout my drive, and I select all and delete. The next day I get a new task-bar pop up asking to activate, I decline, but look in the programs and there is AVG secure search listed again!!! I tried in Chrome to block any cookies from AVG, [*.]avg.com, Blocked, under privacy setting. Any thoughts? I also have Symantec endpoint protection but it has no clue this is going on. Any ideas?

  7. Robert Ballesteros said on March 7, 2013 at 11:16 pm

    “So what’s the purpose of the toolbar? It ships with a link scanner that displays security information about websites. This is similar to what Web of Trust does. The toolbar itself offers search, weather information, a link to a speedtest and other features that are not really related to security.” Relevant security information about known/unknown websites; a SMALL matter you omitted. Similar to Web of Trust but not the same; another omission. In math terms no equal. No, these features are not related to security but are securely offered. Correct me on the last point if I am wrong. I will ask AVG as I conclude with our conversation. “Martin Brinkmann… He is passionate about all things tech and knows the Internet and computers like the back of his hand.” Yea, sure. And at my age I am just to believe it “because I read it on the Internet.” What? Did you write this yourself, Martin? Not ALL of us fall for the same old lame lines. Superior products come from Germany as do Sweden. AVG will tell anyone, for free, how to uninstall their free product line. How would I know? I asked them! Oh, but pardon me. My day and age has passed; you “bloggers” know everything nowadays. Asking a company is tantamount to stupid these days for you young people. I would suppose you consider all the times AVG Safe Search and Surf Shield saved a computer one time as to all the other useless apps out there that freeze a computer to be the main danger to the computer. And we are talking computers, Mr Brinkmann, as a cell phone is a computer with the ability to make a call. Versus a true mobile phone back in my day. Well, you have better things to blog about than an old man like me. In the end, sir, the problem IS the end user and not a company who builds free products for those who know not how to employ them. Try writing about the ineptitude of the end-user. After all if everyone knew their computers OS and how to…… Well, safe to say, Mr. Brinkmann, your work shall never end.

  8. Bumpyfunk said on May 7, 2013 at 4:22 pm

    All I have left on my pc is AVG secure search. When I try the normal Uninstall page of Control Panel, it just hangs and I end up having to restart. The longest we have left it is 4 hours. I have also tried Revo, as another forum swears by it. Same problem.

    Even the AVG site gives you both the Uninstall option (that doesn’t work) and the Add Ons option (I use Firefox). Neither work at all.

    Whatever I do, it just hangs. I can’t get rid of it. Please help.

  9. GORDON said on December 6, 2013 at 8:58 am

    AVG CRAP can be easily removed with FILE UNLOCKER, COMPLETELY REMOVED! After removing AVG CRAP, restore IE by downloading Microsoft’s IE repair software. PRESTO – NO MORE AVG BULLSHIT or lame Indian tech support asking for payment to remove their own garbage. AVG installs if you download winzip7 from softpedia, and system information wizard from other download sites.

  10. Ray said on December 29, 2013 at 3:13 am

    I removed all instances of vprot.exe from my registry and startup (run). I then removed everything under “C:\Program Files (x86)\AVG Secure Search”. Then I edited the properties of the “AVG Secure Search” directory, removing inheritance and leaving my account as having the only access and finally, I denied my account’s right to traverse folder/execute file. After several reboots for good measure, I am having no problem.

    Since the directory exists, AVG can’t create it and the system has no rights to the one that exists, so whatever process keeps reinstalling it is shut down cold.
