APT Hackers Flip to Malicious Excel Add-ins as Preliminary Intrusion Vector
Microsoft’s determination to dam Visible Primary for Purposes (VBA) macros by default for Workplace information downloaded from the web has led many menace actors to improvise their assault chains in latest months.
Now in response to Cisco Talos, superior persistent menace (APT) actors and commodity malware households alike are more and more utilizing Excel add-in (.XLL) information as an preliminary intrusion vector.
Weaponized Workplace paperwork delivered through spear-phishing emails and different social engineering assaults have remained one of many broadly used entry factors for felony teams trying to execute malicious code.
These paperwork historically immediate the victims to allow macros to view seemingly innocuous content material, solely to activate the execution of malware stealthily within the background.
To counter this misuse, the Home windows maker enacted a vital change beginning in July 2022 that blocks macros in Workplace information hooked up to electronic mail messages, successfully severing a vital assault vector.
Whereas this blockade solely applies to new variations of Entry, Excel, PowerPoint, Visio, and Phrase, dangerous actors have been experimenting with different an infection routes to deploy malware.
One such methodology seems to be XLL files, which is described by Microsoft as a “kind of dynamic hyperlink library (DLL) file that may solely be opened by Excel.”
“XLL information might be despatched by electronic mail, and even with the same old anti-malware scanning measures, customers could possibly open them not figuring out that they might include malicious code,” Cisco Talos researcher Vanja Svajcer mentioned in an evaluation printed final week.
The cybersecurity agency mentioned menace actors are using a mixture of native add-ins written in C++ in addition to these developed utilizing a free software known as Excel-DNA, a phenomenon that has witnessed a big spike since mid-2021 and continued to this yr.
That mentioned, the primary publicly documented malicious use of XLL is claimed to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the method to inject its backdoor payload into reminiscence through process hollowing.
Different identified adversarial collectives embrace TA410 (an actor with hyperlinks to APT10), DoNot Workforce, FIN7, in addition to commodity malware households comparable to Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was beforehand highlighted by Palo Alto Networks Unit 42, noting that it “could point out a brand new pattern within the menace panorama.”
“As increasingly customers undertake new variations of Microsoft Workplace, it’s seemingly that menace actors will flip away from VBA-based malicious paperwork to different codecs comparable to XLLs or depend on exploiting newly found vulnerabilities to launch malicious code within the course of house of Workplace purposes,” Svajcer mentioned.
Malicious Microsoft Writer macros push Ekipa RAT
Ekipa RAT, apart from incorporating XLL Excel add-ins, has additionally acquired an replace in November 2022 that enables it to reap the benefits of Microsoft Writer macros to drop the distant entry trojan and steal delicate data.
“Simply as with different Microsoft workplace merchandise, like Excel or Phrase, Writer information can include macros that can execute upon the opening or closing [of] the file, which makes them attention-grabbing preliminary assault vectors from the menace actor’s standpoint,” Trustwave noted.
It is price noting that Microsoft’s restrictions to impede macros from executing in information downloaded from the web doesn’t prolong to Writer information, making them a possible avenue for assaults.
“The Ekipa RAT is a good instance of how menace actors are constantly altering their strategies to remain forward of the defenders,” Trustwave researcher Wojciech Cieslak mentioned. “The creators of this malware are monitoring modifications within the safety business, like blocking macros from the web by Microsoft, and shifting their ways accordingly.”
