APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector



Dec 28, 2022 | Ravie Lakshmanan | Malware / Windows Security

Microsoft's decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.

Now, according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.

Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the most widely used entry points for criminal groups looking to execute malicious code.

These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to stealthily execute malware in the background.

To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files obtained from the internet, such as email attachments, effectively severing a long-used attack vector.

While this block only applies to newer versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.

One such method turns out to be XLL files, which Microsoft describes as a "type of dynamic link library (DLL) file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.
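Because an XLL is a plain DLL that Excel loads and then drives through exported entry points, a scanner does not have to trust the .xll extension: it can look at the export table. The following triage routine is an added example, not code from the Talos report or from Microsoft. It parses the PE export directory with the standard library only and reports which Excel add-in entry points a file exports; xlAutoOpen is the one Excel calls when the add-in is activated, so its presence is the tell, whether the attachment is named .xll, .dll or something else. The entry-point names are those documented in Microsoft's Excel XLL SDK; build_fake_xll is a constructed sample input (headers and an export table with no code behind it) so the example runs offline.

```python
import struct

# Entry points documented in the Excel XLL SDK; xlAutoOpen runs as soon as
# Excel activates the add-in, which is what makes an XLL an execution vector.
XLL_ENTRY_POINTS = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo12",
}

def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]

def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]

def _rva_to_offset(data, pe_off, rva):
    """Map a relative virtual address to a file offset via the section table."""
    nsec = _u16(data, pe_off + 6)                  # IMAGE_FILE_HEADER.NumberOfSections
    sec = pe_off + 24 + _u16(data, pe_off + 20)    # first section header, after the optional header
    for i in range(nsec):
        o = sec + 40 * i
        vsize, va = _u32(data, o + 8), _u32(data, o + 12)
        rsize, rptr = _u32(data, o + 16), _u32(data, o + 20)
        if va <= rva < va + max(vsize, rsize):
            return rva - va + rptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def pe_export_names(data):
    """Named exports of a PE32/PE32+ image. Returns an empty set for non-PE,
    export-less or malformed input so a gateway hook never crashes on a crafted file."""
    try:
        if data[:2] != b"MZ":
            return set()
        pe_off = _u32(data, 0x3C)                  # e_lfanew
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            return set()
        opt = pe_off + 24                          # IMAGE_OPTIONAL_HEADER
        plus = _u16(data, opt) == 0x20B            # PE32+ (64-bit) has a wider ImageBase
        if _u32(data, opt + (108 if plus else 92)) < 1:    # NumberOfRvaAndSizes
            return set()
        export_rva = _u32(data, opt + (112 if plus else 96))  # DataDirectory[EXPORT].VirtualAddress
        if export_rva == 0:
            return set()
        exp = _rva_to_offset(data, pe_off, export_rva)
        n_names = _u32(data, exp + 24)             # IMAGE_EXPORT_DIRECTORY.NumberOfNames
        names_tbl = _rva_to_offset(data, pe_off, _u32(data, exp + 32))  # AddressOfNames
        names = set()
        for i in range(n_names):
            off = _rva_to_offset(data, pe_off, _u32(data, names_tbl + 4 * i))
            names.add(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError, IndexError):
        return set()

def xll_entry_points(data):
    """Excel add-in entry points the file exports; empty if it is not an XLL."""
    return pe_export_names(data) & XLL_ENTRY_POINTS

def is_xll(data):
    return "xlAutoOpen" in pe_export_names(data)

def build_fake_xll(export_names, dll_name=b"sample.xll"):
    """Constructed test input: a minimal, well-formed PE32+ DLL made of headers
    plus one section holding an export directory. No code, cannot be executed."""
    sec_rva, sec_raw, n = 0x1000, 0x200, len(export_names)
    body = bytearray(40 + 10 * n)                  # export directory + three tables
    func_off, name_off, ord_off = 40, 40 + 4 * n, 40 + 8 * n
    dllname_rva = sec_rva + len(body)
    body += dll_name + b"\0"
    for i, name in enumerate(export_names):
        struct.pack_into("<I", body, func_off + 4 * i, 0)      # no function behind the export
        struct.pack_into("<I", body, name_off + 4 * i, sec_rva + len(body))
        struct.pack_into("<H", body, ord_off + 2 * i, i)
        body += name.encode("ascii") + b"\0"
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, dllname_rva, 1, n, n,
                     sec_rva + func_off, sec_rva + name_off, sec_rva + ord_off)
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, one section, DLL
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 14, 0, 0, len(body), 0, 0, sec_rva, 0x180000000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x2000, sec_raw, 0,
                      2, 0x160, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    datadirs = struct.pack("<II", sec_rva, len(body)) + b"\0" * (8 * 15)  # export dir first
    sect = struct.pack("<8sIIIIIIHHI", b".edata", len(body), sec_rva, raw_size,
                       sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + opt + datadirs + sect).ljust(sec_raw, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0")

if __name__ == "__main__":
    print(xll_entry_points(build_fake_xll(["DllMain", "xlAutoOpen", "xlAutoClose"])))
```

Point pe_export_names at the raw bytes of an attachment and alert on any hit from xll_entry_points regardless of the file name; a C++ add-in and an Excel-DNA packed add-in both present as a native DLL with these exports at the loader level, so this check sits before any rule tied to the .xll extension.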

The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a trend that has seen a significant spike since mid-2021 and has continued into this year.

The first publicly documented malicious use of XLL is said to have occurred in 2017, when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.

Other known adversarial collectives include TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, which noted that it "may indicate a new trend in the threat landscape."

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

Malicious Microsoft Publisher macros push Ekipa RAT


Ekipa RAT, besides adopting XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.

"Just as with other Microsoft Office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing [of] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions that block macros from executing in files downloaded from the internet do not extend to Publisher, which is not among the applications covered by the change (Access, Excel, PowerPoint, Visio, and Word), making Publisher files a potential avenue for attacks.

"The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders," Trustwave researcher Wojciech Cieslak said. "The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly."
