Cisco Talos report: Threat actors use known Excel vulnerability


Microsoft Office files, especially Excel and Word files, have been targeted by cybercriminals for a very long time. Through various strategies, attackers have used embedded Visual Basic for Applications (VBA) macros to infect computers with different kinds of malware for cybercrime and cyberespionage.

In many cases, users are still required to click to give their consent before code runs inside those applications, but social engineering tricks have lured unsuspecting victims into clicking and allowing the execution of the malicious macros themselves. Direct exploitation of vulnerabilities, with no user interaction at all, is another way to introduce malware.


.XLL malicious exploitation in the wild

As revealed in new research from Cisco Talos, threat actors can use event-handling functions in Excel add-ins to launch .XLL files automatically. The most common way to achieve this is to execute the malicious code when the Excel Add-In Manager calls the xlAutoOpen or xlAutoClose functions.

Cisco Talos researchers used specific VirusTotal queries to discover malicious .XLL files and provide YARA rules to hunt for such files. They distinguished native .XLL samples built with the standard Microsoft .XLL SDK from samples created with the ExcelDNA framework, since the latter is free and tends to be the one most used by threat actors (Figure A).

Figure A

Number of submissions of .XLL files to VirusTotal. Image: Cisco Talos.

The charts above reveal that threat actors were abusing .XLL files long before Microsoft started blocking files containing VBA macros. The Cisco Talos researchers established that no potentially malicious samples were submitted until July 2017. The first .XLL payload found on the VirusTotal platform launched calc.exe, a common testing technique for penetration testers and cybercriminals alike. The second sample, submitted in the same month, launched a Meterpreter reverse shell, which may be used for penetration testing or with malicious intent.

After that activity, .XLL files appeared only sporadically, and their use did not increase until the end of 2021, when infamous malware families such as Dridex and FormBook began using them.

Which threat actors exploit .XLL files?

Numerous threat actors are now using .XLL files to infect computers.

APT10, also known as Red Apollo, menuPass, Stone Panda or Potassium, is a cyberespionage threat actor that has been operating since 2006 and is associated with the Chinese Ministry of State Security, according to the Department of Justice.

A file leveraging .XLL to inject a piece of malware unique to APT10, dubbed Anel, was discovered by the researchers in December 2017.

TA410 is another threat actor that targets U.S. utilities and diplomatic organizations and is loosely linked to APT10. It employs a toolkit that also includes an .XLL stage, found in 2020.


The DoNot team, which targets Kashmiri not-for-profit organizations and Pakistani government officials, also appeared to use this technique: an .XLL file containing two exports, the first named pdteong and the second xlAutoOpen, makes it a fully functional .XLL payload. The pdteong export name has been used exclusively by the DoNot team.

FIN7 is a cybercrime threat actor operating from Russia. In 2022, the threat actor started using .XLL files sent as attachments in malicious email campaigns. When those files are executed, they act as downloaders for the next infection stage.

The major spike in .XLL detections on VirusTotal, however, comes mainly from Dridex malware campaigns. These .XLL files are used as downloaders for the next infection stage, which is chosen from a large list of possible payloads hosted on the Discord application.

The second most common payload is FormBook, an information stealer available as a service at a cheap price online. It uses email campaigns to spread the .XLL downloader, which fetches the next infection stage: the FormBook malware itself.

A recent AgentTesla and Lokibot campaign targeting Hungary delivered .XLL files by email. The email pretended to come from Hungarian police departments (Figure B).

Figure B

Fraudulent email content in an AgentTesla campaign. Image: Cisco Talos.

The text has been translated by Cisco Talos:

“We are the VII Budapest District Police Department.

We have found out about the excellence of your company. Our center needs your quote for our 2022 budget (attached). The budget is co-financed by the Ministry of the Interior of our Hungarian government. Please send your offer by Aug. 25, 2022. Please find the attachment and let us know if you require more details.”

In addition, Ducktail, an information-stealing malware run by a Vietnam-based threat actor, makes use of .XLL. The threat actor used a file named “Information of Project Marketing Strategy and Facebook Google Ads Outcomes Report.xll” to infect its targets with the Ducktail malware.

Default Microsoft Office behavior changes for the better

To help fight infections delivered through VBA macros, Microsoft decided to change the default behavior of its Office products to block macros in files downloaded from the internet.

Office Add-Ins are pieces of executable code that can be added to Office applications to extend functionality or improve the application’s appearance. Office Add-Ins may contain VBA code or modules embedding compiled functionality as .NET bytecode. They may take the form of COM servers or of a Dynamic Link Library renamed with a specific file extension.

Add-Ins for Microsoft Word need to reside in a location defined by a registry value, which depends on the Office version. A file placed in that folder with the .WLL file extension will be loaded into the Word process space.

For Microsoft Excel, any file with the .XLL extension that is clicked by the user will automatically be opened with Excel. In either case, Excel displays a warning message about potential malware or security problems, but this is ineffective with general users, who tend to ignore such warnings.

.XLL add-ins are typically developed in C/C++ using the Microsoft Excel .XLL Software Development Kit, but some frameworks such as Add-In Express and Excel-DNA allow the use of .NET languages like C# or VB.NET.

How to protect against the .XLL security threat

The use of .XLL files is not widespread in corporate environments; organizations that do not require them should block any attempt to execute .XLL files in their environment. If your business does allow the use of .XLL files, careful monitoring of endpoints and servers is needed to detect any suspicious activity and investigate it.

Email gateways should not accept .XLL files by default, and awareness should be raised among business users. If they see a warning message from Excel about running Add-Ins and do not know why it appears, they should not allow the execution and should contact their IT or security department.
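As an added example (not Cisco Talos's tooling or YARA rules), the script below shows how a gateway or endpoint check can recognize an .XLL add-in by what the report describes: it parses the PE export table and flags any DLL exporting the xlAutoOpen/xlAutoClose entry points, singling out the DoNot-specific pdteong export, while also blocking .XLL/.WLL attachments by extension regardless of content. The sample input is a constructed minimal PE32+ image with nothing but an export table; the export names and verdict strings are this example's own choices.

```python
import struct

XLL_EXPORTS = {"xlAutoOpen", "xlAutoClose"}  # entry points the Excel Add-In Manager calls
DONOT_EXPORT = "pdteong"                      # export name the report ties to the DoNot team

def pe_export_names(data: bytes) -> set[str]:
    """Return the export names of a PE32/PE32+ image, or an empty set if it is not a PE."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if len(data) > 0x40 and data[:2] == b"MZ" else 0
    if not pe or data[pe:pe + 4] != b"PE\0\0":
        return set()
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24  # optional header; export directory entry sits at +112 (PE32+) or +96 (PE32)
    exp_rva = struct.unpack_from("<I", data, opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96))[0]
    if exp_rva == 0:
        return set()
    # Section table maps RVAs to file offsets; on disk the export table is not at its RVA.
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):
        for vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA outside every section")
    e = off(exp_rva)
    n_names, names_rva = struct.unpack_from("<I", data, e + 24)[0], struct.unpack_from("<I", data, e + 32)[0]
    names = set()
    for i in range(n_names):
        o = off(struct.unpack_from("<I", data, off(names_rva) + 4 * i)[0])
        names.add(data[o:data.index(b"\0", o)].decode())
    return names

def classify(filename: str, data: bytes) -> str:
    """Gateway-style verdict: block .XLL/.WLL by name and any DLL exporting the add-in entry points."""
    exports = pe_export_names(data)
    if filename.lower().endswith((".xll", ".wll")) or exports & XLL_EXPORTS:
        return "block:donot-pdteong" if DONOT_EXPORT in exports else "block:xll"
    return "allow"

def build_sample_pe(exports):
    """Constructed minimal PE32+ DLL carrying only an export table (test input, not a working add-in)."""
    base, n = 0x1000, len(exports)
    names = [e.encode() + b"\0" for e in exports]
    rvas = [base + 40 + 4 * n + sum(map(len, names[:i])) for i in range(n)]  # each name's RVA
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, 0, base + 40, 0)  # IMAGE_EXPORT_DIRECTORY
    body += struct.pack("<%dI" % n, *rvas) + b"".join(names)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header: one section, DLL
    hdr += struct.pack("<H", 0x20B).ljust(112, b"\0") + struct.pack("<II", base, len(body)).ljust(128, b"\0")
    hdr += b".edata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), base, len(body), base, 0, 0, 0, 0, 0x40000040)
    return hdr.ljust(base, b"\0") + body
```

Run against real attachments, the export check catches an add-in that has been renamed to .dll, which an extension-only gateway rule would miss.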


Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

