Microsoft’s decision to block Visual Basic for Applications (VBA) macros by default for Office files downloaded from the internet has led many threat actors to improvise their attack chains in recent months.
Now according to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.
Weaponized Office documents delivered via spear-phishing emails and other social engineering attacks have remained one of the widely used entry points for criminal groups looking to execute malicious code.
These documents traditionally prompt the victims to enable macros to view seemingly innocuous content, only to activate the execution of malware stealthily in the background.
To counter this misuse, the Windows maker enacted a crucial change starting in July 2022 that blocks macros in Office files attached to email messages, effectively severing a crucial attack vector.
While this blockade only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors have been experimenting with alternative infection routes to deploy malware.
One such method turns out to be XLL files, which is described by Microsoft as a “type of dynamic link library (DLL) file that can only be opened by Excel.”
“XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code,” Cisco Talos researcher Vanja Svajcer said in an analysis published last week.
The cybersecurity firm said threat actors are employing a mix of native add-ins written in C++ as well as those developed using a free tool called Excel-DNA, a phenomenon that has witnessed a significant spike since mid-2021 and continued to this year.
That said, the first publicly documented malicious use of XLL is said to have occurred in 2017 when the China-linked APT10 (aka Stone Panda) actor utilized the technique to inject its backdoor payload into memory via process hollowing.
Since then, a number of other adversarial collectives have followed its footsteps, including TA410 (an actor with links to APT10), DoNot Team, FIN7, as well as commodity malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer, and Warzone RAT.
The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously highlighted by Palo Alto Networks Unit 42, noting that it “may indicate a new trend in the threat landscape.”
“As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications,” Svajcer said.
Malicious Microsoft Publisher macros push Ekipa RAT
Ekipa RAT, besides incorporating XLL Excel add-ins, has also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to drop the remote access trojan and steal sensitive information.
“Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing [of] the file, which makes them interesting initial attack vectors from the threat actor’s point of view,” Trustwave noted.
It’s worth noting that Microsoft’s restrictions to impede macros from executing in files downloaded from the internet does not extend to Publisher files, enabling adversaries to exploit this avenue for phishing campaigns.
“The Ekipa RAT is a great example of how threat actors are continuously changing their techniques to stay ahead of the defenders,” Trustwave researcher Wojciech Cieslak said. “The creators of this malware are tracking changes in the security industry, like blocking macros from the internet by Microsoft, and shifting their tactics accordingly.”
