Microsoft Excel threats could be a major security risk to your business

By Scott Marlette Last updated Dec 21, 2022

Microsoft may have blocked macros from running by default in its Office suite of programs, but there are workarounds, researchers are saying.

Several months after the ban was introduced, one specific workaround is seeing an uptick in adoption in the cybercriminal community, according to a new report from Cisco Talos.

The team claims cybercriminals are increasingly using XLL files (as opposed to XLS and XLSX) to deliver malicious code to target endpoints (opens in new tab).

Growing in popularity

XLL files are “a type of dynamic link library (DLL) file that can only be opened by Excel”, the researchers explain. In other words, with XLL files, Microsoft Excel spreadsheets can take advantage of additional functionality coming from third-party apps.

While the weaponization of XLL files is nothing new (first samples have been reported as early as 2017, it was said), these files were rarely used until Microsoft decided to block the running of macros in files downloaded from the internet. Now, since 2021, more malware families started deploying the alternative solution.

“For quite some time after [mid-2017], the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Cisco Talos noted in the report.

“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”

Among the groups using XLL files are the Chinese threat actor APT10 (AKA Potassium), which used it to distribute the Anel Backdoor. Then there is Cicada (AKA Stone Panda, TA410) a group that’s allegedly “loosely tied” to APT10, as well as DoNot, and Fin7.

Apparently, the threat actors have been using XLL files to deliver various malware families, such as Warzone RAT, or Ducktail. Businesses are warned to expect an increasing number of such threats going forward.

Via: The Register (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.