In July 2022, Microsoft made a significant change to its Office software: it now blocks macros in Office files attached to email messages. The change was intended to counter the misuse of weaponized Office documents, which have traditionally been a widely used entry point for criminal groups seeking to execute malicious code.
These documents typically prompt victims to enable macros in order to view seemingly harmless content, which then stealthily runs malware in the background. The change applies to new versions of PowerPoint, Access, Excel, Visio, and Word, and it has recently pushed many threat actors to rework their attack patterns. Blocking VBA macros by default for Office files downloaded from the internet has been a significant change for both legitimate users and threat actors.
For legitimate users, it has meant that they must take extra steps to enable macros to use certain Office software features, which can be inconvenient and time-consuming. For threat actors, it has meant that they must find new ways to deliver their malicious payloads, as VBA macros have traditionally been a reliable and widely used method.
Increasing Use of Excel Add-in (.XLL) Files
Excel add-in (.XLL) files are being used more frequently as an initial intrusion vector by advanced persistent threat (APT) actors and malware families as a result of the blocking of VBA macros, according to Cisco Talos. According to Microsoft, XLL files are a specific kind of dynamic link library (DLL) file that only Excel can open. These files can be sent via email, and even with anti-malware scanning measures in place, users may not be aware that they may contain malicious code.
According to Cisco Talos, threat actors are using both native add-ins created using Excel-DNA, a free program, and add-ins written in C++. This trend has seen a significant increase since mid-2021 and has continued into this year.
The use of XLL files as an initial intrusion vector presents a number of advantages for threat actors. For one, XLL files are typically not detected by traditional security measures, as they are seen as a legitimate type of file that is often used for legitimate purposes. Besides, XLL files can be easily disguised as other types of files, making it difficult for users to identify them as potentially malicious.
Malicious Use of XLL Files
In 2017, the China-linked APT10 (also known as Stone Panda) actor was said to have used XLL files for the first time in a hostile manner when it used process hollowing to inject its backdoor payload into memory.
TA410 (an actor with ties to APT10), DoNot Team, FIN7, as well as common malware families like Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, etc., are other known hostile collectives that have been seen using this technique. Palo Alto Networks Unit 42 previously called attention to the misuse of the XLL file format to disseminate Agent Tesla and Dridex, stating that it “may suggest a new trend in the threat landscape.”
The malicious use of XLL files has the potential to be highly effective, as it allows threat actors to bypass traditional security measures and deliver their payloads directly to the targeted user’s computer. This can be particularly dangerous for organizations, as it allows threat actors to gain a foothold within the network and move to other systems laterally.
Microsoft Publisher Macros
It’s important to note that Publisher files are not covered by Microsoft’s restrictions on macros running in files downloaded from the internet, making them a possible avenue for attacks. The Ekipa RAT received an update in November 2022 that enables it to use Microsoft Publisher macros to drop the remote access trojan and steal private data.
Publisher files can contain macros that will run upon opening or closing the file, much like with other Microsoft Office programs like Excel or Word, according to Trustwave researchers. This makes them attractive initial attack vectors from the threat actor’s perspective. The use of Microsoft Publisher macros as an initial intrusion vector presents a number of advantages for threat actors. First, Microsoft Publisher is widely used software, meaning that there is a large potential pool of victims.
Additionally, the lack of restrictions on macros executing in Publisher files means that threat actors can easily deliver their payloads via this method. Finally, the use of Publisher macros allows threat actors to easily disguise their payloads as seemingly innocent files, making it difficult for users to identify them as potentially malicious.
It is important to note that while the use of XLL files and Publisher macros as initial intrusion vectors has been observed by cybersecurity firms, it is not necessarily a new trend. Threat actors have long been known to experiment with new techniques and technologies in order to evade security measures and successfully deliver their payloads.
Comprehensive Security Measures to Protect Against Alternate Initial Intrusion Vectors
In addition to the use of XLL files and Publisher macros, there are many other potential initial intrusion vectors that threat actors may explore. This could include the use of different types of Office files, such as Word or PowerPoint, as well as the exploitation of vulnerabilities in Office applications or operating systems.
While the use of XLL files and Publisher macros as initial intrusion vectors may present a number of advantages for threat actors, there are also potential risks associated with these techniques. For example, the use of XLL files may be more easily detected by security software that is specifically designed to identify and block this type of file, while the use of Publisher macros may be more easily identified by users who are familiar with the software and its capabilities.
To effectively defend against the use of XLL files and Publisher macros as initial intrusion vectors, it is important for organizations and individuals to implement a comprehensive security strategy that includes the use of up-to-date security software, regular patching and updates, user education and training, and robust policies and procedures for handling potentially malicious files.
The following are recommendations to protect against .XLL attacks:
- Set up your email gateway to block any incoming emails with .XLL attachments. Since .XLL files are dynamic link libraries (DLLs), several email gateways are already blocking them.
- Configure Excel to accept only add-ins from trusted publishers.
- Disable all proprietary add-ins in Excel.
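Because an XLL is a DLL and can be renamed to look like another file type, a gateway rule is stronger when it inspects the attachment's content as well as its extension. The following is an added example, not code from Cisco Talos, Microsoft or any gateway product: it parses the PE export table and flags files that export xlAutoOpen. The use of xlAutoOpen (the callback Excel invokes when it loads an add-in, per Microsoft's XLL documentation) as the marker, the function names and the sample bytes are assumptions of this example.

```python
import struct

def pe_export_names(data):
    """Exported names of a PE image; empty set if data is not a parsable PE."""
    try:
        pe, = struct.unpack_from("<I", data, 0x3C)             # e_lfanew
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return set()
        _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
        opt = pe + 24
        magic, = struct.unpack_from("<H", data, opt)
        # Data directory 0 (exports) sits at a different offset in PE32+ and PE32
        exp_rva, = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))
        # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]
        def off(rva):                                          # RVA -> file offset
            for vsize, va, rsize, raw in secs:
                if va <= rva < va + max(vsize, rsize):
                    return raw + rva - va
            raise ValueError("RVA outside all sections")
        exp = off(exp_rva)
        # NumberOfNames, AddressOfFunctions (unused), AddressOfNames
        count, _, names_rva = struct.unpack_from("<III", data, exp + 24)
        table, names = off(names_rva), set()
        for i in range(min(count, 4096)):                      # bound hostile counts
            start = off(struct.unpack_from("<I", data, table + 4 * i)[0])
            names.add(bytes(data[start:data.index(b"\0", start)]))
        return names
    except (struct.error, ValueError):                         # truncated or malformed
        return set()

def xll_verdict(filename, data):
    """Decide on content first, so a renamed add-in is still caught."""
    if b"xlAutoOpen" in pe_export_names(data):
        return "block: exports xlAutoOpen"
    if filename.lower().endswith(".xll"):
        return "block: .xll extension"
    return "allow"

def constructed_sample(export):
    """Constructed input: minimal PE32+ layout with one export, not a loadable DLL."""
    b = bytearray(0x400)
    b[0:2], b[0x40:0x44], b[0x230:0x230 + len(export)] = b"MZ", b"PE\0\0", export
    for fmt, at, *vals in [("<I", 0x3C, 0x40), ("<H", 0x46, 1), ("<HH", 0x54, 240, 0x2022),
                           ("<H", 0x58, 0x20B), ("<I", 0xC8, 0x1000),  # magic, export RVA
                           ("<IIII", 0x150, 0x200, 0x1000, 0x200, 0x200),  # section row
                           ("<I", 0x218, 1), ("<I", 0x220, 0x1028), ("<I", 0x228, 0x1030)]:
        struct.pack_into(fmt, b, at, *vals)
    return bytes(b)
```

Calling xll_verdict("invoice.xlsx", constructed_sample(b"xlAutoOpen")) returns a block verdict even though the extension looks harmless, which is the case an extension-only rule misses.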
Conclusion
The increasing use of Excel add-in (.XLL) files and the potential use of Microsoft Publisher macros as initial intrusion vectors highlight the adaptability of threat actors and their willingness to experiment with new techniques in order to evade security measures.
As more customers upgrade to new versions of Microsoft Office, threat actors are likely to keep targeting the software and to continue exploring new methods for delivering their payloads, such as using alternative file formats or exploiting vulnerabilities in Office applications. It is important for organizations and individuals to remain vigilant and implement robust security measures to protect against these types of attacks.