Cisco’s Talos Security Predict New Wave of Excel Hell

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,447
It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft's Windows OS and Office suite.

While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent. Blocking macros therefore won't deter cybercriminals from targeting Microsoft's signature productivity applications. They'll just have to find other options. A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one: XLL files in Excel. Microsoft describes XLL files as "a type of dynamic link library (DLL) file that can only be opened by Excel". They exist to let third-party apps add extra functionality to the spreadsheet. Miscreants have used XLLs in attacks for several years, with the first malicious samples submitted to VirusTotal in mid-2017.

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report. "Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow."
Users can introduce code to applications that are called Office add-ins and are meant to improve an application's performance or appearance. They can be delivered as Office documents containing VBA code or modules with compiled functionality, which can be collected .NET VSTO plugins, COM servers, or as dynamic loading libraries (DLL) with a specific filename extension. They add ins for Excel are different than with an application like Word. With Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file. Before it's loaded, Excel displays a warning about possibly dangerous code similar to one shown after an Office document that includes VBA macro code is opened. In both examples, users often tend to disregard the warning.

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
7,892
This is a serious problem for those who installed MS Office because the XLL file is a kind of DLL and Excel is abused as a LOLBin. It is a well known attack vector used several times in the past. The simplest prevention is to use SRP to block XLL or open by default with an archiving application.
The second method is very easy and can be done via the right-click Explorer context menu:
  1. Create an empty TXT file and change its extension txt ---> xll
  2. Use "Open with " option.
  3. Use "Choose another application" option.
  4. Use "More applications" option.
  5. Tick the combo "always open XLL files ....".
  6. Select the archiving application (for example 7-ZIP).
  7. Press OK.
This operation is reversible after doing the same but finally choosing the Excel application.
When using the archiving application as a default opener of XLL files, the add-ins (XLL files) can be still installed from Excel or simply by using the Explorer context menu ("Open with ..." ---> Excel).

Post corrected.
 
Last edited:

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
"Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
This will help tackle the rise of malware campaigns abusing this infection vector to an ever-growing extent during the last several years.
"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond says.
Microsoft says the new feature will reach general availability in multi-tenants worldwide in March for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
Excel XLL files are dynamic-link libraries (DLLs) used to extend the functionality of Microsoft Excel by providing additional features, such as custom functions, dialog boxes, and toolbars.
Attackers are using XLL add-ins in phishing campaigns to push various malicious payloads in the form of download links or attachments camouflaged as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
Once the target double clicks on an unsigned XLL file to open it, they will be warned of "a potential security content," that "add-ins might contain viruses or other security hazards," and prompted to enable the add-in for the current session.
If the add-in is activated (and many people ignore Office alerts without giving them a second glance), it will also deploy a malware payload on the victim's device in the background.
As XLL files are executables and attackers can use them to run malicious code on your computer, you must only open one if you're 100% sure it comes from a trusted source.
Additionally, such files are not generally sent as email attachments but instead installed by a Windows admin. Therefore, if you receive an email or any other message pushing such files, delete the message and report it as spam...."


 

vtqhtr413

Level 26
Verified
Top Poster
Well-known
Aug 17, 2017
1,409
Microsoft wants to help stop you being hit by Excel malware
The days are numbered for hackers using Excel’s XLL features to deliver malware to Microsoft customers, the company has announced. XLL files are similar to DLL files and provide the program with a number of advanced features, including custom functions and toolbars. Crooks have been using XLL files in phishing attacks, successfully delivering malware, infostealers, and possibly even ransomware in some occasions. Now, Microsoft’s first step is to prevent such files downloaded from the internet from running: "In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," the company said in an entry on its Microsoft 365 roadmap. For starters, the change will first come to multi-tenant users globally in March 2023, for Microsoft 365 desktop users with Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
 

Stopspying

Level 19
Verified
Top Poster
Well-known
Jan 21, 2018
814
"Microsoft in March will start blocking Excel XLL add-ins from the internet to shut down an increasingly popular attack vector for miscreants.
In a one-sentence note on its Microsoft 365 roadmap, the vendor said the move was in response to "the increasing number of malware attacks in recent months."
Security researchers have said that after Microsoft began blocking Visual Basic for Application (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.
In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.
"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.

"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."
Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened.
And as with VBA macros, users often will disregard the warning.
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.
"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."

 
  • Like
Reactions: oldschool

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top