- Jul 27, 2015
It took a few years and one temporary halt, but in July Microsoft finally began blocking VBA macros by default in Word, Excel, and PowerPoint files downloaded from the internet, cutting off a popular attack vector for those who target users of Microsoft's Windows OS and Office suite.
While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent. Blocking macros therefore won't deter cybercriminals from targeting Microsoft's signature productivity applications. They'll just have to find other options. A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one: XLL files in Excel. Microsoft describes XLL files as "a type of dynamic link library (DLL) file that can only be opened by Excel". They exist to let third-party apps add extra functionality to the spreadsheet. Miscreants have used XLLs in attacks for several years, with the first malicious samples submitted to VirusTotal in mid-2017.
"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report. "Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow."
Office add-ins let users and third parties bring additional code into an Office application, usually to extend its functionality or change its appearance. They can be delivered as Office documents containing VBA code, or as modules with compiled functionality: .NET VSTO plugins, COM servers, or dynamic-link libraries (DLLs) carrying an application-specific filename extension. Excel's add-ins differ from those of an application like Word in one important way: the .xll extension is registered to Excel, so when a user double-clicks a .xll file in Windows Explorer, Windows launches Excel, which attempts to load the library. Before it is loaded, Excel displays a warning about potentially dangerous code, similar to the one shown when an Office document containing VBA macro code is opened. In both cases, users often disregard the warning.
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
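Because an XLL is an ordinary Windows DLL that Excel will load as soon as it is double-clicked, a mail gateway or attachment sandbox can catch most of these lures before a user ever sees the warning dialog. The script below is an added example, not code from the article or from Talos: it flags an attachment when its final extension is .xll (including decoy names such as "invoice.pdf.xll") and, independently, when the bytes are a PE image whose COFF header carries the IMAGE_FILE_DLL flag even though the filename claims to be something else. The PE header offsets used are the documented Windows PE layout; the sample attachments, including the header-only fake PE stub, are constructed for the example and are not loadable images.

```python
"""Triage of e-mail attachments for Excel add-in (XLL) delivery.

Added example (not the article's or Talos's code). Two independent checks:
  1. filename: final extension is .xll, whatever decoy extension precedes it;
  2. content:  bytes are a PE image with the IMAGE_FILE_DLL characteristic,
               i.e. a DLL hiding behind a non-executable-looking name.
"""
import os
import struct

XLL_EXTENSION = ".xll"      # the extension Windows associates with Excel add-ins
IMAGE_FILE_DLL = 0x2000     # PE COFF header Characteristics flag marking a DLL


def is_pe_dll(data: bytes) -> bool:
    """True if `data` starts a PE image whose COFF header has IMAGE_FILE_DLL set."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    # DOS header field e_lfanew (offset 0x3C) points at the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # After the 4-byte signature comes the 20-byte COFF header; Characteristics
    # is its last 2 bytes (offset 18 into the COFF header).
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_DLL)


def has_xll_extension(name: str) -> bool:
    """True when the *last* extension is .xll; 'report.pdf.xll' still counts."""
    return os.path.splitext(name)[1].lower() == XLL_EXTENSION


def triage_attachment(name: str, data: bytes) -> str:
    """Return a verdict string for one attachment."""
    if has_xll_extension(name):
        # Excel will try to load this on double-click regardless of its contents.
        return "block: Excel add-in (.xll) attachment"
    if is_pe_dll(data):
        ext = os.path.splitext(name)[1] or "(no extension)"
        return f"block: PE DLL disguised as {ext}"
    return "allow"


def _fake_pe(dll: bool) -> bytes:
    """Constructed stand-in: only the DOS stub pointer, PE signature and COFF
    header, enough for is_pe_dll(). Not a loadable image."""
    characteristics = 0x0102 | (IMAGE_FILE_DLL if dll else 0)  # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, characteristics)
    dos = (b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    return dos + b"PE\0\0" + coff


# Constructed sample attachments for the example.
SAMPLE_ATTACHMENTS = [
    ("Q3-report.xlsx", b"PK\x03\x04" + b"\0" * 60),  # genuine OOXML zip container
    ("invoice.pdf.xll", _fake_pe(dll=True)),          # decoy extension in front of .xll
    ("statement.xlsx", _fake_pe(dll=True)),           # DLL bytes behind a spreadsheet name
    ("setup.exe", _fake_pe(dll=False)),               # PE but not a DLL: other rules apply
    ("notes.txt", b"just text"),
]


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(name, data) for name, data in attachments}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:20} {verdict}")
```

The content check matters more than the extension check: a gateway that only looks at extensions can be bypassed by naming the file .xlsx and instructing the victim to rename it, while the header check sees the DLL regardless of its name. Neither check replaces the policy fix of disabling untrusted add-ins in the Excel Trust Center, but both are cheap to add where attachments are already being inspected.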