- Jul 27, 2015
- 5,458
Cisco’s Talos security bods predict new wave of Excel Hell
Criminals have noticed that spreadsheet's XLL files add custom functionality - including malware
www.theregister.com
Cisco’s Talos Security Predict New Wave of Excel Hell
- Thread starter upnorth
- Start date
www.theregister.com
- Dec 23, 2014
- 8,626
This is a serious problem for those who installed MS Office because the XLL file is a kind of DLL and Excel is abused as a LOLBin. It is a well known attack vector used several times in the past. The simplest prevention is to use SRP to block XLL or open by default with an archiving application.
The second method is very easy and can be done via the right-click Explorer context menu:
When using the archiving application as a default opener of XLL files, the add-ins (XLL files) can be still installed from Excel or simply by using the Explorer context menu ("Open with ..." ---> Excel).
Post corrected.
The second method is very easy and can be done via the right-click Explorer context menu:
- Create an empty TXT file and change its extension txt ---> xll
- Use "Open with " option.
- Use "Choose another application" option.
- Use "More applications" option.
- Tick the combo "always open XLL files ....".
- Select the archiving application (for example 7-ZIP).
- Press OK.
When using the archiving application as a default opener of XLL files, the add-ins (XLL files) can be still installed from Excel or simply by using the Explorer context menu ("Open with ..." ---> Excel).
Post corrected.
Last edited:
- Jan 21, 2018
- 814
"Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
This will help tackle the rise of malware campaigns abusing this infection vector to an ever-growing extent during the last several years.
"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond says.
Microsoft says the new feature will reach general availability in multi-tenants worldwide in March for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
Excel XLL files are dynamic-link libraries (DLLs) used to extend the functionality of Microsoft Excel by providing additional features, such as custom functions, dialog boxes, and toolbars.
Attackers are using XLL add-ins in phishing campaigns to push various malicious payloads in the form of download links or attachments camouflaged as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
Once the target double clicks on an unsigned XLL file to open it, they will be warned of "a potential security content," that "add-ins might contain viruses or other security hazards," and prompted to enable the add-in for the current session.
If the add-in is activated (and many people ignore Office alerts without giving them a second glance), it will also deploy a malware payload on the victim's device in the background.
As XLL files are executables and attackers can use them to run malicious code on your computer, you must only open one if you're 100% sure it comes from a trusted source.
Additionally, such files are not generally sent as email attachments but instead installed by a Windows admin. Therefore, if you receive an email or any other message pushing such files, delete the message and report it as spam...."
www.bleepingcomputer.com
This will help tackle the rise of malware campaigns abusing this infection vector to an ever-growing extent during the last several years.
"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," Redmond says.
Microsoft says the new feature will reach general availability in multi-tenants worldwide in March for desktop users in the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
Excel XLL files are dynamic-link libraries (DLLs) used to extend the functionality of Microsoft Excel by providing additional features, such as custom functions, dialog boxes, and toolbars.
Attackers are using XLL add-ins in phishing campaigns to push various malicious payloads in the form of download links or attachments camouflaged as documents from trusted entities such as business partners or as fake advertising requests, holiday gift guides, and website promotions.
Once the target double clicks on an unsigned XLL file to open it, they will be warned of "a potential security content," that "add-ins might contain viruses or other security hazards," and prompted to enable the add-in for the current session.
If the add-in is activated (and many people ignore Office alerts without giving them a second glance), it will also deploy a malware payload on the victim's device in the background.
As XLL files are executables and attackers can use them to run malicious code on your computer, you must only open one if you're 100% sure it comes from a trusted source.
Additionally, such files are not generally sent as email attachments but instead installed by a Windows admin. Therefore, if you receive an email or any other message pushing such files, delete the message and report it as spam...."
Microsoft plans to kill malware delivery via Excel XLL add-ins
Microsoft is working on adding XLL add-in protection for Microsoft 365 customers by including automated blocking of all such files downloaded from the Internet.
- Aug 17, 2017
- 1,609
Microsoft wants to help stop you being hit by Excel malware
www.techradar.com
Microsoft wants to help stop you being hit by Excel malware
XLL files downloaded from the internet are getting the Microsoft ban hammer
www.techradar.com
- Apr 13, 2013
- 3,224
This has been a popular method of pushing out various RAT's. Curious that MS is interested in the Excel attack but has been silent on the newer but similar (mechanism-wise) OneNote malware.
- Jan 21, 2018
- 814
"Microsoft in March will start blocking Excel XLL add-ins from the internet to shut down an increasingly popular attack vector for miscreants.
In a one-sentence note on its Microsoft 365 roadmap, the vendor said the move was in response to "the increasing number of malware attacks in recent months."
Security researchers have said that after Microsoft began blocking Visual Basic for Application (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.
In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.
"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.
That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.
"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."
Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened.
And as with VBA macros, users often will disregard the warning.
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.
"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."
www.theregister.com
In a one-sentence note on its Microsoft 365 roadmap, the vendor said the move was in response to "the increasing number of malware attacks in recent months."
Security researchers have said that after Microsoft began blocking Visual Basic for Application (VBA) macros by default in Word, Excel, and PowerPoint in July 2022 to cut off a popular attack avenue, threat groups began using other options, such as LNK files and ISO and RAR attachments.
In December, Cisco's Talos threat intelligence group detailed another tool that cybercriminals were targeting: Excel XLL files. The Talos researchers not only broke down how the crooks use the XLL files but detailed a sharp increase in their use since Microsoft shut the VBA macros door, noting that the first malicious samples were submitted to VirusTotal in 2017.
"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.
That shouldn't come as a surprise, Dave Storie, adversarial collaboration engineer at LARES Consulting, told The Register.
"When organizations like Microsoft reduce the attack surface or otherwise increase the effort required to execute an attack on their product offerings, it forces threat actors to explore alternate avenues," Storie said. "This often leads to exploring previously known, perhaps less ideal, options for threat actors to achieve their objectives."
Even before this year, some researchers were seeing miscreants make their way to XLL files. Researchers with HP's Wolf Security said that in Q4 2021, there was a 588 percent year-over-year jump in attackers using the files to compromise systems, adding that they expected the trend to continue in 2022, though it was unclear at the time if Excel add-ins would replace Office macros as the cyber-weapon of choice.
XLL files are a type of DLL file that are only opened in Excel and enable third-party applications to add more functionality to spreadsheets. In Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file, triggering Excel to display a warning about possible dangerous code, similar to that shown when an Office document containing VBA macro code is opened.
And as with VBA macros, users often will disregard the warning.
"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.
Andrew Barratt, vice president at Coalfire, told The Register that reducing the number of dialog boxes which users have to deal with – and that cybercriminals know will be ignored by many – is a win for security teams.
"To steal a typical infosec buzzword, the best way to think of these are like 'next-gen' macro attacks," Barratt said. "As with many of these types of attacks, the best position for the software to take is to disable the capability and have a prompt-and-alert process. The challenge is that over time we see the 'are you sure, you're sure' fatigue set in."
Microsoft to block Excel XLL files from the internet
More of them used by baddies since Redmond blocked VBA macros
www.theregister.com
Similar threads
