Cisco’s Talos security bods predict new wave of Excel Hell
2022-12-21 00:08

A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected XLL files in Excel.

Microsoft describes XLL files as "a type of dynamic link library file that can only be opened by Excel".

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.

Native XLL add-ins are written in C++, created via the Excel XLL SDK and include an xlAutoOpen exported function.

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," he wrote.
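
As an added example (not code from the Talos report or from The Register), the following Python reads a file's PE export table and flags any file that exports the xlAutoOpen function mentioned above, whatever its extension. The function names, the 4096-name cap and the sample image produced by build_sample are assumptions made for this example.

```python
import struct
# Added example: function names and the sample image are hypothetical.
def pe_export_names(data, max_names=4096):
    """Exported symbol names of a PE image; [] if not a parsable PE."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        # Data directory 0 (exports) sits at +96 in PE32, +112 in PE32+.
        exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
        secs = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                for i in range(nsec)]  # (vsize, va, rawsize, rawptr)
        def off(rva):  # map an RVA to a file offset via the section table
            for vsize, va, rsize, rptr in secs:
                if va <= rva < va + max(vsize, rsize):
                    return rva - va + rptr
            raise ValueError("RVA outside all sections")
        count, names_rva = struct.unpack_from("<I4xI", data, off(exp_rva) + 24)
        table, names = off(names_rva), []
        for i in range(min(count, max_names)):  # cap guards against hostile counts
            p = off(struct.unpack_from("<I", data, table + 4 * i)[0])
            names.append(data[p:data.index(b"\0", p)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):
        return []  # truncated or malformed image

def looks_like_xll(data):
    return "xlAutoOpen" in pe_export_names(data)

def build_sample(names):
    """Constructed minimal PE32 DLL image holding only an export-name table."""
    hdr, sec = bytearray(0x200), bytearray(0x200)
    hdr[0:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    struct.pack_into("<HH12xHH", hdr, 0x44, 0x14C, 1, 0xE0, 0x2102)
    struct.pack_into("<H", hdr, 0x58, 0x10B)
    struct.pack_into("<II", hdr, 0x58 + 96, 0x1000, 0x200)
    struct.pack_into("<8s4I", hdr, 0x138, b".rdata", 0x200, 0x1000, 0x200, 0x200)
    struct.pack_into("<I4xI", sec, 24, len(names), 0x1028)
    pos = 0x28 + 4 * len(names)
    for i, n in enumerate(names):
        struct.pack_into("<I", sec, 0x28 + 4 * i, 0x1000 + pos)
        sec[pos:pos + len(n) + 1] = n.encode() + b"\0"
        pos += len(n) + 1
    return bytes(hdr + sec)
```

The export identifies a file as an XLL add-in, not as malicious; legitimate add-ins carry it too, so a hit is a reason to route the attachment for closer inspection.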


News URL

https://go.theregister.com/feed/www.theregister.com/2022/12/21/microsoft_talos_excel_xll_threats/