APT Hackers Turn to Malicious Excel Add-ins as Initial Intrusion Vector
2022-12-28 07:12

According to Cisco Talos, advanced persistent threat actors and commodity malware families alike are increasingly using Excel add-in files as an initial intrusion vector.

One such method turns out to be XLL files, which Microsoft describes as a "type of dynamic link library file that can only be opened by Excel."

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," Svajcer said.

"Just as with other Microsoft office products, like Excel or Word, Publisher files can contain macros that will execute upon the opening or closing [of] the file, which makes them interesting initial attack vectors from the threat actor's point of view," Trustwave noted.

It's worth noting that Microsoft's restrictions that impede macros from executing in files downloaded from the internet do not extend to Publisher files, enabling adversaries to exploit this avenue for phishing campaigns.


News URL

https://thehackernews.com/2022/12/apt-hackers-turn-to-malicious-excel-add.html