Cybercrooks amp up attacks via macro-enabled XLL files
2023-11-01 14:45

Xlam files are now the seventh most commonly abused file extension as of Q3 2023, rising 35 places from 42nd on the list in Q2. XLL attacks aren't new, and researchers observed a lull in exploits at the start of 2023, but they have drawn a surge of attention in the past few months.

XLL files offer attackers greater capabilities compared to alternatives like Visual Basic for Applications macros, which are now blocked by default courtesy of Microsoft's 2022 intervention, a move that was seen at the time as long overdue.

The latest finding is another example of how attackers continue to evolve their tactics to leverage seemingly benign Microsoft Office documents to distribute malware.

Since Microsoft announced it would block VBA macros by default, then briefly backtracked before blocking them again, attackers have been experimenting with different file types to launch their malware attacks.

Attackers demonstrated that they could bypass the XLL block earlier this year, during a Parallax remote access trojan campaign in July.

Masquerading as scanned invoices, the XLL attachments sent to users are thought to have come from compromised email accounts, meaning the location of the XLL would likely have been considered "Trusted," therefore bypassing many of the default security measures against the file type.


News URL

https://go.theregister.com/feed/www.theregister.com/2023/11/01/xll_macro_attack_surge/