Security News
According to Cisco Talos, advanced persistent threat actors and commodity malware families alike are increasingly using Excel add-in files as an initial intrusion vector. One such file type is the XLL file, which Microsoft describes as a "type of dynamic link library file that can only be opened by Excel."
Microsoft Office files, particularly Excel and Word files, have been abused by cybercriminals for a long time. As exposed in new research from Cisco Talos, threat actors might leverage event handling functions in Excel files so that their code launches automatically.
A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one such vector: XLL files in Excel. Microsoft describes XLL files as "a type of dynamic link library file that can only be opened by Excel".
Researchers report a new version of the JSSLoader remote access trojan being distributed via malicious Microsoft Excel add-ins. The latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.
The infamous Emotet malware has switched tactics yet again, in an email campaign propagating through malicious Excel files, researchers have found. "Emotet's new attack chain reveals multiple stages with different file types and obfuscated script before arriving at the final Emotet payload," Unit 42 researchers Saqib Khanzada, Tyler Halfpop, Micah Yates and Brad Duncan wrote.
The HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks. There was a huge six-fold increase in attackers using malicious Microsoft Excel add-in files to infect systems compared to last quarter - a technique found to be particularly dangerous as it only requires one click to run the malware.
Microsoft has announced that Excel 4.0 macros will now be disabled by default to protect customers from malicious documents. Starting July 2021, Windows admins could also use group policies, and users the 'Enable XLM macros when VBA macros are enabled' setting from the Excel Trust Center, to disable this feature manually.
Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware. In some phishing lures seen by BleepingComputer, the threat actors have created fake websites to host the malicious Excel XLL files used to install the malware.
During this month's Patch Tuesday, Microsoft has patched an Excel zero-day vulnerability exploited in the wild by threat actors. Microsoft also patched a second Excel security flaw used during the Tianfu Cup hacking contest last month, a remote code execution bug tracked as CVE-2021-40442 and exploitable by unauthenticated attackers.
Microsoft has released security updates as part of its monthly Patch Tuesday release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system. The most critical of the flaws are CVE-2021-42321, a post-authentication remote code execution flaw in Microsoft Exchange Server, and CVE-2021-42292, a security bypass vulnerability impacting Microsoft Excel versions 2013-2021.