In July 2022, Microsoft made an important change to its Office software that blocks macros in Office files attached to email messages. Because this block only applies to recent versions of Access, Excel, PowerPoint, Visio, and Word, threat actors, APT groups included, have been exploring other routes to deliver their malware.
According to Cisco Talos, advanced persistent threat (APT) actors and commodity malware families alike are increasingly using Excel add-in (.XLL) files as an initial intrusion vector.
The cybersecurity firm said these actors are employing a mix of native add-ins written in C++ and add-ins built with a free tool called Excel-DNA, a trend that has spiked significantly since mid-2021 and has continued into this year, when one of the APTs, the China-linked group tracked as APT10 (also known as Stone Panda), used the technique to inject its backdoor payloads into memory via a technique called “process hollowing”.
Use of Excel Add-ins
The use of XLL files as an initial intrusion vector offers threat actors several advantages. XLL files can be easily disguised as other file types, making it difficult for users to identify them as potentially malicious.
In addition to XLL files and Publisher macros, there are many other potential initial intrusion vectors that threat actors may explore, including other Office file types such as Word or PowerPoint documents, as well as the exploitation of vulnerabilities in Office applications or operating systems.
Recommendations to protect against .XLL attacks:
- Configure your email gateway to block incoming emails with .XLL attachments. Since .XLL files are dynamic link libraries (DLLs), several email gateways already block them.
- Configure Excel to accept only add-ins from trusted publishers.
- Disable all proprietary add-ins in Excel.
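The mitigations above depend on recognising an XLL even when it arrives under a different extension. The following is an added Python example of a gateway-style attachment check; it is mine, not Cisco Talos's or this article's code. It assumes the entry-point names Excel looks up when loading an XLL (xlAutoOpen is mandatory; xlAutoClose, xlAutoAdd and xlAutoRemove are optional), and as a simplification it searches the raw bytes for those names instead of parsing the PE export table. The sample attachments are constructed inline and are not real samples.

```python
import struct
from dataclasses import dataclass

# Entry points Excel resolves when it loads an XLL (from the XLL SDK).
# A real XLL must export xlAutoOpen; the others are optional.
XLL_EXPORTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAutoAdd", b"xlAutoRemove")


@dataclass
class Attachment:
    name: str
    data: bytes


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature.

    An XLL is a DLL, so whatever its extension it will look like this.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def xll_export_hints(data: bytes) -> list:
    """Return the XLL entry-point names present in the image bytes.

    Simplification (assumption): a raw byte search, not an export-table parse.
    """
    return [name.decode() for name in XLL_EXPORTS if name in data]


def classify(att: Attachment) -> str:
    """Decide what a gateway should do with one attachment."""
    ext = att.name.lower().rsplit(".", 1)[-1] if "." in att.name else ""
    pe = is_pe_image(att.data)
    hints = xll_export_hints(att.data)
    if ext == "xll":
        return "block: .xll extension"
    if pe and hints:
        return f"block: PE image exporting {', '.join(hints)} disguised as .{ext or '<none>'}"
    if pe:
        return f"quarantine: executable image disguised as .{ext or '<none>'}"
    return "allow"


def scan(attachments: list) -> list:
    """Classify every attachment and return (name, verdict) pairs."""
    return [(a.name, classify(a)) for a in attachments]


def fake_pe(extra: bytes = b"") -> bytes:
    """Build a minimal constructed PE-like blob: MZ stub, e_lfanew -> 'PE\\0\\0'."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)          # e_lfanew points just past the stub
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20 + extra


# Constructed sample attachments (not real malware).
SAMPLES = [
    Attachment("report.xll", fake_pe(b"xlAutoOpen\0")),
    Attachment("invoice.pdf", fake_pe(b"xlAutoOpen\0xlAutoClose\0")),   # XLL renamed to .pdf
    Attachment("setup.dat", fake_pe()),                                 # DLL/EXE with no XLL hints
    Attachment("notes.txt", b"just some text"),
]

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES):
        print(f"{name:12s} -> {verdict}")
```

The extension rule alone covers the first recommendation; the header and export-name checks are what catch an XLL that has been renamed, which is the case the article warns about. In production the byte search would be replaced by a real PE export-table walk and the hashes below would be matched alongside it.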
IOCs: Excel Add-in
fdfdfc8878f39424920d469bcd05060a6f7c95794aaa2422941913553d3dd01f – Meterpreter
a5d46912f0767ae30bc169a85c5bcb309d93c3802a2e32e04165fa25740afac1 – Anel
9dd2425c1a40b8899b2a4ac0a85b047bede642c5dfd3b5a2a2f066a853b49e2d – TA410
d8286133d3d21b7e2b83a6c071147b8ef993e963ad6bdb0f95d665869557a444 – Donot sample
7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08 – FIN7
f2c5327b7bf88c65d0552d8664aca2ac542c8d37ae19582ba56690f1df420b53 – Dridex downloader
55228eec31193a900e8216ab245391f1e40feb742d780caa91fdb1000d8434c2 – Formbook downloader
f5c27b7bdea3861a9414a0dc6b08556ea50423d63297e08eedff69ae9c240cae – Warzone, Lokibot downloader
d7c3dd8bc55649b2a77dc921e70f5f208946f64aedfdaabd7b02a247669a73aa – Ducktail dropper/downloader