XLL Files Used to Deliver Malware



Attackers are using XLL files to embed malicious code in Office documents, according to researchers at Cisco Talos. Microsoft is phasing out the ability to execute VBA macros in Office documents. These macros have been one of the most popular ways to deliver malware, so attackers are turning to new ways to smuggle malicious code.

“Add-ins are simply pieces of executable code, in various formats and capabilities, that can be added to Office applications in order to enhance the application’s appearance or functionality,” the researchers write. “Add-ins may come in the form of specific Office documents containing VBA code or modules containing compiled functionality, whether the compiled functionality is contained in .NET bytecode (VSTO plugins), in the form of COM servers or in the form of dynamic loading libraries (DLL) renamed with a specific filename extension.”

If a user opens an XLL file, the system will automatically launch Excel, although users will see a security warning before the malicious code is allowed to execute.

“Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included,” the researchers write. “This is a similar approach to the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened. Unfortunately, this protection technique is often ineffective as a protection against the malicious code as many users tend to disregard the warning.”
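Because the Excel warning is the last line of defense and is routinely clicked through, a mail or file-share gateway can triage .xll attachments before they reach a user by treating them as what they are: native DLLs. The following added example (not code from the Talos research or from this post) parses the PE header of a file carrying an .xll extension and checks for the standard Excel add-in entry-point names xlAutoOpen/xlAutoClose, which the post does not mention; the sample byte strings are constructed for the demonstration and are not loadable DLLs.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag: image is a DLL
# Export names Excel calls when an XLL add-in is loaded/unloaded (Excel SDK)
XLL_ENTRY_POINTS = (b"xlAutoOpen", b"xlAutoClose")


def classify_xll(data: bytes) -> dict:
    """Triage bytes delivered with an .xll extension.

    Returns whether the bytes are a PE image, whether that PE is flagged as
    a DLL, and whether an XLL entry-point name appears anywhere in the file.
    """
    result = {"is_pe": False, "is_dll": False, "has_xll_entry": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result  # no DOS header: not a PE, so not a real add-in
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return result
    result["is_pe"] = True
    # COFF header follows the signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2)  -> Characteristics at +22
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    result["has_xll_entry"] = any(name in data for name in XLL_ENTRY_POINTS)
    return result


def build_sample(characteristics: int, with_entry: bool) -> bytes:
    """Construct a minimal PE-shaped blob for testing (constructed, not loadable)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew=0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, characteristics)
    body = b"PE\0\0" + coff
    if with_entry:
        body += b"\0" * 8 + b"xlAutoOpen\0"  # fake export-name string
    return dos + body


if __name__ == "__main__":
    samples = [
        ("xll-like DLL", build_sample(0x2022, True)),
        ("plain EXE renamed to .xll", build_sample(0x0022, False)),
        ("zip/OOXML bytes, not a PE", b"PK\x03\x04" + b"\0" * 64),
    ]
    for label, blob in samples:
        print(f"{label}: {classify_xll(blob)}")
```

A genuine spreadsheet (OOXML is a zip, legacy XLS is an OLE compound file) never starts with an MZ header, so any .xll that parses as a PE DLL deserves quarantine or sandbox detonation rather than delivery.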

Nation-state actors and sophisticated criminal groups have been using XLL files for several years, and the technique is growing in popularity.

“Even if XLL add-ins existed for some time, we were not able to detect their usage by malicious actors until mid-2017 when some APT groups started using them to implement a fully functional backdoor,” the researchers write. “We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector. As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications.”

New-school security awareness training can enable your employees to thwart evolving social engineering tactics.

Cisco Talos has the story.

