The landscape of cyber threats is ever-evolving. As organizations become more vigilant and enhance their defense mechanisms, threat actors adapt and innovate, constantly seeking new ways to breach systems. One such adaptation has emerged in the wake of Microsoft’s decision to block Visual Basic for Applications (VBA) macros in Office files downloaded from the internet. This move was a response to the widespread misuse of macros as a popular intrusion vector. However, it has inadvertently triggered a shift in the tactics employed by advanced persistent threat (APT) actors.
As reported by cybersecurity firm Cisco Talos, both APT actors and commodity malware families are now increasingly utilizing Excel add-in (.XLL) files as an initial intrusion vector. These add-ins, while useful for legitimate Excel users, have become an avenue for malicious code execution. This shift in attack vectors underscores the ongoing cat-and-mouse game between cybersecurity professionals and threat actors. Let’s delve deeper into this phenomenon and understand its implications.
The Shift from Macros to Excel Add-ins
Understanding the Shift
Microsoft’s blocking of macros was aimed at one of the most prevalent methods used by cybercriminals: weaponized Office documents delivered via spear-phishing emails. These documents would prompt victims to enable macros in order to view the content, and enabling them in reality triggered the stealthy execution of malware. With this crucial attack vector effectively blocked, bad actors have begun experimenting with alternative infection routes, and Excel add-ins, or XLL files, have emerged as a popular choice.
The Threat of XLL Files
Microsoft describes XLL files as a type of dynamic link library (DLL) that can only be opened by Excel. Users can receive these files via email and, despite anti-malware scanning measures, may open them unaware that the file carries native code rather than spreadsheet data. The threat posed by these files is significant. Cybercriminals are employing a mix of native add-ins written in C++ and add-ins developed with Excel-DNA, a legitimate free .NET framework for building Excel add-ins.
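Because an XLL is a DLL, a mail gateway or attachment scanner does not have to trust the file extension: it can check for the Windows PE signature and for the entry-point names that Excel resolves when it loads an add-in. The following Python triage function is an added example written for this article, not code from Cisco Talos or Microsoft. It assumes the Excel SDK export names xlAutoOpen, xlAutoClose and xlAddInManagerInfo as the add-in entry points, uses a substring search over the export-name strings as a cheap heuristic instead of a full PE export-table parser, and runs against a constructed stand-in file rather than a real add-in.

```python
import struct

# Export names that Excel looks up when it loads an XLL add-in (Excel SDK names).
XLL_ENTRY_POINTS = (b"xlAutoOpen", b"xlAutoClose", b"xlAddInManagerInfo")


def is_pe_image(data: bytes) -> bool:
    """True if the bytes start with a DOS "MZ" header whose e_lfanew points at "PE\\0\\0"."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def has_xll_entry_points(data: bytes) -> bool:
    """Heuristic: PE export names are stored as ASCII, so a substring hit is a strong
    indicator that this DLL was built as an Excel add-in (assumption: no full PE parse)."""
    return any(name in data for name in XLL_ENTRY_POINTS)


def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return reasons to quarantine or inspect the attachment; an empty list means no finding."""
    findings = []
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    pe = is_pe_image(data)
    if pe:
        findings.append("pe-image")            # executable code, whatever the name says
    if ext == "xll":
        findings.append("xll-extension")       # Excel will try to load it as an add-in
    if pe and ext not in ("exe", "dll", "xll"):
        findings.append("extension-mismatch")  # PE hiding behind a document extension
    if pe and has_xll_entry_points(data):
        findings.append("xll-entry-points")    # DLL exports the Excel add-in entry points
    return findings


def build_sample_xll() -> bytes:
    """Constructed stand-in for an XLL: only the DOS/PE signatures and two export-name
    strings are present, which is enough to exercise the checks. Not a real add-in."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(header) + b"PE\0\0" + b"\0" * 32 + b"xlAutoOpen\0xlAutoClose\0"


if __name__ == "__main__":
    # Constructed sample attachments: an add-in with its real extension, the same
    # bytes renamed to look like a workbook, and a genuine OOXML (zip) header.
    samples = {
        "quarterly_model.xll": build_sample_xll(),
        "quarterly_model.xlsx": build_sample_xll(),
        "quarterly_model_real.xlsx": b"PK\x03\x04" + b"\0" * 64,
    }
    for name, blob in samples.items():
        print(name, "->", triage_attachment(name, blob) or ["no finding"])
```

The extension-mismatch and entry-point checks matter more than the extension check alone: an attacker controls the filename, but a DLL that Excel can load must still be a PE image and must still export the add-in entry points, so those properties are what the scanner should key on.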
History and Growing Popularity
While the usage of XLL files as an intrusion vector may seem like a new development, it’s been around for quite some time. The first documented malicious use of XLL dates back to 2017 when the China-linked APT10 group used it to inject a backdoor payload into memory. Since then, a number of other adversarial groups have followed suit, including TA410, DoNot Team, and FIN7. The use of XLL files to distribute malware like Agent Tesla and Dridex has seen a significant increase.
Future Trends and Vulnerabilities
Anticipating New Threats
As more users adopt newer versions of Microsoft Office, it is likely that threat actors will shift from VBA-based malicious documents to other formats like XLLs. They may also increasingly look to exploit newly discovered vulnerabilities to launch malicious code in the process space of Office applications. This shift in tactics underscores the adaptability of threat actors in response to changing cybersecurity measures.
The Case of Ekipa RAT
One example of malware that has adapted its approach is Ekipa RAT. This remote access trojan started using XLL Excel add-ins, and in late 2022 it began leveraging Microsoft Publisher macros to infiltrate systems and steal sensitive information. Publisher files can contain macros that execute when the file is opened or closed, making them a viable attack vector.
The Risks with Publisher Files
It’s worth noting that Microsoft’s restriction on macros executing in files downloaded from the internet does not extend to Publisher files. This gap provides adversaries with another avenue to exploit in their phishing campaigns. The adaptability demonstrated by the Ekipa RAT creators suggests that malware developers closely track changes in the security industry and adjust their tactics accordingly.
Conclusion
The emergence of malicious Excel add-ins as an initial intrusion vector is a stark reminder of the constant evolution of threats. Microsoft’s blocking of macros in Office files, while a necessary and effective measure, has led to an increase in the misuse of other file types. This dynamic calls for continuous vigilance, robust threat intelligence, and proactive defenses on the part of organizations.
Despite the sophistication of these attacks, awareness and preparedness remain crucial deterrents. End users must be educated about the risks associated with different file types, and organizations should ensure robust scanning of all incoming files. Additionally, restrictions on macros should be extended to include other Microsoft Office files to curb these novel attack vectors.
Ultimately, the use of Excel add-ins for malicious purposes underlines the adaptability and tenacity of threat actors. In response, the cybersecurity community must not only keep pace but stay one step ahead to anticipate and counter emerging threats.