
Cisco Talos reports that, since Microsoft began blocking Visual Basic for Applications (VBA) macros by default in Office files downloaded from the internet, attackers have increasingly turned to Excel add-in (.XLL) files as an initial access vector.

Attackers routinely deliver weaponised Office documents through spear-phishing emails and other social-engineering lures, prompting the recipient to enable macros in order to view seemingly harmless content. In reality, enabling them silently launches the malware in the background.

In July 2022, Microsoft resumed rolling out the change that blocks VBA macros by default in Office files obtained from the internet, including email attachments that carry the Mark of the Web, closing off a significant attack vector.

But malicious individuals are already experimenting with different infection pathways, such as XLL files.

“XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code,” Vanja Svajcer, a researcher at Cisco Talos, stated in a report released last week.

According to Talos, threat actors use both native add-ins written in C++ and add-ins built with the Excel-DNA framework for .NET, and the use of both has expanded sharply since mid-2021.
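Whether written in C++ or built with Excel-DNA, an XLL is a Windows DLL that Excel loads by calling its exported xlAutoOpen function, so that export is a reliable triage signal regardless of the extension the file carries. The following Python script is an added example, not Cisco Talos's code: it parses a PE file's export directory with the standard library only, flags files exporting the XLL SDK entry points, and notes when the extension disagrees with what the export table says. The function names, the build_sample_xll test-data generator and the constructed sample image are this example's own assumptions.

```python
"""Triage Excel add-in (XLL) payloads by their PE export table.

Excel loads an XLL by calling its exported xlAutoOpen, so a DLL exporting that
symbol is an XLL whatever extension it carries. Added example, not Talos's code.
"""
import struct

# Entry points defined by Microsoft's Excel XLL SDK.
XLL_EXPORTS = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo12",
}


def _rva_to_offset(rva, sections):
    """Map a relative virtual address onto a file offset via the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is outside every section" % rva)


def pe_exports(data):
    """Return the names in a PE32/PE32+ file's export directory, in table order."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic, = struct.unpack_from("<H", data, opt)
    # Data directories start at +96 (PE32) or +112 (PE32+); entry 0 is exports.
    exp_rva, _ = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if exp_rva == 0:
        return []
    sections = []
    for i in range(nsect):                                # IMAGE_SECTION_HEADER[]
        s = opt + opt_size + 40 * i
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(exp_rva, sections)               # IMAGE_EXPORT_DIRECTORY
    nnames, = struct.unpack_from("<I", data, exp + 24)    # NumberOfNames
    names_rva, = struct.unpack_from("<I", data, exp + 32) # AddressOfNames
    names_off = _rva_to_offset(names_rva, sections)
    names = []
    for i in range(nnames):
        name_rva, = struct.unpack_from("<I", data, names_off + 4 * i)
        off = _rva_to_offset(name_rva, sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return names


def triage(filename, data):
    """Flag a file as an XLL if it exports xlAutoOpen, and note when the
    extension disagrees (an XLL renamed .dll or .dat to slip past filters)."""
    try:
        exports = set(pe_exports(data))
    except (ValueError, struct.error, IndexError):
        return {"is_pe": False, "is_xll": False, "xll_exports": [], "extension_mismatch": False}
    is_xll = "xlAutoOpen" in exports
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {"is_pe": True, "is_xll": is_xll,
            "xll_exports": sorted(exports & XLL_EXPORTS),
            "extension_mismatch": is_xll and ext != "xll"}


def build_sample_xll(export_names, dll_name=b"sample.xll"):
    """Construct a minimal PE32+ DLL whose only content is an export table naming
    export_names. Constructed test data: it holds no code and cannot be loaded by
    Excel; it only exercises the parser offline."""
    n = len(export_names)
    sec_rva, sec_off = 0x1000, 0x200
    funcs_rva = sec_rva + 40                              # after the 40-byte directory
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    blob, name_rvas = bytearray(dll_name + b"\0"), []
    for nm in export_names:
        name_rvas.append(strings_rva + len(blob))
        blob += nm.encode("ascii") + b"\0"
    section = bytearray(struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, strings_rva, 1,
                                    n, n, funcs_rva, names_rva, ords_rva))
    section += struct.pack("<%dI" % n, *([0] * n))        # AddressOfFunctions (dummy)
    section += struct.pack("<%dI" % n, *name_rvas)        # AddressOfNames
    section += struct.pack("<%dH" % n, *range(n))         # AddressOfNameOrdinals
    section += blob
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)               # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                  # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112, sec_rva, 40)        # export data directory
    hdr += opt + b".edata\0\0" + struct.pack("<IIIIIIHHI", len(section), sec_rva,
                                                len(section), sec_off, 0, 0, 0, 0, 0x40000040)
    hdr += b"\0" * (sec_off - len(hdr))
    return bytes(hdr + section)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, triage(path, f.read()))
```

Run it against quarantined attachments (`python xll_triage.py *.dll *.xll`); anything reporting `is_xll` with `extension_mismatch` deserves a closer look, since a legitimate add-in has no reason to hide its type. The check is deliberately based on the export table rather than the extension or a content-type header, because those are what an attacker controls.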

The first known malicious use of XLL files dates to 2017, when the China-linked APT10 group deployed an add-in that used process hollowing to inject its backdoor payload into memory.

“As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications,” Svajcer stated.

Defenders should stay alert: threat actors closely track developments in the security industry and keep adapting their tactics and techniques to evade the controls that follow.
