Posted on December 29, 2022 at 3:15 PM
In recent months, threat actors have changed the manner in which they conduct attacks on Microsoft Office applications. These attacks have been fuelled by Microsoft’s action to block Visual Basic for Applications (VBA) macros by default in Office files that have been downloaded from the internet. The attackers have now switched to using Excel add-ins as an initial intrusion vector.
APT hackers use Excel add-ins as an initial intrusion vector
A report published by Cisco Labs noted that advanced persistent threat (APT) actors and malware hackers were using Excel add-in files (.XLL) as an initial intrusion vector when conducting malware campaigns.
The Excel documents that were weaponized by the threat actors were sent to the targets through spear-phishing emails and other social engineering tactics. This remains one of the most popular tactics used by threat actors to access a target’s devices and execute malicious code.
The Office documents weaponized by the attackers prompt the victims to run macros in order to access content that does not appear harmful. However, accessing this content triggers execution of the malware on the victim’s device. The hackers have configured the malware to operate stealthily without being detected.
To counter such malicious attacks, Microsoft rolled out a critical change that commenced in July this year. Through this change, Microsoft blocks macros contained in Microsoft Office files that have been sent through email messages. This severs the attack vector of the hackers.
The blocking feature applies to the newer versions of Microsoft Office applications such as Word, Excel, Access, PowerPoint, and Visio. Threat actors have since been looking for ways around the blocking feature by seeking new infection routes that can be used to deploy the malware.
One of the methods that the hackers are exploring is using XLL files. Microsoft has described these files as a “type of dynamic link library (DLL) file that can only be opened by Excel.” According to the researchers at Cisco Labs, these files can be opened by the victim without them knowing that they are malicious.
Vanja Svajcer, a researcher at Cisco Labs, said that “XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code.”
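Because an XLL is a DLL that Excel loads, a mail gateway can check attachment bytes rather than trusting the file name. The following is an added example (not code from Cisco Labs or the article) that parses the DOS and COFF headers to flag .xll attachments and PE DLL images hiding under other extensions; the attachments and PE headers are constructed here for testing.

```python
import struct
from dataclasses import dataclass

IMAGE_FILE_DLL = 0x2000  # COFF Characteristics flag set on DLL images


@dataclass
class Finding:
    name: str
    is_pe: bool
    is_dll: bool
    verdict: str


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # Characteristics sits 22 bytes past the signature (after Machine,
    # NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols and SizeOfOptionalHeader).
    (characteristics,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return characteristics


def triage_attachment(name: str, data: bytes) -> Finding:
    """Decide how a gateway should treat one attachment (hypothetical policy)."""
    chars = pe_characteristics(data)
    is_pe = chars is not None
    is_dll = is_pe and bool(chars & IMAGE_FILE_DLL)
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    if ext == "xll":
        verdict = "block: Excel add-in (XLL) attachment"
    elif is_dll:
        verdict = "block: PE DLL image under a non-.xll name"
    elif is_pe:
        verdict = "review: PE executable attachment"
    else:
        verdict = "allow"
    return Finding(name, is_pe, is_dll, verdict)


def make_fake_pe(dll: bool) -> bytes:
    """Constructed minimal MZ/PE header (not a real add-in) for offline tests."""
    e_lfanew = 0x40
    hdr = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0,
                       IMAGE_FILE_DLL if dll else 0x0002)
    return bytes(hdr) + b"PE\0\0" + coff
```

Run `triage_attachment` over each decoded MIME part; the second branch catches an XLL that a sender renamed to look like a workbook.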
The analysis conducted by Cisco Labs last week further noted that the threat actors were using multiple add-ins programmed in C++. Some of the add-ins were also created using a tool known as Excel-DNA. The tool has seen a notable increase in usage since mid-2021, and the number of users has continued to grow this year.
The first documented instance of XLL files being used maliciously was in 2017. At the time, APT10, a threat actor group based in China, used the technique to launch a backdoor into memory. TA410, which has close ties to APT10, has also used the technique. Malware families such as Agent Tesla, Arkei, Buer and Ducktail, among others, have also used this attack strategy.
Svajcer further noted that as the adoption of new versions of Microsoft Office grows, threat actors are more likely to turn away from VBA-based malicious documents to other formats such as XLLs, or to use exploits for newly discovered vulnerabilities in Office applications to execute malicious code.
Microsoft Publisher macros use Ekipa RAT
Ekipa RAT received an update in November 2022 allowing it to leverage Microsoft Publisher macros and drop the remote access trojan to access sensitive details. Ekipa has also been linked to the latest technique of using XLL Excel add-ins to run malicious campaigns.
A report by Trustwave noted that Excel was not the only Microsoft Office application that was vulnerable to such abuse. Trustwave noted that, as with Excel and Word, Publisher files can contain macros that execute commands once the file is opened or closed. This makes such files ideal initial attack vectors for a threat actor.
Microsoft has put restrictions in place to prevent macros from running in files that have been downloaded from the internet. However, these restrictions do not apply to Publisher files, allowing threat actors to use this technique to conduct phishing campaigns.
Wojciech Cieslak, a researcher from Trustwave, noted that the Ekipa RAT illustrates how hackers change their attack techniques to stay ahead of, and avoid being detected and blocked by, the defense mechanisms that have been put in place. The creators behind the recent malware targeting Microsoft Office were therefore tracking the changes Microsoft introduced to block macros, and they adjusted their tactics to match.