Cisco’s Talos security bods predict new wave of Excel Hell

It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft's Windows OS and Office suite.

While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent.

Blocking macros therefore won't deter cybercriminals from targeting Microsoft's signature productivity applications. They'll just have to find other options.

A report released on Tuesday by researchers from Cisco's Talos threat intelligence group dissected one: XLL files in Excel.

Microsoft describes XLL files as "a type of dynamic link library (DLL) file that can only be opened by Excel". They exist to let third-party apps add extra functionality to the spreadsheet.

Miscreants have used XLLs in attacks for several years, with the first malicious samples submitted to VirusTotal in mid-2017.

"For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it," Vanja Svajcer, outreach researcher for Talos, wrote in the report.

"Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow."

Those high-profile groups include APT10, a China-linked gang also known as Chessmaster, Potassium, and menuPass that has used XLLs to inject the Anel Backdoor malware. TA410, a cyberespionage group also known as Cicada or Stone Panda, is another user. DoNot, another APT group, and Fin7, a Russia-based organization are also admirers. Fin7 earlier this year began using XLLs sent as attachments in malicious emails. The downloaders appear to have been built with the Excel-DNA .NET framework, according to Svajcer.

Commodity malware families using XLLs include Dridex and FormBook, an inexpensive info-stealer that is offered to miscreants through a service and which can record keystrokes, steal passwords, and take screenshots. The downloader is delivered via email as an invoice sent to a user.

Users can introduce code to applications that are called Office add-ins and are meant to improve an application's performance or appearance. They can be delivered as Office documents containing VBA code or modules with compiled functionality, which can be collected .NET VSTO plugins, COM servers, or as dynamic loading libraries (DLL) with a specific filename extension.

They add ins for Excel are different than with an application like Word. With Excel, if a user wants to open a file with a .XLL extension in Windows Explorer, the system will automatically try to launch Excel and open the file. Before it's loaded, Excel displays a warning about possibly dangerous code similar to one shown after an Office document that includes VBA macro code is opened.

In both examples, users often tend to disregard the warning.

"XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code," Svajcer wrote.

Native XLL add-ins are written in C++, created via the Excel XLL SDK and include an xlAutoOpen exported function. There also are projects like Excel-DNA and Add-In Express that enable developers to create XLL add-ins using such .NET languages as C# and VB.NET. The free Excel-DNA is among the most widely used.

The popularity of XLLs appears to be rising. In a search of VirusTotal, Talos found monthly submissions of malicious native and Excel-DNA samples spiking last year, with use continuing into this year.

Recent XLL-based campaigns include one seen in August delivering the Warzone RAT (aka AveMaria) with a fraudulent email masquerading as a message from the Hungarian police. The attachment is a .NET-based XLL file.

Ducktail is an info-stealer aimed at the digital advertising space sent by an attacker in Vietnam. It steals browser-stored credentials and cookies to gain access to details of the victim's Facebook friends and business contacts. The crooks also contact victims via LinkedIn and WhatsApp. Talos in September detected a Ducktail file created using Excel-DNA named "Details of Project Marketing Plan and Facebook Google Ads Results Report."

Enterprises should expect more XLL-based malware attacks.

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actor will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," he wrote. ®