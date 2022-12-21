Microsoft may have blocked macros from running by default in its Office suite, but there are workarounds, researchers say.

According to a new report from Cisco Talos, several months after the block was introduced, one specific workaround is seeing increased adoption in the cybercrime community.

The team says cybercriminals are increasingly using XLL files (as opposed to XLS and XLSX) to deliver malicious code to target endpoints.

Growing in popularity

XLL files are “a type of dynamic link library (DLL) file that can only be opened by Excel,” the researchers explain. In other words, XLLs are Excel add-ins: native code that Excel loads into its own process so that spreadsheets can use additional functionality supplied by third-party software. Because the add-in's entry point runs as soon as Excel loads it, an XLL gives an attacker code execution without any macro being involved.
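As an added example that is not from the Talos report or from this article, the Python script below triages a suspected .xll file: it parses the PE export table and reports whether the file carries the add-in entry points Excel looks for (Excel calls xlAutoOpen when the add-in loads, which is where a malicious XLL places its first-stage code). The sample images produced by build_sample_pe are constructed test data, and the function names pe_exports, triage_xll and the verdict labels are this example's own.

```python
import struct

# Exports Excel looks for in an XLL add-in. Excel calls xlAutoOpen when the
# add-in is loaded, so that is where a malicious XLL puts its first-stage code.
XLL_ENTRY_POINTS = {
    "xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
    "xlAutoRegister12", "xlAutoFree12", "xlAddInManagerInfo", "xlAddInManagerInfo12",
}


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    return None


def pe_exports(data):
    """Return the exported names of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin 96 bytes into a PE32 optional header, 112 into PE32+
    export_rva = struct.unpack_from("<I", data, opt + (96 if magic == 0x10B else 112))[0]
    sections = []
    for i in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(export_rva, sections) if export_rva else None
    if exp is None:
        return []
    # IMAGE_EXPORT_DIRECTORY: NumberOfNames at +24, AddressOfNames at +32
    num_names = struct.unpack_from("<I", data, exp + 24)[0]
    names_off = _rva_to_offset(struct.unpack_from("<I", data, exp + 32)[0], sections)
    if names_off is None:
        return []
    names = []
    for i in range(num_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
        names.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return names


def triage_xll(data):
    """Classify a suspected .xll: not a PE at all, a plain DLL, or an Excel add-in."""
    exports = pe_exports(data)
    if exports is None:
        return {"verdict": "not-a-pe", "exports": [], "entry_points": []}
    hits = sorted(XLL_ENTRY_POINTS & set(exports))
    if "xlAutoOpen" in hits:
        verdict = "xll-add-in"      # Excel will run xlAutoOpen on load
    elif hits:
        verdict = "xll-like"
    else:
        verdict = "plain-dll"
    return {"verdict": verdict, "exports": exports, "entry_points": hits}


def build_sample_pe(export_names):
    """Constructed sample: a minimal PE32+ with one section holding an export
    table for export_names. Test data only; it contains no code."""
    sec_rva, sec_off, n = 0x1000, 0x200, len(export_names)
    funcs_rva = sec_rva + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    strings_rva = ords_rva + 2 * n
    blob, name_rvas = b"", []
    for nm in export_names:
        name_rvas.append(strings_rva + len(blob))
        blob += nm.encode() + b"\0"
    dll_name_rva = strings_rva + len(blob)
    blob += b"sample.xll\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                             funcs_rva, names_rva, ords_rva)
    section = (export_dir
               + b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))
               + b"".join(struct.pack("<I", r) for r in name_rvas)
               + b"".join(struct.pack("<H", i) for i in range(n))
               + blob)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)                                             # PE32+ optional header
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<I", opt, 108, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112, sec_rva if n else 0, len(section))  # export directory
    sec_hdr = b".edata\0\0" + struct.pack("<IIIIIIHHI", 0x200, sec_rva, 0x200, sec_off,
                                          0, 0, 0, 0, 0x40000040)
    return (dos + coff + bytes(opt) + sec_hdr).ljust(sec_off, b"\0") + section.ljust(0x200, b"\0")


if __name__ == "__main__":
    for label, sample in [("add-in", build_sample_pe(["xlAutoOpen", "xlAutoClose"])),
                          ("renamed xlsx", b"PK\x03\x04" + b"\0" * 64)]:
        print(label, triage_xll(sample))
```

The export-table check is deliberately independent of the file extension: a file named .xll that is really an Office ZIP container, or a plain DLL someone renamed, gets a different verdict from a genuine add-in, and anything whose exports include xlAutoOpen deserves a closer look before it is opened in Excel.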

While the weaponization of XLL files is nothing new (the report traces the first examples back to mid-2017), these files were rarely used before Microsoft moved to block the execution of macros in files downloaded from the Internet. Since late 2021, more malware families have adopted this alternative.

“For quite some time after that [mid-2017] XLL file usage is sporadic and won’t increase significantly until late 2021, when mainstream malware families like Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Cisco Talos, noted in the report.

“Currently, a significant number of advanced persistent threat actors and commodity malware families use XLLs as an infection vector and this number continues to grow.”

Among the groups using XLL files is the Chinese threat actor APT10 (AKA Potassium), which used them to spread the Anel backdoor. Then there is Cicada (AKA Stone Panda, TA410), a group the report describes as “loosely connected” to APT10, as well as DoNot and FIN7.

The report also lists commodity malware delivered via XLL files, such as Warzone RAT and Ducktail. Businesses are warned to expect an increasing number of such threats in the future.

Via: The Register