
Cybercrooks amp up attacks via macro-enabled XLL files

Cybercriminals are once again abusing Excel add-in files, both compiled XLL add-ins and macro-enabled .xlam add-ins, in malware attacks at a vastly increased rate, according to new research.

HP Wolf Security found that .xlam files were the seventh most commonly abused file extension in Q3 2023, up 35 places from 42nd in Q2.

XLL attacks aren't new, and researchers observed a lull in them at the start of 2023, but the file type has drawn renewed attention in the past few months.

XLL files offer attackers greater capabilities than alternatives such as Visual Basic for Applications (VBA) macros, which Microsoft has blocked by default in documents downloaded from the internet since its 2022 intervention, a move seen at the time as long overdue.

An XLL is a compiled add-in, a native DLL that Excel loads into its own process, so it extends Excel's functionality with arbitrary machine code rather than interpreted macros, supports features such as multithreading, and has been adopted in the past by developers of malware families such as Dridex, Agent Tesla, Raccoon Stealer, and Formbook.

Malicious XLL files can be built in a number of ways; many attackers use them as droppers, embedding the payload inside the add-in and writing it to disk, rather than as downloaders that fetch the payload from the web.

The latest finding is another example of how attackers continue to evolve their tactics to leverage seemingly benign Microsoft Office documents to distribute malware.

Since Microsoft announced it would block VBA macros by default, then briefly backtracked before blocking them again, attackers have been experimenting with different file types to launch their malware attacks.

The ubiquity of Microsoft Office documents in the business world means they are perceived by many as inherently safe, making them an ideal medium through which criminals can launch attacks.

After the block on VBA macros, .LNK files became the de facto replacement before OneNote file experimentation took hold, along with ISO and RAR attachments.

Microsoft also began blocking XLL add-ins from untrusted locations by default at the start of this year, which makes the surge in their use noteworthy.

By default, XLL files that come from locations not explicitly designated as trusted in Excel's Trust Center are blocked. Microsoft has said most people will never need add-ins, since they aren't required for typical Excel use.

Abuse in active attacks

Attackers showed they could get around the XLL block in a Parallax remote access trojan (RAT) campaign observed in July this year.

The XLL attachments, masquerading as scanned invoices, are thought to have been sent from compromised email accounts; the researchers' reading is that mail from a familiar sender made it likely the add-in ended up in a location Excel treated as trusted, so the default block on untrusted XLLs did not apply. Note that the block keys on where the file sits when it is opened, not on who sent it, so the outcome depends on how the recipient saved and opened the attachment.

The add-in used the dropper approach together with the multithreading described above. When Excel loads an XLL it calls the exported xlAutoOpen function, and in this sample that function holds the malicious code: it loads various system libraries and resolves the functions it needs dynamically rather than listing them in the import table.
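Because an XLL is a Windows DLL that exports the entry points Excel calls (xlAutoOpen among them), the file type can be recognised from its export table whatever extension the attachment carries. The following is an added example, not code from the article or from HP's research: a small PE export-table parser and an is_xll check built on it. The entry-point names come from the Excel add-in SDK; build_sample_dll constructs a minimal, non-loadable PE32+ image purely as test input, and its section layout and dummy RVAs are made up for that purpose.

```python
import struct
from typing import List, Optional

# Entry points Excel calls on an XLL; xlAutoOpen runs when the add-in is loaded.
XLL_ENTRY_POINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove"}
IMAGE_FILE_DLL = 0x2000


def _pe_header(data: bytes) -> Optional[int]:
    """Return the offset of the PE signature, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    return pe if data[pe:pe + 4] == b"PE\0\0" else None


def pe_exports(data: bytes) -> List[str]:
    """Parse the export directory and return the exported names (empty if none)."""
    pe = _pe_header(data)
    if pe is None:
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                          # optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_off = {0x10B: 96, 0x20B: 112}[magic]                # data directories: PE32 / PE32+
    export_rva = struct.unpack_from("<I", data, opt + dd_off)[0]
    if export_rva == 0:
        return []
    # Section table, used to translate RVAs into file offsets.
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def to_offset(rva: int) -> int:
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + rawptr
        raise ValueError(f"RVA {rva:#x} is outside every section")

    def cstring(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    exp = to_offset(export_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]              # NumberOfNames
    names_off = to_offset(struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
    name_rvas = struct.unpack_from(f"<{n_names}I", data, names_off)
    return [cstring(to_offset(rva)) for rva in name_rvas]


def is_xll(data: bytes) -> bool:
    """True if data is a PE DLL exporting xlAutoOpen, regardless of file extension."""
    pe = _pe_header(data)
    if pe is None:
        return False
    characteristics = struct.unpack_from("<H", data, pe + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL) and "xlAutoOpen" in pe_exports(data)


def build_sample_dll(exports: List[str], dll: bool = True, dll_name: bytes = b"sample.xll") -> bytes:
    """Constructed test input: a minimal PE32+ image whose only content is an export table.
    It is parseable but not loadable (no code); it exists only to exercise the parser."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(exports)
    funcs_rva = sec_rva + 40                               # export directory is 40 bytes
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n
    strings = dll_name + b"\0"
    name_rvas = []
    for name in exports:
        name_rvas.append(str_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, str_rva, 1, n, n, funcs_rva, names_rva, ords_rva)
    body += b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))  # dummy function RVAs
    body += b"".join(struct.pack("<I", rva) for rva in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))                  # name ordinals
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    flags = 0x0022 | (IMAGE_FILE_DLL if dll else 0)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, flags)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)      # 16 data directories
    opt += struct.pack("<II", sec_rva, len(body)) + b"\0" * 120               # directory 0 = exports
    sect = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), sec_rva, len(body), sec_raw,
                       0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(sec_raw, b"\0") + body
```

On a real attachment, read the file bytes and pass them to is_xll; the extension check Excel performs is no substitute for looking at the export table, since the name of the file tells you nothing about whether it is a native add-in.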

Then, on one thread, the malware writes an executable, lum.exe, into a newly created folder under C:\ProgramData, creates a registry key named ID under HKEY_CURRENT_USER\Software\Intel whose value is that folder's name, and launches lum.exe.

On another thread it works on the file's perceived legitimacy: a dummy invoice, actually a legitimate invoice template taken from the web, is saved to the victim's disk.

Parallax RAT then uses techniques such as process hollowing to evade detection before becoming operational.
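The chain just described, Excel writing an executable under C:\ProgramData, setting the ID value under HKCU\Software\Intel, then launching that executable, is what an endpoint detection would key on. As an added example, not from the article or HP's report, here is detection logic run over constructed Sysmon-style events: three narrow rules plus a correlation step that ties them together by folder name. The folder name q7x2, the user name and the decoy file name are made up, and the event schema is a simplified stand-in for real telemetry; lum.exe and the registry path come from the article.

```python
import re

OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
PROGRAMDATA = re.compile(r"^c:\\programdata\\", re.IGNORECASE)
EXECUTABLE = re.compile(r"\.(exe|dll|xll)$", re.IGNORECASE)
# Registry location the article reports the Parallax dropper writing (value = dropper folder).
PARALLAX_REG_PATH = r"hkcu\software\intel\id"

EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"

# Constructed sample telemetry (Sysmon-style, simplified). Folder name, user name and
# decoy file name are made up; lum.exe and the registry path are from the article.
SAMPLE_EVENTS = [
    {"type": "file_create", "proc": EXCEL, "path": r"C:\ProgramData\q7x2\lum.exe"},
    {"type": "file_create", "proc": EXCEL, "path": r"C:\Users\alice\Documents\invoice.pdf"},  # decoy
    {"type": "reg_set", "proc": EXCEL, "key": r"HKCU\Software\Intel\ID", "value": "q7x2"},
    {"type": "proc_create", "parent": EXCEL, "image": r"C:\ProgramData\q7x2\lum.exe"},
    {"type": "proc_create", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe"},                                         # benign
]


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Emit (rule, artefact) findings for Office behaviour matching the dropper chain."""
    findings = []
    for e in events:
        if (e["type"] == "file_create" and image_name(e["proc"]) in OFFICE_PROCESSES
                and PROGRAMDATA.match(e["path"]) and EXECUTABLE.search(e["path"])):
            findings.append(("office_writes_executable_to_programdata", e["path"]))
        elif (e["type"] == "reg_set" and image_name(e["proc"]) in OFFICE_PROCESSES
                and e["key"].lower() == PARALLAX_REG_PATH):
            findings.append(("office_sets_parallax_registry_value", e["value"]))
        elif (e["type"] == "proc_create" and image_name(e["parent"]) in OFFICE_PROCESSES
                and PROGRAMDATA.match(e["image"])):
            findings.append(("office_spawns_from_programdata", e["image"]))
    return findings


def matches_parallax_chain(findings) -> bool:
    """True when the findings line up: the folder named in the registry value is the one
    the executable was dropped into, and that same executable was launched by Office."""
    dropped = {a for r, a in findings if r == "office_writes_executable_to_programdata"}
    reg_values = {a for r, a in findings if r == "office_sets_parallax_registry_value"}
    spawned = {a for r, a in findings if r == "office_spawns_from_programdata"}
    return any(path.split("\\")[-2] in reg_values for path in dropped & spawned)


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for rule, artefact in hits:
        print(f"{rule}: {artefact}")
    print("parallax chain:", matches_parallax_chain(hits))
```

Each rule on its own will fire on some legitimate software (installers do write under ProgramData from Office-launched processes), which is why the correlation step, folder name shared between the dropped file, the registry value and the spawned image, is the part worth alerting on; the individual findings are better kept as hunting leads.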

The researchers said it’s often available to buy for around $65 per month and offers attackers capabilities such as remote control access to victim machines, data exfiltration, and credential theft.

A similar campaign targeting hotels in Latin America used add-in files for PowerPoint rather than Excel. Again it installed a RAT, this time XWorm, whose capabilities go beyond remote desktop control to keylogging and clipboard hijacking.

Separately, XWorm also appears to be spreading by other means. Trellix spotted a campaign from late July targeting organisations across various industries, mainly in the US, the Republic of Korea, and Germany.

The delivery mechanism differed too: the attackers used malicious URLs embedded in .pdf, .docx, and .rtf files. ®