"Cisco Talos Report: Threat Actors Use Known Excel Vulnerability"

Cybercriminals have long targeted Microsoft Office files, specifically Excel and Word documents. Attackers have used embedded Visual Basic for Applications (VBA) macros to infect computers with various types of malware for cybercrime and cyber espionage, using a variety of tactics. In most instances, users still had to click through a prompt before code inside these documents would execute. However, social engineering techniques have convinced victims to click and permit the execution of malicious macros. Malware can also be launched through the direct exploitation of vulnerabilities without user engagement. According to new research from Cisco Talos, threat actors may abuse Excel's event handling functions to automatically launch .XLL files. The malicious code is executed when the Excel Add-In manager invokes the xlAutoOpen or xlAutoClose functions. Cisco Talos researchers used specific queries in VirusTotal to identify malicious .XLL files and offered YARA rules to look for them. They divided the samples into native .XLL files created with the Microsoft .XLL Software Development Kit (SDK) and files generated with the ExcelDNA framework, which is free and commonly used by threat actors. Long before Microsoft began blocking documents containing VBA macros, threat actors were exploiting .XLL file vulnerabilities. Until July 2017, no potentially harmful samples had been submitted, according to Cisco Talos experts. The first .XLL payload discovered on the VirusTotal platform ran calc.exe, a common testing approach used by penetration testers and cybercriminals. The second sample, also submitted that month, launched a Meterpreter reverse shell, which may be used for penetration testing or for malicious purposes. Following that activity, .XLL files appeared only infrequently until the end of 2021, when infamous malware families such as Dridex and FormBook began employing them.
This article continues to discuss malicious .XLL file exploitation in the wild, which threat actors use .XLL files, and how to protect against the .XLL security threat.

TechRepublic reports "Cisco Talos Report: Threat Actors Use Known Excel Vulnerability"