Microsoft's decision to block Visual Basic for Applications (VBA) macros by default in Office files downloaded from the Internet has led many cyber attackers to rework their attacks in recent months. One such case is the APT hacker group; various "fringes" of this group have operated at other times and on different occasions.

According to Cisco Talos, the hackers of this group, whose acronym stands for "Advanced Persistent Threat", and core malware families increasingly use Excel add-in files (.XLL) as the initial intrusion vector.

How is APT malware an “initial intrusion vector” via Excel add-ins?

Office documents delivered via spear-phishing e-mails and other social engineering attacks remain a staple, still used today by criminal groups looking to execute malicious code, in this case via macros.

Basically, VBA macros create a sort of backdoor through which these malicious actors can remotely access a computer, or more generally a computer system, and do damage.

Not surprisingly, these documents try to convince victims to enable macros in order to view seemingly harmless content, the purpose being to let malware run stealthily in the background.

To counter this misuse, Microsoft adopted a crucial change as of July 2022 that blocks macros in Office files attached to e-mail messages, effectively nipping the installation of potential malware in the bud.

While this block only applies to new versions of Access, Excel, PowerPoint, Visio, and Word, bad actors, including APTs, have tried other roads to distribute their malware.

One of these methods, also adopted by APTs, appears to be XLL files, described by Microsoft as a "type of dynamic link library (DLL) file that can only be opened by Excel".

"XLL files can be sent via email, and even with the usual anti-malware scanning measures, users might be able to open them without knowing that they might contain malicious code," Cisco Talos researcher Vanja Svajcer said in an analysis published last week.

The cybersecurity firm said the authors, APT, are employing a mix of native add-ins written in C++ and add-ins developed using a free tool called Excel-DNA, a phenomenon that has spiked significantly since mid-2021 and continued into this year.

That said, the first publicly documented malicious use of XLL is thought to have occurred in 2017, when one of the APTs, dubbed APT10 (also known as Stone Panda, already seen on other occasions) and linked to China, used the technique to inject its backdoor payloads into memory via a particular technique called "process hollowing" (literally, with a rather lame translation, "emptying a process").

Other notable hacking "artists" include TA410 (an actor with links to APT10), DoNot Team and FIN7, as well as core malware families such as Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Warzone RAT.

The abuse of the XLL file format to distribute Agent Tesla and Dridex was previously documented by Palo Alto Networks Unit 42, which reported that it "could indicate a new trend in the [cyber] threat landscape".

"As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will move away from malicious VBA-based documents to other formats such as [files with the] XLL [extension], or will rely on exploiting newly discovered vulnerabilities to run malicious code in the process space of the Office applications," Svajcer said.

Malicious Microsoft Macros Push Ekipa RAT (or Ekipa RAT#)

Ekipa RAT, in addition to incorporating XLL Excel add-ins, also received an update in November 2022 that allows it to take advantage of Microsoft Publisher macros to eliminate the remote access trojan and steal sensitive information; in practice, after stealing the information, it deletes itself so as not to be detected.

"Just as with other Microsoft Office products, such as Excel or Word, Publisher files can contain macros that run when the file is opened or closed, which makes them attractive initial attack vectors from a threat actor's perspective," Trustwave notes.

It's worth noting that Microsoft's restrictions on running macros in files downloaded from the Internet don't extend to Publisher files, making them a potential avenue for attack.
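A defender-side attachment triage script illustrating the two points raised above: XLL add-ins arriving as e-mail attachments, and Publisher files escaping the Internet macro block. This is an added example, not code from the article, Cisco Talos or Trustwave. The sample message, the placeholder addresses and the minimal "MZ"/OLE headers are constructed for the demonstration; the XLL check relies only on the fact that an XLL is a DLL (a PE image, so it starts with "MZ" even when renamed), while a .pub file is an OLE compound document.

```python
"""Triage e-mail attachments for XLL add-ins and Publisher files.

Added example, not the article's own code. The message built in
build_sample_message() is constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

PE_MAGIC = b"MZ"                                   # DOS/PE header: EXE, DLL, XLL
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"    # OLE compound document (.pub, legacy .doc/.xls)

# Extensions that hand the user a direct code-execution vector.
RISKY_EXTENSIONS = {
    ".xll": "Excel add-in (a DLL loaded by Excel; not stopped by the VBA macro block)",
    ".pub": "Publisher file (macros not covered by the Internet macro block)",
    ".xlsm": "macro-enabled workbook",
    ".docm": "macro-enabled document",
}


def classify_attachment(filename: str, data: bytes) -> list[str]:
    """Return the findings for one attachment (empty list if nothing suspicious)."""
    findings = []
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in RISKY_EXTENSIONS:
        findings.append(f"{filename}: {RISKY_EXTENSIONS[ext]}")
    if data.startswith(PE_MAGIC):
        # A PE image is executable code whatever the name says.
        if ext not in (".xll", ".dll", ".exe"):
            findings.append(f"{filename}: PE executable content with misleading extension {ext or '(none)'}")
        elif ext == ".xll":
            findings.append(f"{filename}: confirmed PE image (XLL add-in)")
    if data.startswith(OLE_MAGIC) and ext == ".pub":
        findings.append(f"{filename}: confirmed OLE compound document (Publisher)")
    return findings


def triage_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and classify every attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        findings.extend(classify_attachment(name, payload))
    return findings


def build_sample_message() -> bytes:
    """Constructed test message: a renamed PE image, a .pub file and a harmless text file."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # placeholder address
    msg["To"] = "recipient@example.invalid"       # placeholder address
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    # Minimal fake PE header (constructed; not a real DLL), disguised as a workbook.
    msg.add_attachment(b"MZ" + b"\x00" * 62, maintype="application",
                       subtype="octet-stream", filename="report.xlsx")
    # Minimal fake OLE header (constructed) with the Publisher extension.
    msg.add_attachment(OLE_MAGIC + b"\x00" * 24, maintype="application",
                       subtype="octet-stream", filename="flyer.pub")
    msg.add_attachment("hello", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for line in triage_message(build_sample_message()):
        print(line)
```

The magic-byte check is the part that matters operationally: an extension filter alone is defeated by renaming, whereas a PE image must keep its "MZ" header to be loadable by Excel. In a real mail gateway the same classification would run over every part of every inbound message rather than over the constructed sample.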

"The Ekipa RAT is a great example of how bad guys are constantly changing their techniques to keep up with defenders [such as IT experts, or defensive programs like antivirus]," said Wojciech Cieslak, a researcher at Trustwave. "The creators of this malware are monitoring changes in the security industry, such as Microsoft blocking Internet macros, and adjusting their tactics accordingly."

To put it simply: you know that annoying Windows Defender you may have turned off, thinking you were being clever? Very often, in cases like these, it proves useful, even if here APT and company try to make sure these threats go undetected.

Beware of e-mails: it's business as usual

As you can see, these "attacks" happen precisely because, very often, the end user is not paying proper attention.

In a certain sense, just as it is inappropriate to speak of a "ransomware attack", it is also inappropriate here to speak of a real attack, since the real enemy is the user's carelessness.

While it is true that these deceptive e-mails are very often accurate, it is good practice to check that the sender's address does not contain a series of numbers and letters in a strange order; unfortunately this check, which should be the first, especially for those at work, is the last thing anyone notices.