A wave of cyberattacks is exploiting Microsoft Excel add-in files in order to deliver several forms of malware in campaigns that could leave businesses vulnerable to data theft, ransomware and other cybercrime.
Detailed by researchers at HP Wolf Security, the campaigns use malicious Microsoft Excel add-in (XLL) files to infect systems. There was an almost six-fold (588%) increase in attacks using this technique during the final quarter of 2021 compared to the previous three months.
XLL add-in files are popular because they enable users to deploy a wide variety of extra tools and functions in Microsoft Excel. But like macros, they're a tool that can be exploited by cyber criminals.
The attacks are distributed via phishing emails themed around payment references, invoices, quotes, shipping documents and orders, which carry malicious Excel documents with XLL add-in files. Running the malicious file prompts users to install and activate the add-in, which will secretly run the malware on the victim's machine.
Malware families identified as being delivered in attacks leveraging XLL files include Dridex, IcedID, BazaLoader, Agent Tesla, Raccoon Stealer, Formbook, and Bitrat. Many of these forms of malware can create backdoors onto compromised Windows systems, providing attackers with the ability to remotely access machines, monitor activity and steal data.
Researchers also warn that malware backdoors provide attackers with the ability to deliver other malware, including ransomware, meaning the XLL attacks could be exploited as a means of encrypting networks and demanding large ransom payments.
These XLL attacks are effective at compromising victims – something that's reflected in the prices charged by those offering related services on underground dark web forums.
Some XLL Excel Dropper services are advertised as costing over $2,000, which is quite expensive for commodity malware, but criminal forum users seem willing to pay the price.
In addition to the XLL-based campaigns, researchers note that QakBot, a prominent form of trojan malware often used as a precursor to ransomware attacks, is also abusing Excel to compromise victims.
Attackers are hijacking email threads in order to deliver malicious Excel documents to their chosen victims, who are sent a ZIP archive containing a Microsoft Excel Binary Workbook (XLSB). If this is run, QakBot is downloaded onto the machine.
"Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly," said Alex Holland, senior malware analyst at HP Wolf Security.
"Attackers are continually innovating to find new techniques to evade detection, so it's vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe," he added.
In order to avoid falling victim to the spate of attacks abusing XLL files, it's recommended that administrators configure email gateways to block incoming .xll attachments and only permit add-ins to be delivered by trusted partners – or even disable Excel add-ins entirely.
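The gateway rule recommended above can be sketched as follows. This is an added example, not code from HP Wolf Security or the original article: it flags .xll attachments for blocking, including ones wrapped in ZIP archives, and marks XLSB workbooks for review. The function names, the "block"/"review" verdicts, the nesting limit and the sample message are all assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCK_EXT = (".xll",)    # Excel add-ins: reject at the gateway
REVIEW_EXT = (".xlsb",)  # binary workbooks, the format used in the QakBot lure
MAX_DEPTH = 2            # assumed limit on nested archives

def scan_file(name, data, depth=0):
    """Return [(path, verdict)] for one attachment, descending into ZIPs."""
    lower = name.lower()
    if lower.endswith(BLOCK_EXT):
        return [(name, "block")]
    if lower.endswith(REVIEW_EXT):
        return [(name, "review")]
    if not lower.endswith(".zip"):
        return []
    if depth >= MAX_DEPTH:
        return [(name, "review")]  # nested too deeply to inspect
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                nested = info.filename.lower().endswith(".zip")
                inner = zf.read(info) if nested else b""
                for path, verdict in scan_file(info.filename, inner, depth + 1):
                    findings.append((f"{name}/{path}", verdict))
    except (zipfile.BadZipFile, RuntimeError):  # corrupt or password-protected
        findings.append((name, "review"))
    return findings

def scan_message(raw):
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings += scan_file(part.get_filename() or "", payload)
    return findings

def build_sample():
    """Constructed message: an .xll attachment plus a ZIP holding an .xlsb."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice_0001.xlsb", b"constructed placeholder")
    kind = dict(maintype="application", subtype="octet-stream")
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(b"constructed", filename="Quote.XLL", **kind)
    msg.add_attachment(buf.getvalue(), filename="docs.zip", **kind)
    return msg.as_bytes()
```

Matching is by file name only, so a production gateway would pair it with content inspection and cap member sizes before reading nested archives.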