Cisco research on XLL Abuse.
The CyberWire, Dec 20, 2022

Talos looks at alternative ways of executing malicious code via Office files.

Researchers at Cisco Talos have published a report on the alternative methods attackers are using to execute malicious code via Office documents now that Microsoft blocks VBA macros in documents downloaded from the internet by default.

XLLs as a means to deliver malware.

Threat actors have recently started introducing malicious code to documents using Office add-ins, which are “pieces of executable code, in various formats and capabilities, that can be added to Office applications in order to enhance the application’s appearance or functionality.” XLL files specifically are useful for executing malicious code via an Excel document:

“If the user attempts to open a file with the filename extension .XLL in Windows Explorer, the shell will automatically attempt to launch Excel to open the .XLL file. This is because .XLL is the default filename extension for a specific class of Excel add-ins.

“Before an XLL file is loaded, Excel displays a warning about the possibility of malicious code being included. This is a similar approach to the message about potentially dangerous code which is displayed after an Office document containing VBA macro code is opened. Unfortunately, this protection technique is often ineffective as a protection against the malicious code as many users tend to disregard the warning.”
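The quoted behaviour gives a defender two observable events: Explorer launches Excel with the .xll path on its command line, and Excel then maps the .xll (a DLL whose exported xlAutoOpen routine Excel calls once the user clicks through the warning) into its own process. The triage script below, an added example that is not code from Talos or the CyberWire, applies that logic to Sysmon-style process-creation (Event ID 1) and image-load (Event ID 7) records. The event records, the severity tiers and the directory lists are constructed for illustration; a real deployment would tune the trusted and drop-location prefixes to its own Office install paths and add-in policy.

```python
"""Triage Sysmon-style events for Excel loading XLL add-ins from suspicious paths.

Added example (not the Talos or CyberWire code). Event dictionaries, the
directory lists and the severity scheme are constructed assumptions.
"""
import re

# Directories a phished user typically double-clicks an attachment from.
# Keys are lowercase path fragments; matching is case-insensitive. (Assumed list.)
USER_DROP_DIRS = (
    "\\downloads\\",
    "\\desktop\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
    "\\appdata\\local\\microsoft\\outlook\\",
)

# Where an installed, admin-deployed add-in is expected to live. (Assumed list.)
TRUSTED_PREFIXES = (
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Matches a quoted path ending in .xll, or an unquoted whitespace-free one.
XLL_IN_CMDLINE = re.compile(r'"([^"]+\.xll)"|(\S+\.xll)\b', re.IGNORECASE)

EXCEL = "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"

# Constructed sample telemetry, not real logs.
EVENTS = [
    # Explorer hands the downloaded .xll to Excel (the behaviour Talos describes).
    {"EventID": 1, "Image": EXCEL, "User": "CORP\\alice",
     "CommandLine": f'"{EXCEL}" "C:\\Users\\alice\\Downloads\\invoice_2022.xll"'},
    # Excel maps the add-in; Event ID 7 requires image-load logging in the Sysmon config.
    {"EventID": 7, "Image": EXCEL, "User": "CORP\\alice", "Signed": "false",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\invoice_2022.xll"},
    # A vendor add-in shipped under Program Files: expected, low severity.
    {"EventID": 7, "Image": EXCEL, "User": "CORP\\alice", "Signed": "true",
     "ImageLoaded": "C:\\Program Files\\Microsoft Office\\root\\Office16\\Library\\Analysis\\ANALYS32.XLL"},
    # Ordinary workbook open: no alert.
    {"EventID": 1, "Image": EXCEL, "User": "CORP\\alice",
     "CommandLine": f'"{EXCEL}" "C:\\Users\\alice\\Documents\\budget.xlsx"'},
    # Unrelated process: no alert.
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe", "User": "CORP\\alice",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]


def classify_path(path: str) -> str:
    """Severity from where the XLL sits: trusted install dir, user drop dir, or elsewhere."""
    p = path.lower()
    if p.startswith(TRUSTED_PREFIXES):
        return "low"
    if any(d in p for d in USER_DROP_DIRS):
        return "high"
    return "medium"  # e.g. a per-user AddIns folder: review, but not an obvious drop site


def triage(event: dict):
    """Return an alert dict for Excel touching an .xll, or None."""
    if not event.get("Image", "").lower().endswith("\\excel.exe"):
        return None
    if event.get("EventID") == 1:
        m = XLL_IN_CMDLINE.search(event.get("CommandLine", ""))
        if not m:
            return None
        path, reason = m.group(1) or m.group(2), "excel_launched_with_xll_argument"
    elif event.get("EventID") == 7:
        path = event.get("ImageLoaded", "")
        if not path.lower().endswith(".xll"):
            return None
        reason = "excel_loaded_xll_image"
    else:
        return None
    return {"severity": classify_path(path), "reason": reason, "xll": path,
            "user": event.get("User"), "signed": event.get("Signed", "n/a")}


def triage_events(events) -> list:
    """Run triage over a batch of events and keep only the alerts."""
    return [a for a in (triage(e) for e in events) if a]


if __name__ == "__main__":
    for alert in triage_events(EVENTS):
        print(alert)
```

Both event types are worth keeping: the process-creation record fires before the user has answered Excel's warning, so it catches the attempt even when the add-in is never loaded, while the image-load record confirms that the user clicked through and xlAutoOpen was able to run. Per-user add-in folders are user-writable, so a legitimate add-in there scores "medium" and needs an allowlist in practice.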

XLL abuse in the wild.

Cisco Talos has observed several high-profile threat actors using XLLs to deliver malware, including the Chinese state-sponsored actor APT10 and the financially motivated gang FIN7. The researchers conclude:

“Even though XLL add-ins have existed for some time, we were not able to detect their usage by malicious actors until mid-2017 when some APT groups started using them to implement a fully functional backdoor. We also identified that their usage significantly increased over the last two years as more commodity malware families adopted XLLs as their infection vector.

“As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications.”