Cybercriminals increasingly utilizing Excel add-in files to spread malware: HP report

The HP Wolf Security threat research team has identified a wave of attacks utilizing Microsoft Excel add-in files to spread malware and expose businesses and individuals to data theft and destructive ransomwares. This technique is particularly dangerous as it only requires one click to run the malware, the researchers say.

According to HP's latest global Wolf Security Threat Insights Report, there was a near-sixfold surge (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems during Q4, 2021, compared to the third quarter, with the researchers expecting the trend to continue throughout 2022.

The researchers also found adverts for .xll dropper and malware builder kits on underground markets that make it easier for inexperienced attackers to launch campaigns. The team recommends the following mitigations:

• Configure your email gateway to block inbound emails containing XLL attachments
• Configure Excel only to permit add-ins signed by trusted publishers
• Configure Excel to disable proprietary add-ins entirely

"Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly. For example, based on the spike in malicious .xll sightings we are seeing, I'd urge network administrators to configure email gateways to block incoming .xll attachments, only permit add-ins signed by trusted partners or disable Excel add-ins entirely," noted Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

The HP Wolf Security threat research team also highlighted a spam campaign, QakBot, that used Excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious Excel (.xlsb) file. Once delivered, QakBot injects itself into legitimate Windows processes to evade detection.

Other notable threats reviewed by the Wolf Security Threat Insights Report include:

• MirrorBlast - A new email phishing campaign sharing many tactics, techniques, and procedures (TTPs) with TA505, a notorious financially motivated threat actor.
• RedLine malware - A spoofed Discord installer website tricking visitors into downloading the RedLine infostealer and stealing their credentials.
• PowerPoint malware - Aggah, a financially motivated threat actor, targeted Korean-speaking organizations with malicious PowerPoint add-in (.ppa) files disguised as purchase orders, delivering a remote access Trojan (RAT).

"Organizations should focus on reducing the attack surface and enabling quick recovery in the event of compromise. This means following Zero Trust principles and applying strong identity management, least privilege and isolation from the hardware level," noted Dr. Ian Pratt, Global Head of Security for Personal Systems, HP Inc.

For more information, read HP's official release.