The days are numbered for hackers using Excel’s XLL features to deliver malware to Microsoft customers, the company has announced.
XLL files are Excel add-ins, similar to DLL files, that give Excel a number of advanced features, including custom functions and toolbars.
Crooks have been using XLL files in phishing attacks, successfully delivering malware and infostealers, and possibly even ransomware on some occasions.
A surge in popularity
Now, Microsoft’s first step is to prevent such files downloaded from the internet from running:
"In order to combat the increasing number of malware attacks in recent months, we are implementing measures that will block XLL add-ins coming from the internet," the company said in an entry on its Microsoft 365 roadmap.
The change will first reach multi-tenant users globally in March 2023, for Microsoft 365 desktop users on the Current, Monthly Enterprise, and Semi-Annual Enterprise channels.
While weaponized XLL files have probably been around for a lot longer, they began grabbing people’s attention in early 2022, around the time Microsoft decided to prevent Office files downloaded from the internet from running any macros. As threat actors could no longer use macros to deliver malware to target endpoints, they increasingly turned to XLL files instead.
In early 2022, HP’s cybersecurity arm Wolf Security analyzed data from “the many millions of endpoints” running its software in 2021 and discovered a 588% increase in the use of Excel add-ins to distribute malware.
The researchers say this technique is particularly dangerous because a single click by the victim is enough to compromise the endpoint.
Adverts for an .xll dropper and malware builder have also started popping up on underground markets, making it easy for low-level attackers to launch campaigns with devastating consequences.
As usual, the best way to protect against such attacks is to be extra careful when running any file that arrives via email or from a website whose authenticity cannot be confirmed.
Via: BleepingComputer