Tag Archive for: Excel

Cisco’s Talos security bods predict new wave of Excel Hell • The Register


It took a few years and one temporary halt, but in July Microsoft finally began blocking certain macros by default in Word, Excel, and PowerPoint, cutting off a popular attack vector for those who target users of Microsoft’s Windows OS and Office suite.

While recent versions of Office block Visual Basic for Applications (VBA) macros by default, older versions of the suite and its component programs remain enormously prevalent.

Blocking macros therefore won’t deter cybercriminals from targeting Microsoft’s signature productivity applications. They’ll just have to find other options.

A report released on Tuesday by researchers from Cisco’s Talos threat intelligence group dissected one: XLL files in Excel.

Microsoft describes XLL files as “a type of dynamic link library (DLL) file that can only be opened by Excel”. They exist to let third-party apps add extra functionality to the spreadsheet.

Miscreants have used XLLs in attacks for several years, with the first malicious samples submitted to VirusTotal in mid-2017.

“For quite some time after that, the usage of XLL files is only sporadic and it does not increase significantly until the end of 2021, when commodity malware families such as Dridex and Formbook started using it,” Vanja Svajcer, outreach researcher for Talos, wrote in the report.

“Currently a significant number of advanced persistent threat actors and commodity malware families are using XLLs as an infection vector and this number continues to grow.”

Those high-profile groups include APT10, a China-linked gang also known as Chessmaster, Potassium, and menuPass, which has used XLLs to inject the Anel Backdoor malware. TA410, a cyberespionage group also known as Cicada or Stone Panda, is another user. DoNot, another APT group, and Fin7, a Russia-based organization, are also admirers. Fin7 earlier this year began using XLLs sent…

Source…

Latest cyber threat hijacks MS Excel


The United States formally accused cyber actors affiliated with China’s Ministry of State Security of conducting the massive Microsoft Exchange Server hack disclosed in March – © AFP/File FARSHAD USYAN

Security researchers are warning about a phishing campaign that is targeting employees in financial services using links that download a ‘weaponized’ Excel document. Researchers who have analyzed the malware at the heart of this new attack wave have noted the malicious Excel files can bypass malware-detection systems.

The files slip past established antivirus systems because the malware relies on lightweight embedded macros, which makes it dangerous for organizations that depend on detection-based security and sandboxing.

The emails being sent out claim to come from the Johns Hopkins Center bearing the title “WHO COVID-19 SITUATION REPORT”.

Weighing up this new risk for Digital Journal is Troy Gill, who is the Senior Manager of Threat Intelligence at Zix | AppRiver.

Gill begins his review weighing up why the finance sector appears to be a big target and why it has some inherent vulnerabilities.

Gill notes: “The financial industry is a top target for cybercriminals who continue to find new ways to obtain the endless sensitive client and customer information organizations in this industry store.”

As to why the specific mode of attack has been rolled out, Gill speculates: “Email attackers are also increasingly using customized phishing campaigns to target users as we saw with this phishing campaign where attackers exploited company-issued information about COVID-related changes to working arrangements.”

There is a common theme to this, says Gill: “The shifting of tactics seen in this phishing campaign are representative of many different malware groups, all of whom are constantly adapting their attacks to avoid detection.”

The extent of the threat means that mechanisms are needed to counteract it. Here Gill observes: “This is why it is important to have security controls in place that are not just robust but also nimble and adaptable to these ever-evolving threats.”

Furthermore, he recommends: “This attack is a great…

Source…

Cybercriminals Widely Abusing Excel 4.0 Macro to Distribute Malware


Threat actors are increasingly adopting Excel 4.0 documents as an initial stage vector to distribute malware such as ZLoader and Quakbot, according to new research.

The findings come from an analysis of 160,000 Excel 4.0 documents between November 2020 and March 2021, out of which more than 90% were classified as malicious or suspicious.


“The biggest risk for the targeted companies and individuals is the fact that security solutions still have a lot of problems with detecting malicious Excel 4.0 documents, making most of these slip by conventional signature based detections and analyst written YARA rules,” researchers from ReversingLabs said in a report published today.

Excel 4.0 macros (XLM), the precursor to Visual Basic for Applications (VBA), are a legacy feature kept in Microsoft Excel for backward compatibility. Microsoft warns in its support document that enabling all macros can cause “potentially dangerous code” to run.

The ever-evolving Quakbot (aka QBOT), since its discovery in 2007, has remained a notorious banking trojan capable of stealing banking credentials and other financial information, while also gaining worm-like propagation features. Typically spread via weaponized Office documents, variants of QakBot have been able to deliver other malware payloads, log user keystrokes, and even create a backdoor to compromised machines.


In a document analyzed by ReversingLabs, the malware not only tricked users into enabling macros with convincing lures, but also came with embedded files containing XLM macros that download and execute a malicious second-stage payload retrieved from a remote server. Another sample included a Base64-encoded payload in one of the sheets, which then attempted to download additional malware from a sketchy URL.

“Even though backward compatibility is very important, some things should have a life expectancy and, from a security perspective, it would probably be best if they were deprecated at some point in time,” the researchers noted. “Cost of maintaining 30-year-old macros should be weighed against the security risks using such outdated technology brings.”

Source...


Microsoft Excel Power Query feature can be abused for malware distribution – ZDNet

Disabling DDE support in Microsoft Excel should prevent attacks, Microsoft says.