There was a six-fold increase in cyber attackers using malicious Microsoft Excel add-in (.xll) files to infect systems in the last quarter, according to HP’s latest global Wolf Security Threat Insights Report.
The Wolf Security research team said it had identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks.
“There was a huge six-fold increase (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems compared to last quarter – a technique found to be particularly dangerous as it only requires one click to run the malware,” according to the report. “The team also found adverts for .xll dropper and malware builder kits on underground markets, which make it easier for inexperienced attackers to launch campaigns.
“Additionally, a recent QakBot spam campaign used Excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious Excel (.xlsb) file. After being delivered to systems, QakBot injects itself into legitimate Windows processes to evade detection. Malicious Excel (.xls) files were also used to spread the Ursnif banking Trojan to Italian-speaking businesses and public sector organizations through a malicious spam campaign, with attackers posing as Italian courier service BRT. New campaigns spreading Emotet malware are now using Excel instead of JavaScript or Word files too.”
Other key findings in the report include:
13% of email malware isolated had bypassed at least one email gateway scanner.
Threats used 136 different file extensions in their attempts to infect organizations.
77% of malware detected was delivered via email, while web downloads were responsible for 13%.
The most common attachments used to deliver malware were documents (29%), archives (28%), executables (21%), spreadsheets (20%).
The most common phishing lures were related to the New Year or business transactions such as “Order”, “2021/2022”, “Payment”, “Purchase”, “Request” and “Invoice”.
Alex Holland, senior malware analyst, HP Wolf Security threat research team, HP Inc, said: “Abusing legitimate features in software to hide from detection tools is a common tactic for attackers, as is using uncommon file types that may be allowed past email gateways. Security teams need to ensure they are not relying on detection alone and that they are keeping up with the latest threats and updating their defenses accordingly. For example, based on the spike in malicious .xll sightings we are seeing, I’d urge network administrators to configure email gateways to block incoming .xll attachments, only permit add-ins signed by trusted partners or disable Excel add-ins entirely.
“Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe.”
The findings are based on data from millions of endpoints running HP Wolf Security. HP Wolf Security tracks malware by opening risky tasks in isolated, micro Virtual Machines (micro-VMs) to understand and capture the full infection chain, helping to mitigate threats that have slipped past other security tools.
https://threatresearch.ext.hp.com/hp-wolf-security-threat-insights-report-q4-2021/
