Though Microsoft has disabled macros by default in the Office suite, researchers have found ways to get past the restriction.

Cisco Talos found that once the restriction was implemented, cybercriminals increasingly used one particular workaround.

The group asserts that XLL files (as opposed to XLS and XLSX) are being used more often by fraudsters to spread malware on compromised computers.

A rising trend

According to the study authors, XLL files are “a form of dynamic link library (DLL) file that can only be read by Excel.” To rephrase, XLL files allow Microsoft Excel documents to include features from other programmes.

While the weaponization of XLL files isn’t new (it’s been suggested that the first examples were discovered as early as2017), their usage has dropped significantly since Microsoft blocked the execution of macros in files downloaded from the internet. Since 2021, however, more malware families have been using the new method.

Vanja Svajcer, an outreach researcher for Cisco Talos, stated in the study that “for quite some time after [mid-2017], the utilisation of XLL files is mainly occasional and it does not rise considerably until the end of2021,” when common malware families like Dridex and Formbook began utilising it.

There is an increasing trend of “advanced persistent threat actors” and “commodity malware families” employing XLLs as attack vectors.

The Chinese threat actor APT10 (AKA Potassium) is one of the organisations that uses XLL files; they did so in order to spread the Anel Backdoor. Cicada (also known as Stone Panda or TA410) is another gang that has been linked to APT10, DoNot, and Fin7 as having “loose ties.”

Threat actors have apparently been utilising XLL files to spread malware like Warzone RAT and Ducktail. The prevalence of such dangers is predicted to rise in the future, and businesses are cautioned to prepare themselves.