Post-Macro Office Malware
Nicholas Carroll
IT and Cybersecurity Professional, Tech Educator, Former CISO and CTO, Current Cyber Threat Intelligence Researcher
Microsoft is moving to disable macros by default in Office as a response to the ongoing threat of macro-based malware. This could be great news for organizations fighting the scourge of ransomware.
But we can't expect malware developers and providers not to adapt to these changes, and we may already be seeing the rise of the next Office-based malware vector as a response. Multiple security research teams have seen a sharp rise in XLL and similar malware over calendar Q4 2021 and into 2022.
This has been known as a potential attack vector for many years, and advanced malware developers would occasionally use it, but its use was far less common because macros worked so well for the majority of malware writers. XLL files, and related files such as WLL, are executable DLLs for Office that extend the default capabilities of applications such as Excel or Word through add-ins. These files can have their file type set to a standard .xls or .doc to make them seem more convincing to end users, but opening them will cause the Office application to attempt to load whatever executable code has been provided, malicious or not. Generally speaking, users should still get a security notice pop-up by default before the code executes. This makes a good training item: remind users not to continue interacting with an Office file that prompts them with a security warning that looks similar to...
XLL and similar files have seen recent use by Fin7, AgentTesla, Redline Stealer, and other malware families. In fact, XLL droppers are for sale on multiple dark web marketplaces, so adoption of this tactic will most likely spread even further.
We can see a demonstration of XLL malware in action thanks to this malware seller's YouTube channel (unless this video gets taken down).
So What Now?
If you want to protect your organization from this trend, there are a few things to consider.
1. User Education
Continue to focus on training users on the dangers of Office and related files received via email or downloaded from third-parties, especially documents that ask for any kind of permissions or generate any security notice like the one shown earlier in this article. Users should know what to do when presented with these situations in order to have the best outcome.
2. Technical Controls
Make sure your technical controls are in place and up to the task of defending against these concerns. Mail and web filters should be configured to quarantine and/or alert on Office files that could carry executable content, such as XLL, WLL and PPTM files or documents containing DDE. Better still, use a tool that can sandbox and check incoming attachments for malicious code before they are delivered to the end user. You may also want to restrict execution of these file types via Group Policy, AppLocker, Windows 10 Attack Surface Reduction rules, or a similar tool set.
3. Monitor for Indicators of Attack (or Block)
Configure the appropriate monitoring and/or blocking rules in your security tools to match the adversary techniques used in these attacks. MITRE ATT&CK has a great starting point for network defenders in T1137.006...
Besides reviewing the details on T1137.006, check whether matching rules already exist for your monitoring/security appliances. For example, some existing Sigma rules could help inform monitoring in your environment and make a great starting point for network defenders to review and expand upon.
Sigma Rule Example 1: Microsoft Office Add-In Loading
Sigma Rule Example 2: Code Executed Via Office Add-in XLL File
Sigma Rule Example 3: Suspicious Rundll32 Activity
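To make the monitoring point concrete, here is an added example (not code from this post or from the Sigma project) that applies detection logic in the spirit of the three rule themes above to constructed Sysmon-style events: an Office process loading an XLL/WLL from outside the Office install or without a signature, an Office process spawning a shell or LOLBin, and rundll32 being handed an add-in file. The field names follow Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate); all paths, the "Signed" values and the command lines are constructed samples.

```python
# Processes and add-in extensions the detection logic cares about.
OFFICE_PROCESSES = {"excel.exe", "winword.exe", "powerpnt.exe"}
ADDIN_EXTENSIONS = (".xll", ".wll")
TRUSTED_PREFIXES = (r"c:\program files\microsoft office",
                    r"c:\program files (x86)\microsoft office")
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}

# Constructed Sysmon-style events: EventID 7 = ImageLoad, EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL",
     "Signed": "true"},                                     # benign, shipped with Office
    {"EventID": 7, "Image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice_2022.xll", "Signed": "false"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\report.xll,xlAutoOpen"},
]

def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def office_loaded_untrusted_addin(ev: dict) -> bool:
    """Office loaded an XLL/WLL from outside the Office install, or one that is unsigned."""
    if ev.get("EventID") != 7 or _base(ev.get("Image", "")) not in OFFICE_PROCESSES:
        return False
    loaded = ev.get("ImageLoaded", "").lower()
    if not loaded.endswith(ADDIN_EXTENSIONS):
        return False
    return not loaded.startswith(TRUSTED_PREFIXES) or ev.get("Signed", "false").lower() != "true"

def office_spawned_suspicious_child(ev: dict) -> bool:
    """Office started a shell or LOLBin, the usual sign of add-in code running."""
    return (ev.get("EventID") == 1 and _base(ev.get("ParentImage", "")) in OFFICE_PROCESSES
            and _base(ev.get("Image", "")) in SUSPICIOUS_CHILDREN)

def rundll32_with_addin(ev: dict) -> bool:
    """rundll32 was asked to run an XLL/WLL directly, outside of Office."""
    return (ev.get("EventID") == 1 and _base(ev.get("Image", "")) == "rundll32.exe"
            and any(ext in ev.get("CommandLine", "").lower() for ext in ADDIN_EXTENSIONS))

RULES = {"office_addin_untrusted": office_loaded_untrusted_addin,
         "office_suspicious_child": office_spawned_suspicious_child,
         "rundll32_addin": rundll32_with_addin}

def triage(events: list) -> list:
    """Return (event index, rule name) pairs for every event that matches a rule."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES.items() if rule(ev)]
```

Running `triage(SAMPLE_EVENTS)` flags events 1, 2 and 3 and leaves the signed, Office-shipped add-in alone; in production the trusted-path list and the child-process set are the knobs to tune against your own baseline.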
With the appropriate steps applied now, your organization will be well prepared to handle these threats as attackers continue to adapt and expand upon these growing techniques.