Excel Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/excel/
Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe.
Tue, 03 Jan 2023 11:14:58 +0000

Hackers Use Excel Add-Ins as Initial Penetration Vector
https://gridinsoft.com/blogs/hackers-use-excel-add-ins/
Tue, 03 Jan 2023 11:14:58 +0000

Cisco Talos analysts say that hackers are now using Excel add-ins to infiltrate victims’ systems and networks.

After Microsoft began blocking VBA macros in Office documents downloaded from the Internet (those carrying the Mark of the Web), attackers had to rethink their attack chains: for example, hackers are now increasingly using Excel add-in files (.XLL) as an initial compromise vector.

According to experts, Office documents distributed through phishing emails and other social engineering remain one of the most popular attack vectors. Such documents traditionally prompt victims to enable macros in order to view supposedly harmless content, which in fact triggers hidden malware execution in the background.

To address these abuses, earlier this year Microsoft began blocking VBA macros in Office documents downloaded from the Internet. Although the company admitted that it received negative feedback from users and was even forced to temporarily reverse the decision, the blocking of VBA macros was ultimately reinstated.

We also wrote that hackers use the .NET library EPPlus for creating malicious Excel files, and that a weak block cipher in Microsoft Office 365 leads to message content disclosure.

Although the blocking only applies to the latest versions of Access, Excel, PowerPoint, Visio, and Word, attackers have begun experimenting with alternative ways to infect systems and deploy malware. One such “innovation” is the use of XLL files, which Microsoft describes as “a kind of DLL file that can only be opened in Excel,” the researchers report.

“XLL files can be sent via email, and even with normal malware scanning mechanisms in place, users can open them without knowing that such files may contain malicious code,” writes Cisco Talos.

Although Excel warns about the potential dangers of XLLs, these warnings are usually overlooked by users.

According to experts, hackers use add-ins written natively in C++ alongside add-ins developed with the free tool Excel-DNA. The first such experiments were noticed a few years ago, but in 2021-2022 these attacks grew much more active.

The researchers write that XLL files are already being abused by the Chinese hacking groups APT10 and TA410 (which started back in 2017), the Russian-speaking group FIN7 (which began using add-in files in its campaigns last summer), the well-known Dridex and FormBook loaders, and other major malware families, including AgentTesla, STOP ransomware, Vidar, Buer Loader, Nanocore, IcedID, Arkei, AsyncRat, and BazarLoader.

“As more and more users migrate to new versions of Microsoft Office, it is likely that in the future hackers will move away from malicious VBA documents to other formats (such as XLL), or rely on exploiting newly discovered vulnerabilities to run malicious code in the Office application space,” the analysts summarize.

Microsoft patches 117 vulnerabilities, including 9 zero-day vulnerabilities
https://gridinsoft.com/blogs/microsoft-patches-117-vulnerabilities/
Wed, 14 Jul 2021 13:54:04 +0000

As part of July Patch Tuesday, Microsoft released patches for 117 vulnerabilities, 13 of which were classified as critical. That makes the July set of patches twice as large as the May and June Patch Tuesdays combined.

This time, bugs were fixed in products such as Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows kernel, Windows SMB, and so on.

44 of the vulnerabilities allow remote code execution, 32 privilege escalation, 14 information disclosure, 12 denial of service, 8 allow bypassing various security features, and another 7 enable spoofing.

In addition, this month the company fixed nine zero-day vulnerabilities at once, four of which have already been exploited in attacks. The following zero-day issues have been fixed but are not yet known to have been exploited:

  • CVE-2021-34492: Certificate forgery vulnerability in Windows;
  • CVE-2021-34523: Privilege escalation vulnerability in Microsoft Exchange Server;
  • CVE-2021-34473: Remote Code Execution Vulnerability in Microsoft Exchange Server;
  • CVE-2021-33779: Windows ADFS Bypass Vulnerability;
  • CVE-2021-33781: Active Directory bypass vulnerability.

As for the bugs that hackers have already adopted, one of them is the PrintNightmare problem (CVE-2021-34527), which I described in detail earlier.

By the way, I also reported that Microsoft declares that the PrintNightmare patch works correctly.

The other three vulnerabilities under attack, which were not previously known, are:

  • CVE-2021-33771: Windows Kernel Privilege Elevation Vulnerability;
  • CVE-2021-34448: Scripting engine memory corruption vulnerability;
  • CVE-2021-31979: A privilege escalation vulnerability in the Windows kernel.

Along with Microsoft, other companies have released updates to their products this week.

Patches released:

Let me remind you that a month ago Microsoft also fixed six 0-day vulnerabilities in Windows, including a commercial exploit issue.

Hackers use .NET library for creating malicious Excel files
https://gridinsoft.com/blogs/hackers-use-net-library-for-creating-malicious-excel-files/
Mon, 07 Sep 2020 16:34:39 +0000

Researchers at NVISO Labs noticed that the Epic Manchego group uses unusual Excel files in its attacks, created specifically to bypass defense mechanisms. These files are not created with Microsoft Office: the hackers use the .NET library EPPlus instead.

Typically, this library is used by application developers, for example, to add features such as “Export to Excel” or “Save as Spreadsheet”. The library can be used to create files in a wide variety of formats and supports Excel 2019.

“Hackers seem to be using EPPlus to create spreadsheets in Office Open XML (OOXML) format. The files produced by Epic Manchego are missing some of the VBA code typical of Excel documents compiled in official Microsoft Office,” the experts write.

It turned out that some antivirus products and email scanners treat this part of the VBA code as one possible sign of a suspicious Excel file, because it is usually where malicious code is stored. As a result, Epic Manchego’s files are much less likely to be detected by security solutions than other malicious Excel files.

Of course, this does not mean that Epic Manchego files are harmless. Although the files work correctly like any other Excel document, experts explain that the cybercriminals store malware in them using a custom VBA code format, which is also password-protected so that security systems and security analysts cannot analyze the content.

Analysts point out that using EPPlus not only helped Epic Manchego but also hurt the group: experts were able to uncover numerous past operations of the group simply by searching for unusual Excel files. As a result, more than 200 files related to Epic Manchego were discovered, the earliest dating back to June 22 of this year.

As you might guess, such malicious documents contain a macro script that delivers malware. If the victim opens the Excel file and allows the script to run, the macros download and install malware on their machine.

The payloads in this case are classic infostealer Trojans such as Azorult, AgentTesla, Formbook, Matiex and njRat, which steal passwords from browsers, mail and FTP clients and send them to Epic Manchego servers.

It is worth noting that NVISO Labs experts were, in general, not surprised that the hacking group was using EPPlus for attacks. They write:

“We have been familiar with this .NET library for a long time, as we have been using it for several years to create malicious documents for our red team and pentesters.”

Not only Excel users are under attack: I recently wrote that hackers use a malicious plugin for 3ds Max in attacks, and that hackers even force users to solve CAPTCHAs.
