Significantly more advanced persistent threat groups and malware families have adopted Excel XLL files as an initial infection vector since the Dridex and Formbook commodity malware families took up the technique last year, reports The Register. China-linked threat operation APT10, also known as Potassium, Chessmaster or menuPass, has leveraged XLLs to facilitate Anel Backdoor malware injection, a Cisco Talos report showed. XLLs have also been used by the Stone Panda operation, also known as TA410 or Cicada, as well as by the DoNot APT group and the Russian cybercrime operation FIN7. With most users disregarding the warnings Excel displays before loading the files, more XLL-based malware attacks are expected in the coming year. "As more and more users adopt new versions of Microsoft Office, it is likely that threat actors will turn away from VBA-based malicious documents to other formats such as XLLs or rely on exploiting newly discovered vulnerabilities to launch malicious code in the process space of Office applications," wrote Cisco Talos researcher Vanja Svajcer.