November 1, 2023 at 10:49AM
Cybercriminals are increasingly using macro-enabled Excel add-in (XLL) files in malware attacks, according to HP Wolf Security. XLL files are now the seventh most commonly abused file extension, offering attackers greater capabilities than other options. Attackers have been experimenting with different file types since Visual Basic for Applications (VBA) macros were blocked by default, and XLL files have become a popular choice. Microsoft has also recently blocked XLL attachments from untrusted locations by default. Recent RAT campaigns have demonstrated how attackers can bypass security measures and use XLL files to distribute malware.
According to new research from HP Wolf Security, cybercriminals are increasingly using macro-enabled Excel add-in (XLL) files in malware attacks. In Q3 2023, .xlam files became the seventh most commonly abused file extension, rising from 42nd place in Q2. XLL attacks offer attackers greater capabilities compared to alternatives like VBA macros, which are now blocked by default by Microsoft. XLL files extend Excel’s functionality and have been used in the past by malware developers. Attackers are using XLL files as malware droppers directly inside documents, bypassing the need to download payloads from the web. This highlights how attackers continue to evolve their tactics to distribute malware through seemingly benign Microsoft Office documents.