After Microsoft implemented, starting in July 2022, the blocking of Visual Basic for Applications (VBA) macros by default for Office files downloaded from the Internet, many attackers have revised their tactics and are experimenting with alternative ways of infection to deploy malware.

However, charged Office documents delivered via targeted phishing and social engineering remain one of the widely used entry points for advanced actors targeting RCE.

Such files traditionally encourage victims to enable macros to view seemingly harmless content, but in fact - to activate the covert execution of malware in the background.

According to Cisco Talos, APT and owners of common malware have increasingly started using Excel add-in files (.XLL) as the initial invasion vector. 

Microsoft describes XLL files as a type of Dynamic Link Library (DLL) file that can only be opened in Excel.

They can be sent by email, and even with the usual malware scanning measures, users can open them without knowing that they contain malicious code.

The researchers found that the threat actors use a combination of their own add-ons written in C++, as well as add-ons developed using the Excel-DNA tool.

This technique has been widely used since mid-2021 and is still in use.

However, the first publicly documented malicious use of XLL occurred in 2017, when APT10 (aka Stone Panda) used this method to inject a backdoor into memory through a process.

In addition, similar steps were taken by DoNot Team, FIN7.

Abuse of the XLL file format was used to distribute strains of malware Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Warzone RAT, which may indicate a new trend in the modern threat landscape.

Trustwave resellers note that in addition to XLL Excel add-ons, attackers also use Microsoft Publisher macros. The method, in particular, is implemented in the November update of Ekipa RAT.

As in other Microsoft office products, Publisher files can contain macros that will be executed when opening or closing a file, which makes them a very interesting initial attack vector.

At the same time, Microsoft's restrictions preventing the execution of macros in files downloaded from the Internet do not apply to Publisher.

Ekipa RAT is a great example of how attackers are constantly improving their methods in order to stay ahead of the protection measures taken by developers.

The creators of this malware monitor changes in the security industry and revise their tactics accordingly.