[Nulled] » Information security » After Microsoft implemented, starting in July 2022,
January 16 2023

After Microsoft implemented, starting in July 2022,

web3 16-01-2023, 12:01 Information security 173

After Microsoft implemented, starting in July 2022, the blocking of Visual Basic for Applications (VBA) macros by default for Office files downloaded from the Internet, many attackers have revised their tactics and are experimenting with alternative ways of infection to deploy malware.

However, charged Office documents delivered via targeted phishing and social engineering remain one of the widely used entry points for advanced actors targeting RCE.

Such files traditionally encourage victims to enable macros to view seemingly harmless content, but in fact - to activate the covert execution of malware in the background.

According to Cisco Talos, APT and owners of common malware have increasingly started using Excel add-in files (.XLL) as the initial invasion vector. 

Microsoft describes XLL files as a type of Dynamic Link Library (DLL) file that can only be opened in Excel.

They can be sent by email, and even with the usual malware scanning measures, users can open them without knowing that they contain malicious code.

The researchers found that the threat actors use a combination of their own add-ons written in C++, as well as add-ons developed using the Excel-DNA tool.

This technique has been widely used since mid-2021 and is still in use.

However, the first publicly documented malicious use of XLL occurred in 2017, when APT10 (aka Stone Panda) used this method to inject a backdoor into memory through a process.

In addition, similar steps were taken by DoNot Team, FIN7.

Abuse of the XLL file format was used to distribute strains of malware Agent Tesla, Arkei, Buer, Dridex, Ducktail, Ekipa RAT, FormBook, IcedID, Vidar Stealer and Warzone RAT, which may indicate a new trend in the modern threat landscape.

Trustwave resellers note that in addition to XLL Excel add-ons, attackers also use Microsoft Publisher macros. The method, in particular, is implemented in the November update of Ekipa RAT.

As in other Microsoft office products, Publisher files can contain macros that will be executed when opening or closing a file, which makes them a very interesting initial attack vector.

At the same time, Microsoft's restrictions preventing the execution of macros in files downloaded from the Internet do not apply to Publisher.

Ekipa RAT is a great example of how attackers are constantly improving their methods in order to stay ahead of the protection measures taken by developers.

The creators of this malware monitor changes in the security industry and revise their tactics accordingly.

Information

Visitors who are in the group Guests they can't download files.
Log in to the site under your login and password or if you are a new user go through the process registrations on the website.

Comments:

This publication has no comments yet. You can be the first!

Information the publication:

  • Author of the publication: web3
  • Date of publication: 16 January 2023 12:01
  • Publication category(s): Information security
  • Number of views of the publication: 173
  • Number of comments to the publication: 0

Related News

16 January 2023
Information security
Group-IB uncovered Dark

Group-IB uncovered Dark Pink APT, involved in attacks on government agencies and military facilities in the

Read more
15 January 2023
Information security
🔓 A free decryptor has

🔓 A free decryptor has appeared for the MegaCortex ransomware Bitdefender has released a tool for decrypting files

Read more
13 March 2022
Information security
Digital epidemics

Digital epidemics The first computer viruses appeared back in the 1970s. They were conceived as harmless and more

Read more
16 January 2023
Information security»,Protection and hacking»,DDOS
Let's go back to Zerobot

Let's go back to Zerobot, which was originally reported by Fortinet two weeks ago. The Internet of Things (IoT)

Read more
16 January 2023
Information security
Symantec researchers

Symantec researchers report details about the activities of a cybercrime group they track as Bluebottle, revealing

Read more

Information

Users of 🆅🅸🆂🅸🆃🅾🆁 are not allowed to comment this publication.

Site Search

Site Menu


☑ Websites Scripts

Calendar

«    December 2024    »
MonTueWedThuFriSatSun
 1
2345678
9101112131415
16171819202122
23242526272829
3031 

Advertisement

Survey on the website

Evaluate the work of the site
 

Statistics

  • +37 Total articles 6747
  • +17 Comments 4132
  • +29 Users : 5932