Although Microsoft Excel has long been the go-to program for distributing malware among professionals, a new campaign discovered by experts at HP Wolf Security has taken it a step further. Based on an analysis of data from “the many millions of endpoints running HP Wolf Security”, the last 12 months has seen a 588% increase in the use of Excel add-ins (.xll) to distribute malware.
The researchers are saying this technique is particularly dangerous because the victims only need one click to compromise their endpoints.
Adverts for an .xll dropper and malware builder have also started popping up on underground markets, the report further claims, which make it easy for low-level attackers to launch campaigns with devastating consequences.
To distribute the malware, some attackers resorted to a particularly sneaky method – hijacking ongoing email threads. After compromising an email account, these won’t simply send out a new email to the contact list – they’ll just share a malicious Excel file in an already ongoing email thread, significantly improving the chances of success.
Italians under attack
Furthermore, Excel files were also used in the recent distribution of the Ursnif banking Trojan among Italian-speaking users.
To make sure their premises stay secure, IT teams should refrain from relying exclusively on detection and antivirus solutions, warns Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.
“Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe.”