This sneaky Microsoft Excel malware could put your organization at risk of attack

Someone using Excel on a Laptop.
(Image credit: Microsoft)

Although Microsoft Excel has long been the go-to program for distributing malware among professionals, a new campaign discovered by experts at HP Wolf Security has taken it a step further.

Based on an analysis of data from “the many millions of endpoints running HP Wolf Security”, the last 12 months has seen a 588% increase in the use of Excel add-ins (.xll) to distribute malware

The researchers are saying this technique is particularly dangerous because the victims only need one click to compromise their endpoints.

Clear availability

Adverts for an .xll dropper and malware builder have also started popping up on underground markets, the report further claims, which make it easy for low-level attackers to launch campaigns with devastating consequences.

To distribute the malware, some attackers resorted to a particularly sneaky method - hijacking ongoing email threads. After compromising an email account, these won’t simply send out a new email to the contact list - they’ll just share a malicious Excel file in an already ongoing email thread, significantly improving the chances of success. 

Italians under attack

Furthermore, Excel files were also used in the recent distribution of the Ursnif banking Trojan among Italian-speaking users. 

In this campaign, the attackers took on the identity of the Italian courier service BRT. What’s more - new campaigns have been spotted, spreading Emotet through Excel, rather than JavaScript or Word. 

To make sure their premises stay secure, IT teams should refrain from relying exclusively on detection and antivirus solutions, warns Alex Holland, Senior Malware Analyst, HP Wolf Security threat research team, HP Inc.

“Attackers are continually innovating to find new techniques to evade detection, so it’s vital that enterprises plan and adjust their defenses based on the threat landscape and the business needs of their users. Threat actors have invested in techniques such as email thread hijacking, making it harder than ever for users to tell friend from foe.”

  • You might also want to check out our list of the best firewalls right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.