The bad guys have found a new – and quite successful – way to access your computer systems and networks with malware. This time they are using malicious Excel add-ins to get in.
Here’s how it works:
Users receive legitimate-looking emails with .XLL attachments or links. If the recipient double-clicks the attachment or link, they are prompted to install and activate the add-in. The malicious code most often lives in the xlAutoOpen function, so it runs immediately once the user clicks to activate the add-in. This method of attack is especially effective and dangerous because it only requires one click to activate the malware. Once clicked, the infected computer contacts a server that provides further instructions. Various results can occur, depending on where the .XLL file was generated. For example, some computers are immediately infected with malware such as RedLine or Ficker Stealer, which allows the bad guys to steal sensitive data from your computer, including login information, FTP client information, passwords, credit card information and more.
Here’s what you need to do to protect yourself:
- If possible, configure your email program to block inbound emails with .XLL attachments. This may already be a setting since .XLL files are not the type of file typically sent by email.
- If you can’t disable all add-ins because you depend on them for other business software that integrates with Office, make sure your Excel settings only allow add-ins from trusted sources.
- Set Excel to disable all proprietary add-ins.
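As an illustration of the first recommendation, the following is an added example (not part of the original post or any vendor's product) of a mail-gateway check that flags .XLL attachments. The function names, the sample messages and the second rule, which looks for a renamed add-in by content, are assumptions of this example.

```python
import email
from email import policy
from email.message import EmailMessage

XLL_EXPORT = b"xlAutoOpen"  # export name the post says usually holds the code


def xll_findings(raw_message):
    """Return (filename, reason) for each attachment that looks like an XLL."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip()
        payload = part.get_payload(decode=True) or b""
        # Rule 1: extension match, case-insensitive; trailing dots and spaces
        # are dropped because Windows strips them from file names.
        if name.lower().rstrip(". ").endswith(".xll"):
            findings.append((name, "xll-extension"))
        # Rule 2 (heuristic, an assumption of this example): a renamed add-in
        # is still a PE file ("MZ" magic) that carries the xlAutoOpen name.
        elif payload[:2] == b"MZ" and XLL_EXPORT in payload:
            findings.append((name or "<unnamed>", "pe-with-xlAutoOpen"))
    return findings


def should_block(raw_message):
    """Gateway decision: quarantine the message if any attachment is flagged."""
    return bool(xll_findings(raw_message))


def build_sample(filename, data):
    """Build a constructed test message with one attachment (not real mail)."""
    m = EmailMessage()
    m["From"] = "billing@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please see the attached invoice.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 64 + b"xlAutoOpen\x00"  # constructed bytes
    for fname, data in [("Invoice.XLL", fake_pe),
                        ("invoice.dat", fake_pe),
                        ("report.pdf", b"%PDF-1.7 constructed")]:
        print(fname, xll_findings(build_sample(fname, data)))
```

The content rule catches an add-in whose extension was changed before sending, which a filename-only filter would miss.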
How we are addressing this:
We recently rolled out SentinelOne to all our clients. It has several detection layers that in most cases will recognize the malware and warn the user to beware of the file. If the file is still downloaded, SentinelOne can roll back the device to its pre-infected state.
To learn more, you can access the report from HP here.