February 9, 2022

Beware of Cyberattacks via Excel Add-Ins

Cyberattacks are more prevalent than ever. Unfortunately, it is not a question of if an Atlanta business will have to deal with one, but when. Hackers continue to look for new ways to take advantage of organizations and often accomplish that through unsuspecting and unprepared users. While this most commonly occurs through email phishing or some other form of deception, it is now also taking place within business software. More specifically, there has been an alarming increase in the past few months in malware found within Excel add-ins. These useful additions provide professionals with the additional data management capabilities necessary to complete advanced analysis. Unfortunately, they also carry risks. In fact, many may not know how to recognize this new method of delivering malware or understand how easy it is to unknowingly install a virus. To help clients, prospects, and others, Wilson Lewis has provided a summary of the key details below.

Rise in Cyberattacks

“The threat of ransomware attacks, data breaches, or major IT outages worry companies even more than business and supply chain disruptions, natural disasters, or the COVID-19 pandemic, all of which have heavily affected firms in the past year.”

This Forbes article from January 2022 reported that attackers can gain access to 97 percent of company networks. Cyberattacks were at an all-time high in 2021, with education and research and healthcare topping the list of most targeted sectors.

Unfortunately, cyberattacks via Excel aren’t new. Existing Excel-based cyberattacks already include VBA and Excel4 macros, and Dynamic Data Exchange (DDE). VBA macro malware, once considered to be “more or less extinct,” used the added functionality of document macros in a Visual Basic for Applications (VBA) environment to deliver viruses. The virus was hidden in attachments and zip files, which were often named to entice people to open them.

Macros have been an easy tool for hackers because Excel files can be sent using phishing emails without detection. Why? The macros are embedded and lightweight, so many organizations’ normal cybersecurity protocols do not detect the threat. Legacy macros, or Excel4, have been used to bypass updated malware protection scans.

DDE attacks deliver malicious content directly into the spreadsheet – and then control it using Excel’s Power Query feature. DDE malware can be hard to detect.

Excel Add-Ins

Excel add-ins, filenames with the .xll extension, can accomplish several goals. According to Microsoft, Excel add-ins can:

  • Interact with Excel objects, read and write Excel data.
  • Extend functionality using web-based task pane or content pane
  • Add custom ribbon buttons or contextual menu items
  • Add custom functions
  • Provide richer interaction using the dialog window

Popular Excel add-ins are Power Pivot, Supermetrics, Power Query, a whole suite of accounting-related add-ins, and more.

Anyone with coding knowledge and familiarity with Excel can create a legitimate add-in. There are more than 2,000 of them in the market and verified add-ins can be found easily within an open spreadsheet. They’re not typically sent through email.

Cyberattacks Using Excel Add-Ins

A recent report found that cyberattacks via the .xll add-ins jumped almost 600 percent quarter to quarter at the end of 2021. These cyberattacks function similarly to other types of malware. They’re delivered via a phishing email most often related to a fake invoice, quote, payment reference, or shipping documents or orders.

Once the user clicks on an infected file, Excel opens and then prompts the user to install the malicious file. Users at that point don’t know they’re dealing with a virus, because the Excel document has been spoofed to look legitimate.

When Excel is opened, the fraudulent add-in automatically runs at startup. It’s easy to overlook because a quick pop-up box appears that only requires one click to activate. Then, once the add-in is enabled, the virus gains access to the computer. These are more dangerous than other types of cyberattacks because they don’t require the user to take any other steps, like disabling macros.

Seven malware families have been seen delivered as .xll files. They are:

  • Agent Tesla
  • BazaLoader
  • BitRAT
  • Dridex
  • Formbook
  • IcedID
  • Raccoon Stealer

This malware can create a secret back door entry point to the user’s compromised computer, which puts the network and other data at risk. Hackers can then watch computer activity, gain unauthorized access to restricted sites and files, steal information and/or money, and install other viruses.

Now there is another new Excel threat to look out for, a trojan malware campaign called QakBot. QakBot attacks are delivered via phishing emails containing a zip archive that holds a Microsoft Excel Binary Workbook (.xlsb) file.

How to Protect Against .XLL Attacks

Any type of attack puts a company, its employees, and its assets at risk. At best, it’s a few hours or days of downtime; at worst, it’s a totally compromised system, data breach, and/or ransom. Firewalls, patches, and other standard cybersecurity protections won’t be enough to protect against Excel add-in malware.

It is critical for organizations to train staff on known and potential cyber threats, how to recognize them, and what to do if suspicious activity is detected. Employee education can often be the best defense against phishing and malware attacks.
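Alongside training, IT staff can periodically review which add-ins Excel loads at startup. The script below is an added example, not from the original article or from Microsoft; it assumes the Office 16.0 registry layout (Office 2016/2019/Microsoft 365) and the default XLSTART folder locations, which are set in the $officeVersion and $startupDirs variables and may need adjusting.

```powershell
# Added example: enumerate Excel add-ins configured to load at startup and
# flag .xll entries for review. Run in the context of the user being checked.
$officeVersion = "16.0"   # assumption: Office 2016/2019/365 registry layout
$optionsKey = "HKCU:\Software\Microsoft\Office\$officeVersion\Excel\Options"
$findings = @()

# 1. Add-ins registered to open automatically are stored as values named
#    OPEN, OPEN1, OPEN2, ... under Excel\Options (an .xll appears as /R "path").
if (Test-Path $optionsKey) {
    $props = Get-ItemProperty -Path $optionsKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -match '^OPEN\d*$') {
            $findings += [pscustomobject]@{ Source = "Registry $($p.Name)"; Entry = $p.Value }
        }
    }
}

# 2. Any file placed in an XLSTART folder is also loaded every time Excel starts.
#    Paths are assumptions for a default per-user and Click-to-Run install.
$startupDirs = @(
    (Join-Path $env:APPDATA "Microsoft\Excel\XLSTART"),
    (Join-Path $env:ProgramFiles "Microsoft Office\root\Office16\XLSTART")
)
foreach ($dir in $startupDirs) {
    if (Test-Path $dir) {
        foreach ($file in Get-ChildItem -Path $dir -File) {
            $findings += [pscustomobject]@{ Source = "Folder $dir"; Entry = $file.FullName }
        }
    }
}

# 3. Report. Native .xll add-ins are marked REVIEW: confirm the publisher
#    signature and that the path is one IT deployed before leaving them enabled.
foreach ($f in $findings) {
    $flag = if ($f.Entry -match '\.xll') { "REVIEW (.xll)" } else { "info" }
    "{0,-14} {1,-32} {2}" -f $flag, $f.Source, $f.Entry
}
if ($findings.Count -eq 0) { "No startup add-ins or XLSTART files found." }
```

Any REVIEW line whose path is unfamiliar, sits in a user-writable folder such as Downloads or Temp, or lacks a known publisher signature is worth escalating to IT before Excel is started again on that machine.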

Contact Us

The increasing complexity of attacks through Excel means users need to pay special attention when working within the program, especially when it comes to macros and add-ins. If you have questions about the information outlined above or need assistance with an accounting, tax, or assurance need, Wilson Lewis can help. For additional information call us at 770-476-1004 or click here to contact us. We look forward to speaking with you soon.

Erin Carter, CPA, CA, CFE, MBA
