American computer hardware company, HP Inc., has revealed how cybercriminals use malicious Microsoft Excel plug-ins to target vulnerable individuals online to perpetrate cybercrime.
The tech giant in a statement on Friday said that the insights report provides analysis of real world cybersecurity attacks by isolating threats that have evaded detection tools and made it to user endpoints.
It said that the HP Wolf Security threat research team identified a wave of attacks utilizing Excel add-in files to spread malware, helping attackers to gain access to targets, and exposing businesses and individuals to data theft and destructive ransomware attacks.
“In our research, there was a huge six-fold increase (+588%) in attackers using malicious Microsoft Excel add-in (.xll) files to infect systems compared to last quarter, a technique found to be particularly dangerous as it only requires one click to run the malware.
“The team also found adverts for Microsoft Excel add-in dropper and malware builder kits on underground markets, which make it easier for inexperienced attackers to launch campaigns,” it said.
According to the report, a recent QakBot. (a prevalent information-stealing malware) spam campaign used excel files to trick targets, using compromised email accounts to hijack email threads and reply with an attached malicious excel (.xlsb) file.
It said that after being delivered to systems, qakbot injects itself into legitimate Windows processes to evade detection.
HP noted that Malicious Excel (.xls) files were also used to spread the Ursnif banking Trojan (Virus) to Italian-speaking businesses and public sector organisations through a malicious spam campaign, with attackers posing as Italian courier service BRT.
“Other notable threats isolated by the HP Wolf Security threat insight team include, the return of TA505.
“HP identified a MirrorBlast email phishing campaign sharing many tactics, techniques, and procedures (TTPs) with TA505, a financially motivated threat group known for massive malware spam campaigns and monetizing access to infected systems using ransomware.
“The attack targeted organisations with the FlawedGrace Remote Access Trojan (RAT),” it said.
HP said others were fake gaming platform infecting victims with RedLine, a spoofed discord installer website tricking visitors into downloading the RedLine infostealer and stealing their credentials.