HP found a huge quarter-to-quarter increase (+588%) in attackers using malicious Excel add-in (.xll) files to infect systems.
This technique is particularly dangerous because running the malware requires just one click.
The HP team also found ads for .xll dropper and malware builder kits on underground markets. These kits make it easier for inexperienced attackers to launch campaigns.
HP also identified a recent QakBot spam campaign that used Excel files to trick targets. The campaign used compromised email accounts to hijack email threads and reply with an attached malicious Excel (.xlsb) file. After being delivered to systems, QakBot injects itself into legitimate Windows processes to evade detection.
HP has also seen malicious Excel (.xls) files being used to spread the Ursnif banking Trojan to Italian-speaking businesses and public-sector organizations through a malicious spam campaign. In a creepy move, the attackers posed as employees of an Italian courier service, BRT.
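For mail-gateway triage of the three attachment types named above (.xll, .xlsb, .xls), the following is an added example and not code from HP's report. It classifies each attachment by its leading bytes rather than its name, and treats workbooks arriving in a reply thread more strictly. The function names, verdict labels and sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the container formats behind the Excel types named above.
MAGIC = {
    b"MZ": "pe",                                   # .xll add-ins are Windows DLLs
    b"PK\x03\x04": "zip",                          # .xlsb is a ZIP-based workbook
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2",   # legacy .xls compound file
}
EXPECTED = {".xll": "pe", ".xlsb": "zip", ".xls": "ole2"}

def container(data):
    """Name the container format from the first bytes of the attachment."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def triage(raw):
    """Return (filename, verdict) for every attachment in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        kind = container(part.get_payload(decode=True) or b"")
        if kind == "pe":                      # executable, whatever the name says
            verdict = "block: executable content"
        elif ext in EXPECTED and kind != EXPECTED[ext]:
            verdict = "block: extension/content mismatch"
        elif ext in EXPECTED:                 # genuine workbook; replies get stricter handling
            verdict = "quarantine: workbook in reply thread" if is_reply else "sandbox"
        else:
            verdict = "pass"
        findings.append((name, verdict))
    return findings

def sample(reply=True):
    """Constructed message: a PE file named .xls, a ZIP-based .xlsb, a text file."""
    m = EmailMessage()
    m["Subject"] = "Re: invoice"
    if reply:
        m["In-Reply-To"] = "<constructed-1@example.test>"
    m.set_content("Please see attached.")
    for fname, body in [("Report.XLS", b"MZ\x90\x00"), ("scan.xlsb", b"PK\x03\x04"), ("notes.txt", b"hello")]:
        m.add_attachment(body + b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=fname)
    return m.as_bytes()

if __name__ == "__main__":
    for item in triage(sample()):
        print(item)
```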