Cybercriminals are increasingly using XLL files (Excel add-ins) as an infection vector in their attacks. Attackers rely on several methods, such as event handling functions that launch XLL code automatically when a document is opened, as well as the exploitation of XLL file vulnerabilities, to target their victims.
Use of malicious add-ins
According to Cisco Talos researchers, attackers send malicious XLL files via email that go undetected by typical anti-malware scanning, which increases the chances of users opening them.
To launch code automatically, attackers use Office documents that implement one or more event handling functions: AutoClose, AutoOpen, Document_Close, and Document_Open for Word, and Workbook_Open, Workbook_Close, Auto_Open, and Auto_Close for Excel.
These functions are called when a document is opened or closed, or when the Office application fires an event that one of the functions handles.
Further, such auto-start functions allow malicious macro code to launch with minimal user interaction.
Evolution of XLL attacks
According to the report, XLL-based attacks have existed since at least 2017.
The first XLL payload was found on the VirusTotal platform in July 2017; it launched calc.exe, which suggests a routine test or a proof of concept (POC).
The second sample, submitted in the same month, launched a Meterpreter reverse shell, which may have been used for malicious purposes or for penetration testing. After that, XLL files appeared only occasionally.
There was no significant number of XLL-based attacks until the end of 2021, when malware families such as FormBook and Dridex started using them.
Threat actors using the XLL files
The report also details the use of XLL-based attacks by multiple threat groups to infect computers, going back as early as 2017.
FIN7, a notorious cybercrime threat actor, started using XLL files as attachments in email campaigns early this year. When executed, these files act as a downloader for the next stage of infection.
In the middle of this year, the Emotet botnet was observed delivering XLL files inside ZIP archives to drop and execute the Emotet payload.
The DoNot team, which targets Kashmiri NPOs and Pakistani government officials, used an XLL file carrying two exports: the first, pdteong, and the second, xlAutoOpen, which served as a native XLL-based functional payload.
Another threat actor, dubbed TA410, known for targeting U.S. utilities and diplomatic organizations, used a toolkit that contained an XLL stage spotted in 2020.
In December 2017, a file using XLL to inject Anel, a piece of malware exclusive to APT10, was spotted.
Additional threats spotted using the XLL files include Dridex, FormBook, AgentTesla, Lokibot, and Ducktail.
Conclusion
At present, the use of XLL files is not widespread in corporate environments; however, the threat still looms. Businesses that do not require XLL files should therefore block any attempt to execute them in their environment. Organizations that do allow XLL files must carefully monitor endpoints and servers to spot suspicious activity.
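One concrete form of the monitoring recommended above, added here as an example and not code from the Talos report or this article: a Python check that decides whether a file is an XLL by parsing its PE export table for the xlAutoOpen entry point instead of trusting the .xll extension. The build_test_dll helper and the export names it is fed (the pdteong/xlAutoOpen pair described for DoNot) are constructed test input; the parser itself follows the standard PE32/PE32+ layout.

```python
import struct

def _rva_to_offset(rva, sections):
    # Map a relative virtual address to a file offset using the section table.
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def exported_names(data):
    """Return the export-table names of a PE32 or PE32+ image held in `data`."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff, opt = pe + 4, pe + 24
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    data_dir = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)  # PE32+ / PE32
    exp_rva = struct.unpack_from("<I", data, data_dir)[0]               # directory entry 0: exports
    if exp_rva == 0:
        return []
    # 40-byte section headers; VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData sit at +8
    sections = [(va, vs, rp, rs) for vs, va, rs, rp in
                (struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(n_sections))]
    exp = _rva_to_offset(exp_rva, sections)
    n_names, _, names_rva = struct.unpack_from("<III", data, exp + 24)  # NumberOfNames, AddressOfNames
    names_off = _rva_to_offset(names_rva, sections) if n_names else 0
    names = []
    for i in range(n_names):
        off = _rva_to_offset(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
        names.append(data[off:data.index(b"\0", off)])
    return names

def is_xll(data):
    # Excel calls the exported xlAutoOpen when an add-in loads, so a DLL exporting it is an XLL
    # whatever extension the file carries; filtering on the .xll extension alone misses such files.
    return b"xlAutoOpen" in exported_names(data)

def build_test_dll(names):
    # Constructed test input only: a minimal, non-runnable PE32+ whose one section holds the exports.
    va, raw = 0x1000, 0x200
    table_rva, blob, rvas = va + 40, b"", []
    for n in names:
        rvas.append(table_rva + 4 * len(names) + len(blob))
        blob += n + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, len(names), len(names), 0, table_rva, 0)
    export_dir += b"".join(struct.pack("<I", r) for r in rvas) + blob
    section = b".edata\0\0" + struct.pack("<IIII", len(export_dir), va, len(export_dir), raw) + b"\0" * 16
    optional = struct.pack("<H", 0x20B) + b"\0" * 110 + struct.pack("<II", va, len(export_dir))
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(optional), 0x2022)
    header = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + optional + section
    return header.ljust(raw, b"\0") + export_dir
```

To scan real attachments, pass the file contents to is_xll; files that export xlAutoOpen but do not carry the .xll extension deserve the closest look.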