XLL Files Increasingly Getting Abused by Attackers

Use of malicious add-ins

• To automatically launch code, attackers use Office documents implementing one or more event handling functions; AutoClose, AutoOpen, Document_Close, and Document_Open for Word. For Excel,  Workbook_Close, Worbook_Open, and Auto_Open, Auto_Close.
• These functions are called when a document is opened or closed or an Office application fired an event handled by one of the functions.
• Further, the malware’s auto-start functions allow the launch of malicious macro code with minimal user interaction.

Evolution of XLL attacks

• The first XLL payload was found on the VirusTotal platform in July 2017, which launched calc.exe. This could be considered as a usual testing method or a POC.
• The second sample, submitted in the same month, launched a Meterpreter reverse shell. That may have been used for malicious intent or penetration testing. After that, XLL files appeared occasionally.
• There was no significant count of XLL-based attacks until the end of 2021 when malware families such as FormBook and Dridex started using it.

Threat actors using the XLL files

• FIN7, an infamous cybercrime threat actor, started using XLL files as attachments in email campaigns early this year. When these files are executed, they work as a downloader for the next stage of infection.
• In the middle of this year, the Emotet botnet was observed delivering XLL files in the ZIP archives, allowing the dropping and execution of the Emotet payload.
• The DoNot team targeting Kashmiri NPOs and Pakistani government officials used an XLL file loaded with two exports, the first one pdteong, and the second xlAutoOpen, which was a native XLL-based functional payload.
• Another threat actor, dubbed TA410, known for targeting U.S. utilities and diplomatic organizations, used a toolkit that contained an XLL stage spotted in 2020.
• In December 2017, a file using XLL to inject malware exclusive to APT10 named Anel was spotted.

Conclusion