Excel XLL addins abused for malware installation

Here is another security topic: attacks via Excel XLL add-ins. This attack method has been known since July 2021 and is used by malware groups. I just came across a case where this approach was used to install the RedLine malware that stole passwords.


What are XLL files?

Files with the XLL extension are Excel add-ins that make third-party tools and functions available in Microsoft Excel. You can think of an XLL as a DLL file that can only be used in Excel. XLL files can be opened in Excel via File -> Options as an add-in. Since they are binary files, they can also contain malicious functions, which are then executed via the Excel integration. Excel asks whether it is allowed to execute the add-in file. If the user agrees, the XLL file, or the code in it, can do everything that a DLL file can do.

XLL files abused in malware attacks

The Excel XLL add-in approach provides great functionality, but it can also be abused to deliver malware. On July 8, 2021, Brad Duncan of the Internet Storm Center warned of this danger in the post "Hancitor tries XLL as initial malware file". A victim received a link in a malware spam campaign that allowed him to download a malicious XLL file. The Hancitor malware, which has been active since 2013, attempted to download the Cobalt Strike malware via the XLL file (see the following image).

[Image: Hancitor infection scheme]

The only remedy for administrators is to block XLL attachments in mail and to block the loading of XLL files in Office. This article outlines how to prevent XLL file loading in Office 97 by policy or FileOpenBlock registry entry. This Microsoft document says that XLL files are blocked automatically as attachments in Microsoft Outlook.

New campaign installs RedLine Trojan

Currently, the colleagues at Bleeping Computer report on a new campaign in which the RedLine password-stealing malware is spread via XLL files. Specifically, the cyber criminals send spam messages via website contact forms and discussion forums. The goal is to trick victims into downloading and installing the Excel XLL files. In the process, RedLine malware is distributed to steal passwords. Here are some of the lures used to get the XLL file to the victims:

Sell us advertising space on your site from $ 500
You can read our terms on the link below
*ttps://drive.google[.]com/file/d/xxx/view?usp=sharing

Thanks for using our app. Your payment has been approved.
You can see your payment report on the link below
*ttps://xxx[.]link/report.xll

In all approaches, a link to download an XLL file is provided. The user is then supposed to download the file and have it executed (installed) in Excel. The colleagues have roughly outlined what happens next: in the current case, a WGet downloader is started, which downloads the file JavaBridge32.exe, saves it in the user profile and registers it as an AutoRun entry in the registry. This causes RedLine to load every time the user logs in.
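The lures above deliver the XLL through a link rather than an attachment, so attachment blocking alone never sees the file. The following is an added example (not from the original post or from the Bleeping Computer report) of a filter for contact-form or mail text that finds links to .xll files even when they are defanged; the sample text and the example.test hosts are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Normal and defanged schemes: http(s), hxxp(s), *ttp(s).
URL_RE = re.compile(r'(?:h|\*)(?:tt|xx)ps?://[^\s<>"\']+', re.IGNORECASE)

def refang(url):
    """Undo common defanging so the URL can be parsed."""
    url = url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r'^(?:h|\*)(?:tt|xx)p', "http", url, flags=re.IGNORECASE)

def xll_links(text):
    """Return refanged URLs whose file name or query value ends in .xll."""
    hits = []
    for raw in URL_RE.findall(text):
        url = refang(raw.rstrip(".,;)"))
        try:
            parts = urlsplit(url)
        except ValueError:
            continue  # unparsable URL, leave it to other checks
        # Last path segment plus every query value; the extension check is
        # case-insensitive and sees through percent-encoding (%2Exll).
        names = [parts.path.rsplit("/", 1)[-1]]
        names += [value for _, value in parse_qsl(parts.query)]
        if any(unquote(n).strip().lower().endswith(".xll") for n in names):
            hits.append(url)
    return hits

# Constructed sample, modelled on the lure texts quoted above.
SAMPLE = """
You can read our terms on the link below
*ttps://drive.google[.]com/file/d/xxx/view?usp=sharing
You can see your payment report on the link below
*ttps://pay.example[.]test/report.xll
hxxp://cdn.example[.]test/Invoice.XLL?id=7
https://dl.example.test/get?file=terms%2Exll
https://ok.example.test/notes.xlsx
"""

if __name__ == "__main__":
    for link in xll_links(SAMPLE):
        print("XLL link:", link)
```

The file-share lure (the Google Drive link) is not flagged, because its URL carries no file name; a URL check like this complements, and does not replace, blocking XLL loading in Office.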


RedLine itself is first and foremost a Trojan that steals cookies, usernames, passwords and credit card details stored in web browsers, as well as FTP credentials and files from an infected device. However, RedLine is also capable of downloading and installing other malware. In addition, the malware can take screenshots of the active Windows screen.
