Trojan operators are once again using XLL, sending from compromised accounts to bypass protection

Lord777

In recent months, the HP Wolf Security team has recorded an increase in Trojans distributed as XLL files. To bypass the default blocking of such downloads introduced by Microsoft, attackers send their emails from compromised accounts.

In the third quarter of 2023, 80% of malware, according to HP Wolf, was distributed by email. Macro-enabled Excel add-in files (.xlam) were again used for delivery; in the list of extensions popular with cybercriminals, such threats rose to 7th place from the 46th place they occupied at the end of the second quarter.

One of these email campaigns was identified in July; it was aimed at distributing the Parallax RAT Trojan. The fake emails were sent from real but hacked accounts, which made it possible to bypass reputation filters and the default blocking of untrusted XLLs introduced by Microsoft.

The malicious attachments were disguised as a scanned invoice. When the file is opened, Excel automatically calls the xlAutoOpen function; in this case, that runs the malicious code.

That code first loads various system libraries and resolves their functions at run time to make static analysis more difficult. After that, two threads are started (XLL supports multithreading).

The first thread creates a folder in C:\ProgramData whose name is a GUID and writes lum.exe into it. A new registry key is created, and then the malicious lum.exe is launched.

The second thread is designed to reinforce the illusion of legitimacy. It writes a decoy invoice file to disk (actually a template taken from a legitimate site) and opens it in Excel using ShellExecuteW.

The malware is unpacked in memory and loaded using the process hollowing technique. To persist on the system, the Trojan is registered for autorun.
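The chain above leaves two observable traces on the endpoint: Excel spawning an executable from a GUID-named folder under C:\ProgramData, and the Excel process writing an autorun entry. The following is an added detection example, not code from HP Wolf or from the original post; the events are constructed, and the Run key location is an assumption, since the post only says the Trojan is registered for autorun.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry), shaped like a minimal
# Sysmon-style export; only the fields the two rules need are kept.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\ProgramData\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}\lum.exe"},
    {"type": "RegistryValueSet",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "target": r"HKU\S-1-5-21-1-1-1-1001\Software\Microsoft\Windows\CurrentVersion\Run\lum"},
    {"type": "ProcessCreate",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
]

GUID = r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?"
# C:\ProgramData\<GUID>\<name>.exe, the drop location described for lum.exe
PROGRAMDATA_GUID_EXE = re.compile(
    r"^c:\\programdata\\" + GUID + r"\\[^\\]+\.exe$", re.IGNORECASE)
# Assumed autorun location (Run / RunOnce); the post does not name the key
RUN_KEY = re.compile(
    r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.IGNORECASE)

def is_excel(path):
    """True when the given image path is the Excel process."""
    return path is not None and PureWindowsPath(path).name.lower() == "excel.exe"

def classify(event):
    """Return an alert name for a suspicious event, or None if it looks benign."""
    kind = event.get("type")
    if kind == "ProcessCreate" and is_excel(event.get("parent")) \
            and PROGRAMDATA_GUID_EXE.match(event.get("image", "")):
        return "excel-spawned-exe-from-programdata-guid-folder"
    if kind == "RegistryValueSet" and is_excel(event.get("image")) \
            and RUN_KEY.search(event.get("target", "")):
        return "excel-wrote-autorun-registry-value"
    return None

def scan(events):
    """Run both rules over a list of events; return (alert, event) pairs."""
    return [(classify(ev), ev) for ev in events if classify(ev)]

if __name__ == "__main__":
    for alert, ev in scan(SAMPLE_EVENTS):
        print(alert, ev.get("image") or ev.get("target"))
```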

The main purpose of Parallax RAT is to provide remote access to the infected system. It can also steal credentials, transfer files, and send data to an external server.

Attackers have previously used XLL to deliver malware, for example the operators of Dridex, Agent Tesla, and the infostealers Formbook, RedLine and Raccoon. At the beginning of the year, Microsoft turned on blocking of XLL downloads from untrusted sources by default to prevent abuse, and the vector lost popularity in criminal circles; as it turned out, for only six months.