XLL Malware Distributed Through Email

Malware strains have been created and distributed in various forms and types. As such, the ASEC analysis team is actively monitoring and analyzing such changes to allow AhnLab products to detect them. This post will introduce XLL malware that was discovered being distributed last year.

XLL files are Microsoft Excel add-in files that operate with the extension .xll and can be opened by Excel. One thing to note is that the files are opened with MS Excel. This means users might mistake their forms as documents when they are actually DLL executables. The Excel files (.xlam and .xlsm) including the VBA macro that were previously introduced often are created with VBA, but the files discussed in this post are created with C programming language types. So while the form of the files is still DLL, the detailed configuration may change depending on the case that is compiled.

The XLL malware type was found to be distributed from July last year up till now. They are distributed through emails, and the malware that is ultimately executed varies, including info-stealer and ransomware.

Figure 1. Email with .xll attachments blocked (Outlook 2016)

Figure 2. Email with .xll attachments unblocked (Outlook 2016)

Figure 3. Email with .xll attachment (Outlook 2010)

As the latest version of Outlook blocks attachments of the file form mentioned in this post (see Figure 1), the block needs to be lifted to check the files (see Figure 2). Previous versions of Outlook allow you to check the attachments without prior adjustments (see Figure 3). Note that in a version that blocks the attachments, you have to manually change the registry as the block cannot be lifted in Outlook’s default settings. Microsoft is also recommending users rename the extensions of blocked attachments to use them.

Figure 4. File types blocked in Outlook

● Purchase Order 033.xll and Purchase Order 034.xll

The attachments ‘Purchase Order 033.xll’ and ‘Purchase Order 034.xll’ from Figures 1, 2, and 3 have the following features. First, as explained earlier, you can see the files’ form is DLL as shown in Figure 5. When the files are run (as .xll), they are opened with Microsoft Excel (see Figure 6). Clicking ‘Enable this add-in for this session only.’ will activate the behavior, while clicking ‘Leave this add-in disabled.’ will not activate the behavior. As such, you can click the right button to avoid the malware infection if you accidentally ran an unconfirmed XLL file.

Figure 5. Form of Purchase Order 034.xll

Figure 6. Purchase Order 034.xll executed

If you do not know the extension of the file, it might be difficult to know if the file is an XLL file by looking at its form since the executable has a DLL structure. However, XLL files have an Export function named ‘xlAutoOpen’. It is a callback function that needs to be configured in every XLL function. The function is required to run XLL.

As for ‘Purchase Order 033.xll’ and ‘Purchase Order 034.xll’, you can check the DLL that performs essential features if you extract the internal data with an XLL file compiled with an open-source program named ‘Excel-DNA.’ The DLL is created with .net.

Figure 7. xlAutoOpen Export function of XLL file

Figure 8. HFR04.dll (.net) internally extracted from Purchase Order 034.xll

Figure 9. Purchase Order 034.xll attempting to access the network

HFR04.dll inside Purchase Order 034.xll attempts to access the network (see Figure 9), downloading additional malware strains from the URL shown below. As it does not download any meaningful data from the URL, the team could not check the additional features. Yet looking at the XLL malware strains that were distributed since July last year shows that it will likely download ransomware and info-stealer types. The following samples show instances of such malware types being downloaded.

– hxxps://www.mcroller[.]com/express.exe

● Resume.xll

The file distributed with the name ‘Resume.xll’ was also compiled with Excel-DNA. Like the files introduced earlier, the internally extracted DLL is also a .net file. This file accesses the network to download additional malware. AhnLab’s internal record shows that ransomware was downloaded from the following URL.

– hxxp://104.161.34[.]171/library.exe

Figure 10. Resume.xll attempting to access the network

Figure 11. Carlos ransomware infection


The XLL file distributed with the name ‘MV SEAMELODY.xll’ acts as a downloader as well. This file also has its internal core DLL perform majors features. The following figure shows its code.

Figure 12. Code for DLL inside MV SEAMELODY.xll

– hxxp://103.89.30[.]10/intelpro/goa.exe

The file attempts to access the URL to download additional malware. The record shows that the file downloaded from the URL is Lokibot.

As you can see, now there is one more distribution method of Info-stealer and ransomware, the two malware types that take a significant portion of the recent malware distribution. Users should be cautious when they view attachments of suspicious emails. Furthermore, they must keep their anti-malware software updated to the latest version.

AhnLab V3 detects and blocks the malware strains using the aliases below.

[File Detection]

  • Downloader/Win.MalXll.R490565
  • Downloader/Win.MalXll.R466354
  • Trojan/Win.Agent.C5025449
  • Ransomware/Win.Carlos.C5025252

[IOC Info]

  • c181e7eaacbcfe010375a857460a76c6
  • 128ab502ed4f070abea44fd42b24f9d3
  • 1f24e9fa558c3394935c9b41ffad2034
  • 4685703aa9868c5f71da11422ccf30e8
  • d599aecaa32e0b0b41f4a688f85388c6
  • hxxps://www.mcroller[.]com/express.exe
  • hxxp://104.161.34[.]171/library.exe
  • hxxp://103.89.30[.]10/intelpro/goa.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
1 Comment
Inline Feedbacks
View all comments

[…] Source link […]