In mid-2022, the ASEC analysis team shared that malware with the XLL file format (file extension: .xll) was being distributed via email. The XLL file has a DLL form of a PE (Portable Executable) file but is executed with Microsoft Excel. Since then, this type of malware had not been distributed actively, but for the first time in a long while, we found that it was being distributed with the filename, ‘Resume.xll‘.
- Post from May 20th, 2022: XLL Malware Distributed Through Email
- Post from Nov 21st, 2022: LockBit Ransomware Being Mass-distributed With Similar Filenames
As mentioned in the previous blog posts, XLL files are Excel add-ins, and they can be executed through MS Excel. When ‘Resume.xll’ is opened, it is executed through Excel as shown below, and a security notice appears, allowing the user to select whether or not to enable the add-in. Clicking the Enable button activates the malicious features intended by the file.
Figure 1. Upon running Resume.xll
While this file is executed via Excel, it has the structural format of a DLL file and includes xlAutoOpen in the Export function. xlAutoOpen is a required callback function that must be actualized in all XLL files and is thus included by default. ‘Resume.xll’ is compiled with an open-source software named ‘Excel-DNA’ and contains a malicious DLL in .net format which performs the actual malicious behaviors and is compressed in the Resource area.
Figure 2. Files structure of Resume.xll
Figure 3. Resource area of Resume.xll
The filename of the malicious .net extracted from ‘Resume.xll’ is ‘ZFD06.dll’, which is the same as the name displayed in the Resource area in Figure 3. This filename was also found in the ‘__MAIN__.dna’ XML file which is found upon unpacking ‘Excel-DNA’.
Figure 4. Unpacked Resume.xll
Figure 5. Details of the ‘__MAIN__.dna’ XML file
The extracted file ZFD06.dll is the actual malicious file that carries out the malicious behaviors intended by the threat actor when ‘Resume.xll’ is opened. It is likely that this malicious .net DLL was crafted into an XLL form using the ‘Excel-DNA’ framework before being distributed.
Figure 6. Extracted ZFD06.dll .net file code
The purpose of this DLL is to download additional malware through PowerShell. Though it is currently unavailable for download, we identified that LockBit 2.0 ransomware was downloaded in the past.
Figure 7. Downloading additional files (using PowerShell)
- (LockBit 2.0 download URL) hxxps://transfer[.]sh/get/671Cix/123.exe
- (LockBit 2.0 save path) C:\Users\Public\yggi.exe
A hash showed that LockBit 2.0 was downloaded, and we also discovered that this ransomware was also being distributed by itself with the filename, ‘$Resume_221122(Experience details are included Thank you).exe‘. As seen in the blog post links shared above, we announced the distribution of LockBit 2.0 and 3.0 with filenames relating to ‘resumes.’ It seems that both the XLL file which acts as the parent downloader and the executable distributed alone are being actively distributed in various ways in disguise of ‘resumes.’
Recent malware is developed into various types to bypass detection and other features that inhibit its distribution. Users must refrain from opening attachments in emails or attachments sent through messenger programs from unknown senders and keep V3 updated in real-time. AhnLab’s anti-malware product, V3, detects and blocks the malware above using the aliases below.
[File Detection]
- Downloader/Win.Agent.C5313333 (2022.11.25.00)
- Ransomware/Win.LockBit.C5312148 (2022.11.23.02)
[IOC Info]
- 9011870a33ddb12f8934f9061de6f42c
- fe5101b50e92a923d74cc6f0f4225539
- hxxps://transfer[.]sh/get/671Cix/123.exe
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
Categories:Malware Information