Morphisec Labs reports a new JSSLoader variant delivered as unsigned XLL Excel add-ins: when Excel activates the add-in it calls the exported xlAutoOpen, which fetches and executes the JSSLoader payload. The campaign highlights evasion tactics (a new obfuscation layer and varying HTTP User-Agents) and notes FIN7 as the threat actor historically behind JSSLoader. #JSSLoader #FIN7 #XLL
Keypoints
- New JSSLoader variant is delivered through .XLL Excel add-ins, expanding beyond prior delivery methods.
- The infection chain starts with a malicious email attachment, either an XLM macro sheet or an XLL add-in; opening it leads Excel to load and run the malicious code inside the XLL.
- The first-stage XLL exports xlAutoOpen, the entry point Excel calls whenever it activates an add-in; that call starts the malicious activity.
- The XLL downloads the payload from a remote server through a dedicated download-and-execute routine; the HTTP User-Agent differs between samples to hinder network signature matching.
- The downloaded payload is written to a temporary file whose name starts with the DNA prefix, then launched as a new process.
- A new obfuscation layer renames all functions and variables and splits strings into fragments that are concatenated at runtime, defeating existing static signatures and YARA rules.
- Morphisec emphasizes that many NGAV/EDR solutions may miss zero-day XLL-based attacks, and argues that its Moving Target Defense (MTD) can detect and stop such unknown threats.
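The practical consequence of the xlAutoOpen point above is that any DLL exporting that symbol is an Excel add-in Excel will run on load, whatever extension the attachment carries. The following triage helper is an added example, not Morphisec's code or anything from a JSSLoader sample: it parses a PE export table without third-party modules, flags the add-in entry points, and reports whether an embedded Authenticode blob is present at all (the page describes the XLLs as unsigned). build_sample_pe() constructs a synthetic PE32+ image with only an export table so the script runs offline; it is not loadable and the export names in it are assumptions.

```python
"""Attachment triage (added example): list a PE's exports and flag the Excel
add-in entry points. build_sample_pe() is a constructed test input, not a
real XLL."""
import struct
import sys

# Exports Excel looks for in an add-in; xlAutoOpen is the one every XLL must have.
XLL_ENTRYPOINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove",
                   "xlAddInManagerInfo", "xlAddInManagerInfo12"}


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def _headers(data):
    """Return (data_directory_offset, [(va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec, opt_size = _u16(data, pe + 6), _u16(data, pe + 20)
    opt = pe + 24
    dd = opt + (112 if _u16(data, opt) == 0x20B else 96)  # PE32+ vs PE32
    sections = []
    for i in range(nsec):
        s = opt + opt_size + 40 * i
        sections.append((_u32(data, s + 12), _u32(data, s + 8),
                         _u32(data, s + 20), _u32(data, s + 16)))
    return dd, sections


def _rva_to_offset(rva, sections):
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA %#x maps to no section" % rva)


def list_exports(data):
    """Names in the export directory (data directory entry 0)."""
    dd, sections = _headers(data)
    exp_rva = _u32(data, dd)
    if exp_rva == 0:
        return []
    exp = _rva_to_offset(exp_rva, sections)
    n_names = _u32(data, exp + 24)                 # NumberOfNames
    names = _rva_to_offset(_u32(data, exp + 32), sections)  # AddressOfNames
    out = []
    for i in range(n_names):
        off = _rva_to_offset(_u32(data, names + 4 * i), sections)
        out.append(data[off:data.index(b"\0", off)].decode("ascii", "replace"))
    return out


def has_embedded_signature(data):
    """True if the Authenticode directory (entry 4) has a non-zero size.
    Presence is not validity: verify the chain separately."""
    dd, _ = _headers(data)
    return _u32(data, dd + 4 * 8 + 4) != 0


def xll_entrypoints(data):
    return sorted(XLL_ENTRYPOINTS & set(list_exports(data)))


def build_sample_pe(export_names):
    """Constructed PE32+ DLL holding only an export table (test input)."""
    sect_rva, n = 0x1000, len(export_names)
    funcs, names, ords = 40, 40 + 4 * n, 40 + 8 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(sect_rva + ords + 2 * n + len(strings))
        strings += name.encode() + b"\0"
    dll_name_rva = sect_rva + ords + 2 * n + len(strings)
    strings += b"sample.xll\0"
    body = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
                       sect_rva + funcs, sect_rva + names, sect_rva + ords)
    body += b"".join(struct.pack("<I", 0x2000 + 16 * i) for i in range(n))
    body += b"".join(struct.pack("<I", r) for r in name_rvas)
    body += b"".join(struct.pack("<H", i) for i in range(n))
    body += strings
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, len(body),
                      0, 0, sect_rva, 0x180000000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0,
                      0, 0x3000, 0x200, 0, 2, 0x160, 0x100000, 0x1000, 0x100000,
                      0x1000, 0, 16)
    datadirs = struct.pack("<II", sect_rva, len(body)) + b"\0" * 120
    sect = struct.pack("<8sIIIIIIHHI", b".edata\0\0", len(body), sect_rva,
                       len(body), 0x200, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + datadirs + sect).ljust(0x200, b"\0") + body


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(["xlAutoOpen", "xlAutoClose", "DllMain"])
    print("exports:", list_exports(data))
    print("XLL entry points:", xll_entrypoints(data))
    print("embedded Authenticode blob:", has_embedded_signature(data))
```

Run it against a quarantined attachment with `python triage.py suspect.xll`; with no argument it parses the constructed sample. A missing signature directory only tells you there is no embedded Authenticode blob (catalog-signed binaries also lack one), so treat it as a triage hint, and decide the mail-gateway policy on the export, not the extension.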
MITRE Techniques
- [T1566.001] Phishing: Spearphishing Attachment – Initial access is an emailed attachment, either an XLM or an XLL file. “The victim receives a malicious attachment, either an XLM or XLL file, inside an email.”
- [T1137] Office Application Startup – Each XLL file must implement and export the xlAutoOpen function, and Excel calls it when activated. “Each XLL file must implement and export the xlAutoOpen function. This function is called by Excel whenever an XLL is activated.”
- [T1105] Ingress Tool Transfer – The malware downloads the payload from a remote server using a download-and-execute flow. “This function is responsible for downloading the payload from a remote server.”
- [T1027] Obfuscated Files or Information – The new variant splits strings and renames all identifiers to hinder static analysis and signature matching. “This variant introduces a new layer of string obfuscation, renaming all functions and variables names.”
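The string splitting called out in the keypoints and under T1027 defeats a plain-text YARA string because the indicator never appears contiguously in the file. A cheap countermeasure for source-like or decompiled samples is to fold constant concatenations before scanning. The block below is an added example written for this page, not Morphisec's tooling; SAMPLE is a constructed snippet in the split-string style the page describes, with a placeholder host, not text from a JSSLoader sample, and the indicator list is likewise illustrative.

```python
"""Normalizer (added example): fold "a" + "b" string-literal concatenations
before scanning, so indicators split at build time become visible again.
SAMPLE is constructed for this demo, not taken from a real sample."""
import re

_STR = r'"((?:[^"\\]|\\.)*)"'           # one double-quoted literal, escapes allowed
_CONCAT = re.compile(_STR + r"\s*\+\s*" + _STR)


def fold_concats(src):
    """Merge adjacent literals joined by '+' until a fixpoint is reached;
    a chain like "a" + "b" + "c" collapses in two passes."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    return src


def matching_indicators(src, indicators):
    """Plain substring scan, i.e. what a simple YARA text string would see."""
    return [i for i in indicators if i in src]


# Constructed sample in the split-string style; the host is a placeholder.
SAMPLE = '''
string ua  = "Mozi" + "lla/5.0 (Windows NT 10.0; Win64; x64)";
string url = "ht" + "tp://" + "example.invalid" + "/stage2";
string tmp = Path.Combine(Path.GetTempPath(), "D" + "NA" + "1a2b.tmp");
'''
INDICATORS = ["Mozilla/5.0", "http://", "example.invalid/stage2", "DNA"]

if __name__ == "__main__":
    print("raw    :", matching_indicators(SAMPLE, INDICATORS))
    print("folded :", matching_indicators(fold_concats(SAMPLE), INDICATORS))
```

Against the raw sample none of the indicators match; after folding all four do. The limit is the one the page is making: folding only undoes compile-time concatenation, so strings assembled from character arrays or decoded at runtime still need emulation, a sandbox, or behavioural detection rather than a static string rule.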
Indicators of Compromise
- [File Hashes] XLL files – d42dfbeba20624a190cf903d28ac5ef5e6ff0f5c120e0f8e14909fec30871134, a8da877ebc4bdefbbe1b5454c448880f36ffad46d6d50083d586eee2da5a31ab, and 4 more hashes
- [File Hashes] JSSLoader payload – 48053356188dd419c6212e8adb1d5156460339f07838f2c00357cfd1b4a05278, da480b19c68c2dee819f7b06dbfdba0637fea2c165f3190c2a4994570c3dae2a, and 6 more hashes
- [Domains] Domains – physiciansofficenews[.]com, thechinastyle[.]com, and divorceradio[.]com
Read more: https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files