Threat Spotlight: XLLing in Excel – threat actors using malicious add-ins

Talos examines Excel XLL add-ins as an infection vector now that Microsoft blocks VBA macros by default in Office documents that came from the internet. The piece details how XLLs operate, lists notable actors and malware families using XLLs, and offers defensive guidance. #XLL #ExcelDNA #APT10 #TA410 #Donot #FIN7 #Dridex #FormBook

Keypoints

  • Microsoft now blocks VBA macro execution by default in Office documents that came from the internet, so attackers have shifted from macros toward other Office extensibility mechanisms, XLL add-ins among them.
  • XLL files are Excel add-ins: native Windows DLLs (or .NET assemblies packaged into a DLL shim by Excel-DNA) with an .xll extension. When Excel loads one it calls exported entry points such as xlAutoOpen, so attacker code runs as soon as the add-in is loaded.
  • An add-in dropped into a trusted location, or registered so that Office loads it at start-up, runs with fewer of the prompts that would normally give a user pause, turning a file open into code execution.
  • The earliest in-the-wild samples Talos cites date from July 2017 (one that launches calc.exe and a Meterpreter reverse shell); XLL usage rose markedly toward the end of 2021, among advanced actors and commodity malware families alike.
  • Actors and families observed using XLLs include APT10, TA410, Donot, FIN7, Dridex, FormBook, Warzone, and Ducktail, mostly as first-stage downloaders or injectors.
  • The typical XLL is a small loader: it connects to an attacker-controlled host, fetches the next-stage payload, and in some cases injects it into another process (e.g., svchost.exe).
  • Defensive guidance covers endpoint protection, email security, network monitoring, and OSINT- and osquery-based hunting to block or identify XLL-based threats.
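A file-level check for the load mechanism above, added here as an example (it is not Talos code and not taken from the post): the script parses a PE file's export table and reports whether it carries the XLL entry points, xlAutoOpen above all, and whether it looks like an Excel-DNA shim. Because it keys on the export table rather than the file name, a loader shipped as .dll or under a fake extension is classified the same way. The sample files it examines are constructed in memory by build_fake_xll(), and the "ExcelDna" string marker is an assumed heuristic, not a signature from the source.

```python
"""XLL triage by PE export table (added example, not from the Talos post).

Excel calls exported entry points such as xlAutoOpen when it loads an .xll,
so a PE that exports them is an add-in regardless of its file extension.
The sample files below are constructed with build_fake_xll(); the
'ExcelDna' marker is an assumed heuristic for Excel-DNA packed shims.
"""
import struct
import sys

# Entry points Excel looks up in an XLL; xlAutoOpen is the one malware uses to run on load.
XLL_ENTRY_POINTS = {"xlAutoOpen", "xlAutoClose", "xlAutoAdd", "xlAutoRemove", "xlAddInManagerInfo"}
EXCEL_DNA_MARKER = b"ExcelDna"  # assumption: present in Excel-DNA packed add-ins


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def pe_exports(data):
    """Return the exported names of a PE32/PE32+ image (empty if it exports nothing)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: no PE signature")
    coff = pe + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = {0x10B: 96, 0x20B: 112}.get(magic)  # DataDirectory offset for PE32 / PE32+
    if dd is None:
        raise ValueError("unknown optional header magic %#x" % magic)
    exp_rva = struct.unpack_from("<I", data, opt + dd)[0]  # directory entry 0 = export table
    if exp_rva == 0:
        return []
    sections = []
    for i in range(n_sections):
        hdr = opt + opt_size + 40 * i
        sections.append(struct.unpack_from("<III", data, hdr + 12))  # VA, SizeOfRawData, PointerToRawData
    exp = _rva_to_offset(sections, exp_rva)
    n_names = struct.unpack_from("<I", data, exp + 24)[0]          # IMAGE_EXPORT_DIRECTORY.NumberOfNames
    names = _rva_to_offset(sections, struct.unpack_from("<I", data, exp + 32)[0])  # AddressOfNames
    return [_cstring(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names + 4 * i)[0]))
            for i in range(n_names)]


def triage(data):
    """Classify a PE: does it carry XLL entry points, will Excel run code on load, is it Excel-DNA?"""
    exports = pe_exports(data)
    hits = sorted(XLL_ENTRY_POINTS.intersection(exports))
    return {
        "xll_entry_points": hits,
        "looks_like_xll": bool(hits),
        "runs_on_load": "xlAutoOpen" in hits,
        "excel_dna": EXCEL_DNA_MARKER in data,
    }


def build_fake_xll(names, extra=b""):
    """Constructed sample: a minimal PE32+ DLL with one section holding an export table."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(names)
    names_tbl, ords_tbl = 40, 40 + 4 * n
    funcs_tbl = ords_tbl + 2 * n
    strings = funcs_tbl + 4 * n
    body = bytearray(strings)
    # IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, Major, Minor, Name, Base,
    # NumberOfFunctions, NumberOfNames, AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIHHIIIIIII", body, 0, 0, 0, 0, 0, 0, 1, n, n,
                     sec_rva + funcs_tbl, sec_rva + names_tbl, sec_rva + ords_tbl)
    blob = bytearray()
    for i, name in enumerate(names):
        struct.pack_into("<I", body, names_tbl + 4 * i, sec_rva + strings + len(blob))
        struct.pack_into("<H", body, ords_tbl + 2 * i, i)
        struct.pack_into("<I", body, funcs_tbl + 4 * i, sec_rva + 0x800 + 0x10 * i)  # dummy code RVAs
        blob += name.encode() + b"\x00"
    section = bytes(body) + bytes(blob) + extra
    section += b"\x00" * (-len(section) % 0x200)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)  # AMD64, DLL, one section
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)
    struct.pack_into("<II", opt, 112, sec_rva, len(section))  # export directory RVA and size
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata\x00\x00", len(section), sec_rva,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + sec_hdr
    return headers + b"\x00" * (sec_raw - len(headers)) + section


if __name__ == "__main__":
    samples = {"loader.xll": build_fake_xll(["xlAutoOpen", "xlAutoClose"]),
               "dna.xll": build_fake_xll(["xlAutoOpen"], b"ExcelDna.Integration"),
               "plain.dll": build_fake_xll(["GetWidget"])}
    for name, data in ([(p, open(p, "rb").read()) for p in sys.argv[1:]] or samples.items()):
        print(name, triage(data))
```

Run it with file paths as arguments to triage real samples, or with no arguments to see the three constructed ones. A hit on xlAutoOpen means Excel will transfer control to the file's code the moment the add-in is loaded, which is the property the threat actors above rely on.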

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – “XLL files can be sent by email, and even with the usual anti-malware scanning measures, users may be able to open them not knowing that they may contain malicious code.”
  • [T1204.002] User Execution: Malicious File – the victim has to open the XLL (posing, for example, as an invoice) for it to run; XLL files sent by email may be opened unknowingly.
  • [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking / [T1137.006] Office Application Startup: Add-ins – the attacker places a DLL in a trusted location or at the add-in path stipulated in the registry and the Office application loads it at start-up, which is an add-in persistence mechanism rather than a search-order hijack: “place a DLL into a trusted location … Word will attempt to load the DLL.”
  • [T1055] Process Injection – the Anel Backdoor injector has “functionality to inject the Backdoor Anel payload into the process space of svchost.exe.”
  • [T1105] Ingress Tool Transfer – XLL loaders “connect to an attacker controlled host to download additional components.”
  • [T1071.001] Application Layer Protocol: Web Protocols (with T1102 Web Service) – next-stage payloads are fetched over HTTP(S) from Discord, where they were “posted to and publicly accessible from Discord.”
  • [T1059.001] Command and Scripting Interpreter: PowerShell – FIN7 and others chain PowerShell and .NET into their infection techniques: “…including .NET assemblies and PowerShell.”
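A companion hunt for the load points named in the techniques above (trusted locations and registry-stipulated add-in paths), added as an example rather than taken from the Talos post: it reads the per-user Excel Options values OPEN, OPEN1, OPEN2 ... that Excel opens at start-up, plus the XLSTART folders, and flags .xll add-ins sitting in low-trust directories. The registry and directory collection runs only on Windows; the SAMPLE_OPTIONS values it is exercised against are constructed, and the set of low-trust directories is an assumption to tune per environment.

```python
r"""Hunt Excel add-in auto-load points (added example, not from the Talos post).

Excel loads whatever the OPEN, OPEN1, OPEN2 ... values under
HKCU\Software\Microsoft\Office\<ver>\Excel\Options point to, and anything in
its XLSTART folders, at start-up. The constructed values in SAMPLE_OPTIONS
stand in for a registry dump; collect_live() does the real read on Windows.
"""
import os
import re

OPTIONS_KEY = r"Software\Microsoft\Office\{ver}\Excel\Options"
XLSTART_DIRS = (r"%APPDATA%\Microsoft\Excel\XLSTART",
                r"%PROGRAMFILES%\Microsoft Office\root\Office16\XLSTART")
# Assumption: directories a phished user can write to; legitimate add-ins rarely live here.
LOW_TRUST_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# OPENn data is an optional switch (e.g. /R) followed by an optionally quoted path.
_OPEN_DATA = re.compile(r'^(?:/[A-Za-z]\s+)?"?(?P<path>[^"]+?)"?\s*$')


def parse_open_value(data):
    """Strip the switch and quotes from an OPENn value and return the bare path."""
    m = _OPEN_DATA.match(data.strip())
    return m.group("path") if m else data.strip()


def addins_from_options(values):
    """values: {name: data} of the Excel\\Options key; keep the OPEN, OPEN1, ... series only."""
    return [parse_open_value(str(d)) for n, d in values.items() if re.fullmatch(r"OPEN\d*", n, re.I)]


def classify(paths):
    """'suspicious': .xll in a low-trust dir; 'review': any other .xll; 'ok': not an XLL at all."""
    verdicts = {}
    for p in paths:
        low = p.lower()
        if not low.endswith(".xll"):
            verdicts[p] = "ok"
        elif any(tok in low for tok in LOW_TRUST_DIRS):
            verdicts[p] = "suspicious"
        else:
            verdicts[p] = "review"
    return verdicts


def collect_live(ver="16.0"):
    """Windows only: add-ins registered for the current user plus XLSTART contents."""
    found = []
    if os.name != "nt":
        return found
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, OPTIONS_KEY.format(ver=ver)) as key:
            values, i = {}, 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, i)
                except OSError:  # no more values
                    break
                values[name] = data
                i += 1
        found += addins_from_options(values)
    except OSError:  # key absent: Excel not installed or never run for this user
        pass
    for d in XLSTART_DIRS:
        d = os.path.expandvars(d)
        if os.path.isdir(d):
            found += [os.path.join(d, f) for f in os.listdir(d)]
    return found


# Constructed sample of an Excel\Options key after two XLLs landed in user-writable paths.
SAMPLE_OPTIONS = {
    "OPEN": r'/R "C:\Users\alice\AppData\Roaming\Microsoft\AddIns\Quickbooks - 40127.xll"',
    "OPEN1": r'"C:\Program Files\Vendor\solver.xlam"',
    "OPEN2": r"C:\Users\alice\Downloads\Details of Project Marketing Plan and Facebook Google Ads Results Report.xll",
    "OPEN3": r"C:\Program Files\Vendor\analytics.xll",
    "DefaultPath": r"C:\Users\alice\Documents",
}

if __name__ == "__main__":
    paths = collect_live() or addins_from_options(SAMPLE_OPTIONS)
    for path, verdict in classify(paths).items():
        print(verdict.ljust(10), path)
```

On an analyst workstation the same parsing applies to an exported .reg file or an osquery registry result, which is how it scales beyond a single host; the directory list is deliberately small so that a vendor add-in under Program Files is surfaced for review rather than buried.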

Indicators of Compromise

  • [Hash] 09271afc6f7ac254b4942a14559a0015fb4893d9bb478844ced2f78c0695929e – July 2017 sample used to launch calc.exe
  • [Hash] fdfdfc8878f39424920d469bcd05060a6f7c95794aaa2422941913553d3dd01f – July 2017 Meterpreter reverse shell sample
  • [Hash] a5d46912f0767ae30bc169a85c5bcb309d93c3802a2e32e04165fa25740afac1 – Anel Backdoor injector sample
  • [Hash] d8286133d3d21b7e2b83a6c071147b8ef993e963ad6bd0f95d665869557a444 – Donot 1.xll, a DLL with two exports including xlAutoOpen (as printed here this value is 63 hex characters, one short of a SHA-256; verify it against the Talos post before using it as an indicator)
  • [Hash] 7a234d1a2415834290a3a9c7274aadb7253dcfe24edb10b22f1a4a33fd027a08 – FIN7 Excel-DNA downloader (certificate-modified shim)
  • [Hash] 55228eec31193a900e8216ab245391f1e40feb742d780caa91fdb1000d8434c2 – FormBook downloader sample
  • [Hash] f2c5327b7bf88c65d0552d8664aca2ac542c8d37ae19582ba56690f1df420b53 – Dridex downloader
  • [Hash] 90205826eb40d5d4b454c2cfde44abe49f6c3b471681c700e30b45eb5078eee2 – Warzone payload
  • [Filename] “Details of Project Marketing Plan and Facebook Google Ads Results Report.xll” – Ducktail downloader sample
  • [Filename] “Quickbooks – 40127.xll” – FIN7 Excel-DNA downloader sample
  • [IP] 172.245.120.8 – host that served the Warzone payload in the campaign
  • [URL] hxxp://172.245.120.8/pdfreader.exe – Warzone payload download URL
  • [Service] Discord – next-stage payloads posted to Discord and fetched from there by XLL loaders (publicly accessible resources)

Read more: https://blog.talosintelligence.com/xlling-in-excel-malicious-add-ins/