XLL Malware Distributed Through Email – ASEC BLOG

XLL malware is distributed via email attachments that masquerade as Excel add-ins (.xll) and run when opened, delivering various payloads including ransomware and info-stealers. The campaign uses DLL-based XLLs (some via Excel-DNA) and downloads additional malware from remote URLs, with several notable samples such as Purchase Order 033.xll and 034.xll. Hashtags: #XLL #ExcelDNA #CarlosRansomware #Lokibot #ResumeXLL #Mcroller

Keypoints

  • XLL files are Excel add-ins that are really DLLs loaded by Excel; because users mistake them for documents, they are a convenient place to hide malicious code.
  • The XLL samples discussed were distributed from July of the previous year through email, delivering various payloads such as info-stealers and ransomware.
  • Some XLLs are compiled in C, while others are built with Excel-DNA, whose internal DLL data can be extracted; in both cases the DLL exposes an exported function named xlAutoOpen that is used to run the payload.
  • Purchase Order 033.xll and 034.xll illustrate the technique, where enabling the add-in activates the malware behavior and the 034.xll variant downloads additional malware from the network.
  • In several samples, the XLLs download further malware, including ransomware (e.g., Carlos) and info-stealers, from specified URLs (e.g., mcroller.com, IPs).
  • Other XLLs, such as Resume.xll and MV SEAMELODY.xll, act as downloaders, with Resume.xll fetching ransomware and MV SEAMELODY.xll ultimately pulling in Lokibot.
  • Outlook blocks .xll attachments by default, and the block cannot be lifted in its default settings; inspecting or enabling such attachments requires manual workarounds (registry changes or renaming the extension).
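
Because every XLL is a PE DLL that exports xlAutoOpen, a mail gateway or triage script can flag these attachments by content rather than by extension alone. The following Python scanner is an added example, not code from ASEC or the blog: it walks the attachments of an RFC 822 message, flags the .xll extension, and independently flags any PE image containing the xlAutoOpen export name or an Excel-DNA marker, so a sample renamed to dodge Outlook's block is still caught. The FAKE_XLL bytes and the test message are constructed here for illustration.

```python
import email
import email.policy
import struct
from email.message import EmailMessage

# Markers a defender can look for: every XLL exports xlAutoOpen, and
# Excel-DNA builds leave the framework's name inside the binary.
XLL_MARKERS = (b"xlAutoOpen", b"ExcelDna")

def looks_like_pe(data: bytes) -> bool:
    """True if data has an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\0\0"

def classify_attachment(name: str, data: bytes) -> list[str]:
    """Return the reasons an attachment should be treated as a possible XLL dropper."""
    reasons = []
    if name.lower().endswith(".xll"):
        reasons.append("xll-extension")
    if looks_like_pe(data):
        reasons.append("pe-executable")
        if any(marker in data for marker in XLL_MARKERS):
            reasons.append("xll-export-marker")  # also catches a renamed .xll
    return reasons

def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map every attachment filename in a raw message to its findings."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        findings[name] = classify_attachment(name, part.get_payload(decode=True) or b"")
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message (not a real sample) carrying one attachment."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.invalid", "b@example.invalid", "PO"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed stand-in for an XLL: minimal MZ/PE header followed by the export name.
FAKE_XLL = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + b"\0" * 20 + b"xlAutoOpen\0"

if __name__ == "__main__":
    print(scan_message(build_sample("Purchase Order 033.xll", FAKE_XLL)))
    print(scan_message(build_sample("Purchase Order 033.txt", FAKE_XLL)))  # renamed extension
```

A real deployment would also parse the PE export directory instead of a byte search, but the string check alone already separates a renamed XLL from an ordinary document.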

MITRE Techniques

  • [T1566.001] Phishing – “They are distributed through emails”. Quote: ‘The attachments ‘Purchase Order 033.xll’ and ‘Purchase Order 034.xll’…’
  • [T1204] User Execution – “Clicking ‘Enable this add-in for this session only.’ will activate the behavior.”
  • [T1036] Masquerading – “The form is DLL as shown in Figure 5” (DLLs delivered as Excel add-ins that users mistake for documents)
  • [T1105] Ingress Tool Transfer – “downloading additional malware strains from the URL shown below” or similar network fetches
  • [T1112] Modify Registry – “the block cannot be lifted in Outlook’s default settings” and manual registry changes to unblock attachments

Indicators of Compromise

  • [File Name] XLL attachments – Purchase Order 033.xll, Purchase Order 034.xll, Resume.xll, MV SEAMELODY.xll
  • [Hash] c181e7eaacbcfe010375a857460a76c6, 128ab502ed4f070abea44fd42b24f9d3
  • [URL] hxxps://www.mcroller[.]com/express.exe, hxxp://104.161.34[.]171/library.exe, hxxp://103.89.30[.]10/intelpro/goa.exe
  • [IP] 104.161.34.171, 103.89.30.10
  • [Domain] mcroller.com (as observed in URL) – referenced as download source

Read more: https://asec.ahnlab.com/en/34756/