{"id":91481,"date":"2023-02-21T17:25:22","date_gmt":"2023-02-21T11:55:22","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91481"},"modified":"2023-06-17T16:33:05","modified_gmt":"2023-06-17T11:03:05","slug":"your-office-document-is-at-risk-xll-a-new-attack-vector","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/your-office-document-is-at-risk-xll-a-new-attack-vector\/","title":{"rendered":"Your Office Document is at Risk – XLL, A New Attack Vector"},"content":{"rendered":"

 <\/p>\n

Microsoft Office documents are used worldwide by both corporates and home-users alike. \u00a0It\u2019s different office versions, whether licensed or unlicensed offers users an easy way to create and modify files. However, this software is also susceptible to cyberattacks<\/a>.<\/p>\n

Cybercriminals often take advantage of its vulnerability and use VBA (Visual Basic Application) macros as entry points to gain access to targeted systems and devices.<\/p>\n

Over the years, VBA macros has been a domineering threat for Office documents with its ability to spread malware. And, this is why Microsoft has finally decided to block VBA macros for files that have \u2018mark of the web\u2019 (MOTW) tag. \u00a0With this change, whenever users open a file downloaded from internet, \u00a0such as email attachments which have macros, the following message will be displayed:<\/p>\n

\"\"<\/p>\n

Fig-1.<\/b><\/em><\/strong>\u00a0Security Risk Warning<\/em><\/p>\n

As a result, attackers are now forced to think of alternative ways to reach their victims. And, here\u2019s where Microsoft Add-ins come into the picture.<\/p>\n

What is Microsoft add-ins?<\/strong><\/p>\n

An add-in is a software program that expands the capabilities of main programs. It is a term commonly used by Microsoft and other platforms which have additional functions that can be added to primary programs. Office add-ins are DLL files which have different extensions depending on the application. Microsoft Excel and Word have add-ins with the file extensions, \u2018.xll\u2019<\/em>\u00a0and \u2018.wll\u2019<\/em>\u00a0respectively.<\/p>\n

For Word, the ‘.wll’<\/em>\u00a0add-in needs to be placed in a specific location, specified by the registry value HKCU\\Software\\Microsoft\\Office\\16.0\\Word\\Security\\Trusted Locations, depending on the Office version. This will ensure that ‘.wll’<\/em>\u00a0add-in gets executed by word application.<\/p>\n

For Excel add-ins, whenever \u2018.xll\u2019<\/em>\u00a0file gets loaded, it will be opened by an excel application.<\/p>\n

Malicious XLL files <\/strong><\/p>\n

Many threat actors have started using XLL files as the initial vector. These files are mainly shared as an email attachment. It is associated with an icon similar to other excel supported file making it hard for end users to distinguish between the original excel file and an add-in file.<\/p>\n

\"\"<\/p>\n

Fig-2.<\/b><\/em><\/strong>\u00a0Malicious DLL with .XLL extension<\/em><\/p>\n

Upon opening such files, excel will display a warning about the malicious code in it.<\/p>\n

\"\"<\/p>\n

Fig-3.<\/b><\/em><\/strong>\u00a0MS office warning for Add-in<\/em><\/p>\n

It is possible for a \u201c.dll\u201d<\/em>\u00a0(dynamic-link library) file to be renamed as a \u201c.xll\u201d<\/em>\u00a0(Excel add-in) file and used for malicious purposes. The difference between a regular DLL and an XLL file is that XLLs can have certain exported functions which will be called by the Excel Add-In manager if triggered by the Excel application. When XLL file is launched by Excel, it will invoke the export functions based on the defined XLL interface like xlAutoOpen<\/em>\u00a0and xlAutoClose <\/em>similar to the methods Auto_Open<\/em>\u00a0and Auto_Close<\/em>\u00a0in VBA macros. These functions can be used to load malicious code and download malware payload.<\/p>\n

Technical Analysis:<\/strong><\/p>\n

It begins with\u00a0a\u00a0file named \u201cBankStatement-1674745402.xll\u201d, which is a 64 bit DLL\u00a0file. This file contains\u00a0one export function in it with a name \u201cxlAutoOpen\u201d as shown in fig 4.<\/p>\n

\"\"<\/p>\n

Fig-4.<\/b><\/em><\/strong>\u00a0DLL Export Function<\/em><\/p>\n

We have executed this DLL file explicitly using \u201crundll32.exe\u201d with the parameters,<\/p>\n

\u201cC:\\Windows\\SysWOW64\\rundll32.exe C:\\Users\\user\\Desktop\\9009859256\\BankStatement-1674745402.xll, xlAutoOpen\u201d.<\/p>\n

In fig 5, we can see process execution flow.<\/p>\n

\"\"<\/p>\n

Fig-5.<\/em><\/strong>\u00a0Process Flow of Execution<\/em><\/p>\n

The export function has a code (shown in fig 6) that uses the strcat function to generate different strings that are having link and commands for execution. The below function creates a link\u00a0\u201chttp[:]\/\/160[.]119[.]253[.]36\/filesetup_v17.3.4.zip<\/u>\u201d\u00a0and it tries to connect to this link to download the zip file and saved as a \u201cmypictures.zip<\/b><\/strong>\u201d.<\/p>\n

\"\"<\/p>\n

Fig-6.<\/em><\/strong>\u00a0Code for generation of Link and connection<\/em><\/p>\n

After this, PowerShell<\/a> is used to unzip this zip file into the %Temp% folder with the below-mentioned command,<\/p>\n

\u201cpowershell.exe Expand-Archive \u2013Path “C:\\Users\\user\\AppData\\Local\\Temp\\mypictures.zip” -DestinationPath “C:\\Users\\user\\AppData\\Local\\Temp\\””<\/strong><\/p>\n

 <\/p>\n

After unzipping we get \u201cfilesetup_v17.3.4<\/strong>\u201d named folder in the %Temp% folder which has the \u201cResources<\/strong>\u201d folder and \u201cfilesetup_v17.3.4.jpg<\/strong>\u201d file inside.<\/p>\n

\"\"<\/p>\n

Fig-7.<\/em><\/strong>\u00a0<\/em>filesetup_v17.3.4<\/em><\/strong>\u00a0folder into Temp<\/em><\/p>\n

Resources folder has multiple XML files containing dummy data. Attackers purposely put that data to make the analysis gruelling. The \u201cfilesetup_v17.3.4.jpg<\/strong>\u201d is not an image file format file. It is nothing but a 32-bit PE File written in .NET language and it looks like an Inno Setup Module installer.<\/p>\n

An Inno Setup is a free and popular installer framework used to create installers for Windows applications. It provides a scripting language that allows developers to customize the installation process, including the creation of shortcuts, registry entries, and other system configuration.<\/p>\n

\"\"<\/p>\n

Fig-8.<\/em><\/strong>\u00a0<\/em>\u201c<\/em>filesetup_v17.3.4.jpg<\/em><\/strong>\u201d<\/em>\u00a0file info in Die tool<\/em><\/p>\n

 <\/p>\n

This .NET file has 213 methods in it (shown in fig 9) which are highly obfuscated. We can de-obfuscate using\u00a0de4dot<\/strong>\u00a0obfuscators. To avoid reversing a .NET application, the author has implemented multiple methods to make it more difficult for any researcher to understand the code and logic of the application.<\/p>\n

\"\"<\/p>\n

Fig-9.<\/em><\/strong>\u00a0\u201c.NET Methods Count\u201d<\/em><\/p>\n

 <\/p>\n

This \u201cfilesetup_v17.3.4.jpg<\/strong>\u201d file executed using below mentioned command,<\/p>\n

\u201ccmd.exe \/c start C:\\Users\\user\\AppData\\Local\\Temp\\filesetup_v17.3.4\\filesetup_v17.3.4.jpg\u201d<\/strong><\/p>\n

This file uses a few anti-debugging techniques at the start of the execution which are mentioned as below,<\/p>\n

1. OllyDbg is a popular debugger tool that can be used to analyze and modify running programs, including .NET applications. One technique for detecting and preventing debugging using OllyDbg involves checking for the presence of a specific string that is associated with the debugger.<\/p>\n

\"\"<\/p>\n

Fig-10.<\/em><\/strong>\u00a0OLLDBG Tool Check<\/em><\/p>\n

\u00a02. Debugger registry check which is used to determine if a debugger is attached to the process and take appropriate action if one is found.<\/p>\n

\"\"<\/p>\n

Fig-11.<\/em><\/strong>\u00a0Debugger registry check<\/em><\/p>\n

\u00a03. IsDebuggerPresent function is used to detect if a debugger is attached to the process or not.<\/p>\n

4. CheckRemoteDebuggerPresent function is used to detect if a debugger is attached to the current process or a remote process or not.<\/p>\n

\"\"<\/p>\n

Fig-12. <\/em><\/strong>IsDebuggerPresent and CheckRemoteDebuggerPresent Functions<\/em><\/p>\n

Racoon Stealer V2 is a type of malware that is designed to steal sensitive information from infected systems. It is capable of stealing various types of files, including .ttf and .xml files, and storing them on the infected system. However, if the CNC (command and control) server is not operational, the malware may be unable to send the stolen information to the server for exfiltration.<\/p>\n

In this scenario, the stolen .ttf and .xml files may remain on the infected system until the CNC server becomes available. This can potentially expose sensitive information to the attacker, as they may still be able to access the stolen files on the compromised system.<\/p>\n

Quick Heal Protection:<\/strong><\/p>\n

Quick heal<\/a> security labs has been actively hunting for these types of files to ensure that all Quick Heal customers are protected with the following detections.<\/p>\n