Wednesday, November 6, 2024
HomeCyber AttackHackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Hackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Published on

Malware protection

Recently it has been observed that Morphisec Labs has witnessed a new wave of JSSLoader infections this year. JSSLoader activity has been tracked by Morphisec Labs since December 2020, and a comprehensive report has been released on the JSS loader used by the Russian hacker group FIN7 (aka Carbanak).

In addition to exfiltrating data, establishing persistence, fetching and loading additional payloads, and auto-updating, JSSLoader is also able to establish persistence for external payloads.

In short, the JSSLoader RAT (remote access trojan) is an extremely capable, but small RAT. And the new version of JSSLoader is delivered by attackers via.XLL files.

- Advertisement - SIEM as a Service

Infection chain & XLL Excel add-ins

Morphisec Labs threat analysts observed the new campaign that involves a stealthier version of JSSLoader. This infection chain also works similarly to other XLL infections, where the victim has an email with a malicious attachment, either an XLM or an XLL file attached to it.

Upon downloading and executing the attachment, Microsoft Excel executes the malicious code comprised within the “.xll” file, and after that from a remote server downloads the payload.

Excel’s XLL add-ins are commonly misused to import data into a worksheet or extend Excel’s functionality, though they are commonly used for legitimate purposes.

In the early stages of malware infection, an Excel add-in with an XLL extension is used to download JSSLoader to an infected computer. When the user executes the file, a popup appears since the file is not signed.

Excel calls the xlAutoOpen function whenever an XLL file is activated, so every XLL must implement and export this function. The malware executes the mw_download_and_execute function while loading itself, the “.XLL” file, into memory.

Sophisticated Obfuscation

To evade EDRs that consolidate detection information from the entire network, the threat actor regularly updates the User-Agent on the XLL files. 

With the new JSSLoader, the execution flow is the same, but it has been enhanced with string obfuscation, which encloses all the renaming variables and functions.

Here the RATs have split strings into substrings, after which they concatenate them at runtime to evade detection from string-based YARA rules used by defenders.

To evade the static threat scanners the threat actors leave a minimal footprint and reduce the chances of being detected by string decoding mechanism.

However, as a result of this new addition, and the use of XLL file delivery, it will be more complex and difficult for the next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect.

In short, a majority of NGAV and EDR solutions do not detect day zero.XLL files that hide the JSSLoaders, become next to impossible.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Azure API Management Vulnerabilities Let Attackers Escalate Privileges

Recent discoveries by Binary Security have revealed critical vulnerabilities in Azure API Management (APIM) that could...

Google Patches High-Severity Vulnerabilities in Chrome

Google has released a new update for its Chrome browser, addressing two high-severity vulnerabilities....

ClickFix Exploits GMeet & Zoom Pages to Deliver Sophisticated Malware

A new tactic, "ClickFix," has emerged. It exploits fake Google Meet and Zoom pages...

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

APT36 Hackers Attacking Windows Deevices With ElizaRAT

APT36, a sophisticated threat actor, has been actively targeting Indian entities with advanced malware...

Evasive Panda Attacking Cloud Services To Steal Data Using New Toolkit

The Evasive Panda group deployed a new C# framework named CloudScout to target a...

Massive Midnight Blizzard Phishing Attack Using Weaponized RDP Files

Researchers warn of ongoing spear-phishing attacks by Russian threat actor Midnight Blizzard targeting individuals...