Monday, July 15, 2024

Hackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Recently it has been observed that Morphisec Labs has witnessed a new wave of JSSLoader infections this year. JSSLoader activity has been tracked by Morphisec Labs since December 2020, and a comprehensive report has been released on the JSS loader used by the Russian hacker group FIN7 (aka Carbanak).

In addition to exfiltrating data, establishing persistence, fetching and loading additional payloads, and auto-updating, JSSLoader is also able to establish persistence for external payloads.

In short, the JSSLoader RAT (remote access trojan) is an extremely capable, but small RAT. And the new version of JSSLoader is delivered by attackers via.XLL files.

Infection chain & XLL Excel add-ins

Morphisec Labs threat analysts observed the new campaign that involves a stealthier version of JSSLoader. This infection chain also works similarly to other XLL infections, where the victim has an email with a malicious attachment, either an XLM or an XLL file attached to it.

Upon downloading and executing the attachment, Microsoft Excel executes the malicious code comprised within the “.xll” file, and after that from a remote server downloads the payload.

Excel’s XLL add-ins are commonly misused to import data into a worksheet or extend Excel’s functionality, though they are commonly used for legitimate purposes.

In the early stages of malware infection, an Excel add-in with an XLL extension is used to download JSSLoader to an infected computer. When the user executes the file, a popup appears since the file is not signed.

Excel calls the xlAutoOpen function whenever an XLL file is activated, so every XLL must implement and export this function. The malware executes the mw_download_and_execute function while loading itself, the “.XLL” file, into memory.

Sophisticated Obfuscation

To evade EDRs that consolidate detection information from the entire network, the threat actor regularly updates the User-Agent on the XLL files. 

With the new JSSLoader, the execution flow is the same, but it has been enhanced with string obfuscation, which encloses all the renaming variables and functions.

Here the RATs have split strings into substrings, after which they concatenate them at runtime to evade detection from string-based YARA rules used by defenders.

To evade the static threat scanners the threat actors leave a minimal footprint and reduce the chances of being detected by string decoding mechanism.

However, as a result of this new addition, and the use of XLL file delivery, it will be more complex and difficult for the next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect.

In short, a majority of NGAV and EDR solutions do not detect day zero.XLL files that hide the JSSLoaders, become next to impossible.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Critical Cellopoint Secure Email Gateway Flaw Let Attackers Execute Arbitrary Code

A critical vulnerability has been discovered in the Cellopoint Secure Email Gateway, identified as...

Singapore Banks to Phase out OTPs for Bank Account Logins Within 3 Months

The Monetary Authority of Singapore (MAS) and The Association of Banks in Singapore (ABS)...

GuardZoo Android Malware Attacking military personnel via WhatsApp To Steal Sensitive Data

A Houthi-aligned group has been deploying Android surveillanceware called GuardZoo since October 2019 to...

ViperSoftX Weaponizing AutoIt & CLR For Stealthy PowerShell Execution

ViperSoftX is an advanced malware that has become more complicated since its recognition in...

Malicious NuGet Campaign Tricking Developers To Inject Malicious Code

Hackers often target NuGet as it's a popular package manager for .NET, which developers...

Akira Ransomware Attacking Airline Industry With Legitimate Tools

Airlines often become the target of hackers as they contain sensitive personal and financial...

DarkGate Malware Exploiting Excel Files And SMB File Shares

DarkGate, a Malware-as-a-Service (MaaS) platform, experienced a surge in activity since September 2023, employing...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles