Friday, March 29, 2024

Hackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Recently it has been observed that Morphisec Labs has witnessed a new wave of JSSLoader infections this year. JSSLoader activity has been tracked by Morphisec Labs since December 2020, and a comprehensive report has been released on the JSS loader used by the Russian hacker group FIN7 (aka Carbanak).

In addition to exfiltrating data, establishing persistence, fetching and loading additional payloads, and auto-updating, JSSLoader is also able to establish persistence for external payloads.

In short, the JSSLoader RAT (remote access trojan) is an extremely capable, but small RAT. And the new version of JSSLoader is delivered by attackers via.XLL files.

Infection chain & XLL Excel add-ins

Morphisec Labs threat analysts observed the new campaign that involves a stealthier version of JSSLoader. This infection chain also works similarly to other XLL infections, where the victim has an email with a malicious attachment, either an XLM or an XLL file attached to it.

Upon downloading and executing the attachment, Microsoft Excel executes the malicious code comprised within the “.xll” file, and after that from a remote server downloads the payload.

Excel’s XLL add-ins are commonly misused to import data into a worksheet or extend Excel’s functionality, though they are commonly used for legitimate purposes.

In the early stages of malware infection, an Excel add-in with an XLL extension is used to download JSSLoader to an infected computer. When the user executes the file, a popup appears since the file is not signed.

Excel calls the xlAutoOpen function whenever an XLL file is activated, so every XLL must implement and export this function. The malware executes the mw_download_and_execute function while loading itself, the “.XLL” file, into memory.

Sophisticated Obfuscation

To evade EDRs that consolidate detection information from the entire network, the threat actor regularly updates the User-Agent on the XLL files. 

With the new JSSLoader, the execution flow is the same, but it has been enhanced with string obfuscation, which encloses all the renaming variables and functions.

Here the RATs have split strings into substrings, after which they concatenate them at runtime to evade detection from string-based YARA rules used by defenders.

To evade the static threat scanners the threat actors leave a minimal footprint and reduce the chances of being detected by string decoding mechanism.

However, as a result of this new addition, and the use of XLL file delivery, it will be more complex and difficult for the next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect.

In short, a majority of NGAV and EDR solutions do not detect day zero.XLL files that hide the JSSLoaders, become next to impossible.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Beware Of Weaponized Air Force invitation PDF Targeting Indian Defense And Energy Sectors

EclecticIQ cybersecurity researchers have uncovered a cyberespionage operation dubbed "Operation FlightNight" targeting Indian government...

WarzoneRAT Returns Post FBI Seizure: Utilizing LNK & HTA File

The notorious WarzoneRAT malware has made a comeback, despite the FBI's recent efforts to...

Google Revealed Kernel Address Sanitizer To Harden Android Firmware And Beyond

Android devices are popular among hackers due to the platform’s extensive acceptance and open-source...

Compromised SaaS Supply Chain Apps: 97% of Organizations at Risk of Cyber Attacks

Businesses increasingly rely on Software as a Service (SaaS) applications to drive efficiency, innovation,...

IT and security Leaders Feel Ill-Equipped to Handle Emerging Threats: New Survey

A comprehensive survey conducted by Keeper Security, in partnership with TrendCandy Research, has shed...

How to Analyse .NET Malware? – Reverse Engineering Snake Keylogger

Utilizing sandbox analysis for behavioral, network, and process examination provides a foundation for reverse...

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles