Hackers Use XLL Files to Deliver Obfuscated Version of JSSLoader

Recently it has been observed that Morphisec Labs has witnessed a new wave of JSSLoader infections this year. JSSLoader activity has been tracked by Morphisec Labs since December 2020, and a comprehensive report has been released on the JSS loader used by the Russian hacker group FIN7 (aka Carbanak).

In addition to exfiltrating data, establishing persistence, fetching and loading additional payloads, and auto-updating, JSSLoader is also able to establish persistence for external payloads.

In short, the JSSLoader RAT (remote access trojan) is an extremely capable, but small RAT. And the new version of JSSLoader is delivered by attackers via.XLL files.

Infection chain & XLL Excel add-ins

Morphisec Labs threat analysts observed the new campaign that involves a stealthier version of JSSLoader. This infection chain also works similarly to other XLL infections, where the victim has an email with a malicious attachment, either an XLM or an XLL file attached to it.

Upon downloading and executing the attachment, Microsoft Excel executes the malicious code comprised within the “.xll” file, and after that from a remote server downloads the payload.

Excel’s XLL add-ins are commonly misused to import data into a worksheet or extend Excel’s functionality, though they are commonly used for legitimate purposes.

In the early stages of malware infection, an Excel add-in with an XLL extension is used to download JSSLoader to an infected computer. When the user executes the file, a popup appears since the file is not signed.

Excel calls the xlAutoOpen function whenever an XLL file is activated, so every XLL must implement and export this function. The malware executes the mw_download_and_execute function while loading itself, the “.XLL” file, into memory.

Sophisticated Obfuscation

To evade EDRs that consolidate detection information from the entire network, the threat actor regularly updates the User-Agent on the XLL files. 

With the new JSSLoader, the execution flow is the same, but it has been enhanced with string obfuscation, which encloses all the renaming variables and functions.

Here the RATs have split strings into substrings, after which they concatenate them at runtime to evade detection from string-based YARA rules used by defenders.

To evade the static threat scanners the threat actors leave a minimal footprint and reduce the chances of being detected by string decoding mechanism.

However, as a result of this new addition, and the use of XLL file delivery, it will be more complex and difficult for the next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions to detect.

In short, a majority of NGAV and EDR solutions do not detect day zero.XLL files that hide the JSSLoaders, become next to impossible.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…

5 hours ago

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious…

6 hours ago

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in…

9 hours ago

Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA

Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…

10 hours ago

Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…

11 hours ago

New StealC V2 Upgrade Targets Microsoft Installer Packages and PowerShell Scripts

StealC, a notorious information stealer and malware downloader first sold in January 2023, has rolled…

12 hours ago