2021-12-01

Microsoft Excel (XLL) Leads to RedLine Info-Stealer

Level: 
  |  Source: 
BleepingComputer
Cybersecurity
Share:

Microsoft Excel (XLL) Leads to RedLine Info-Stealer

Threat Actors are utilizing public discussion forums, or article comment systems, to spread malicious Excel documents that ultimately download and install RedLine information stealer. Malicious links are hosted on Google Drive and download a XLL which BleepingComputer describes as, "an an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an 'xlAutoOpen' function executed by Microsoft Excel when the add-in is opened." While tests have had unsuccessful executions, potentially due to incompatible versions of Microsoft Excel, the sequence appears to involve the DLL being executed with regsvr32 or rundll32 that extracts the wget.exe program to download the RedLine binary saving it as %UserProfile%\JavaBridge32.exe. Once downloaded an autorun registry entry will launch and enable persistence for the malware.

     

Get trending threats published weekly by the Anvilogic team.

Sign Up Now