XLL Exploit
Cybersecurity researchers warn that multiple forms of malware are being stealthily delivered via Microsoft Excel XLL files.
These spam campaigns are designed to push malicious files that download malware on victims’ Windows devices.
We observed a new surge of Agent Tesla and Dridex malware samples dropped by malicious Excel add-ins (XLL files). We focus here on Agent
In the campaigns we saw, emails with malicious XLL attachments or links were sent to users. Double-clicking the attachment opens Microsoft Excel
The use of XLL files is not as common as maliciously crafted XLS files that contain macros or exploits, so it is a rarely observed evasion
Attackers distribute .XLL files via phishing emails concerning payment reminders, quotes and delivery statuses. When running the file, users are prompted to download an add-in file. Behind the scenes, the file rolls out malware on the user’s device.
HP Wolf Security found multiple malware types that create backdoors and allow access from outside the device’s network, including BazaLoader, Dridex and Agent Tesla. The researchers stumbled upon a deep web forum post advertising an ‘XLL Excel Dropper’. For $2,000, the advertiser delivers a software product that automatically converts malware links and Excel files into an exploitable add-in file.
HP Wolf Security advises organizations to reject all unknown emails with .XLL attachments via email gateways. The organization urges security teams to remain vigilant for malware distributed with legitimate functions such as Excel XLL.
This infection chain is similar to other XLL infections. The victim receives a malicious attachment, either an XLM or XLL file, inside an email. Once the attachment is downloaded and executed, Excel loads and executes the malicious code inside the .xll file, which then downloads the payload from a remote server. The payload is a new, similar variant
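As an added defender-side example (written for this page, not code from HP Wolf Security or the researchers quoted above), the gateway rule of rejecting unknown emails with .XLL attachments can be approximated by scanning each attachment for three signals: the .xll extension Excel keys on, the PE "MZ" header of a native add-in, and the xlAutoOpen export that Excel calls when it loads an add-in. The sample message, addresses and file names are constructed placeholders.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample message (not a real campaign artifact): one benign .xlsx
# (ZIP magic "PK") and one fake .xll body that mimics a PE image (MZ header)
# carrying the xlAutoOpen export name that Excel calls when loading an add-in.
def build_sample_eml() -> bytes:
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Payment reminder"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 32,
                       maintype="application", subtype="octet-stream",
                       filename="invoice.xlsx")
    msg.add_attachment(b"MZ" + b"\x00" * 60 + b"PE\x00\x00" + b"xlAutoOpen\x00",
                       maintype="application", subtype="octet-stream",
                       filename="Invoice.pdf.XLL")
    return msg.as_bytes()

def find_xll_attachments(raw_eml: bytes) -> list[dict]:
    """Return one finding per attachment that looks like an Excel XLL add-in."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reasons = []
        # Excel decides to load an add-in by extension, so match case-insensitively
        # and catch double extensions such as "Invoice.pdf.XLL".
        if name.lower().endswith(".xll"):
            reasons.append("xll-extension")
        # An XLL is a native DLL: a PE image starting with the "MZ" DOS header.
        if data[:2] == b"MZ":
            reasons.append("pe-header")
        # Cheap string check for the xlAutoOpen export name; it survives renaming.
        if b"xlAutoOpen" in data:
            reasons.append("xlAutoOpen-export")
        if reasons:
            findings.append({"filename": name, "size": len(data), "reasons": reasons})
    return findings

def gateway_verdict(raw_eml: bytes) -> str:
    """Reject on a .xll extension; quarantine on weaker signals; else deliver."""
    findings = find_xll_attachments(raw_eml)
    if any("xll-extension" in f["reasons"] for f in findings):
        return "reject"
    return "quarantine" if findings else "deliver"
```

The content checks matter because the extension alone is what Excel acts on, but a renamed PE with an xlAutoOpen export is still worth holding for analysis.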