In recent months, we have seen a growth in malware campaigns using malicious Microsoft Excel add-in (XLL) files to infect systems. This technique is tracked in MITRE ATT&CK as T1137.006. The idea behind such add-ins is that they contain high-performance functions that can be called from an Excel worksheet via an application programming interface (API). This lets users extend the functionality of Excel more powerfully than other scripting interfaces such as Visual Basic for Applications (VBA), because it supports additional capabilities, such as multithreading. However, attackers can also make use of these capabilities to achieve malicious objectives.
In the campaigns we saw, emails with malicious XLL attachments or links were sent to users. Double-clicking the attachment opens Microsoft Excel, which prompts the user to install and activate the add-in.
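As an added defender-side example (not code from the original post), the following Python flags XLL add-in loads by Excel in image-load records, rating a load higher when the file sits in a user-writable attachment drop directory or is unsigned. The record format and sample lines are constructed here, modelled on Sysmon Event ID 7 field names (Image, ImageLoaded, Signed); the list of drop directories is an assumption about where mail clients and browsers save attachments.

```python
import re
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Assumed drop directories for mail attachments and downloads (lower-case,
# compared as substrings of the loaded path). An XLL that Excel loads from
# one of these is far more suspicious than one installed under Program Files.
USER_WRITABLE = (
    "\\downloads\\",
    "\\appdata\\local\\temp\\",
    "\\appdata\\local\\microsoft\\windows\\inetcache\\",
)

# Constructed records, not a real capture; field names mirror Sysmon Event ID 7.
SAMPLE_RECORDS = [
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE ImageLoaded=C:\\Users\\alice\\Downloads\\invoice_2023.xll Signed=false",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE ImageLoaded=C:\\Program Files\\Vendor\\Analytics\\fastcalc.xll Signed=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE ImageLoaded=C:\\Windows\\System32\\VCRUNTIME140.dll Signed=true",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ImageLoaded=C:\\Users\\alice\\Downloads\\payload.xll Signed=false",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE ImageLoaded=C:\\Users\\bob\\AppData\\Local\\Temp\\quote.xll Signed=true",
]


def parse_record(line: str) -> dict:
    """Split a 'Key=value Key=value' record; values may contain spaces."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s\w+=|$)", line))


def classify_load(rec: dict) -> Optional[str]:
    """Severity for an XLL loaded by Excel, or None if the record is not one."""
    image = PureWindowsPath(rec.get("Image", "")).name.lower()
    loaded = rec.get("ImageLoaded", "")
    if image != "excel.exe" or not loaded.lower().endswith(".xll"):
        return None
    from_dropzone = any(d in loaded.lower() for d in USER_WRITABLE)
    unsigned = rec.get("Signed", "false").lower() != "true"
    if from_dropzone and unsigned:
        return "high"      # unsigned add-in straight from an attachment folder
    if from_dropzone or unsigned:
        return "medium"
    return "low"           # signed XLL from an installed location: likely legitimate


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, loaded path) for every Excel XLL load in the records."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        severity = classify_load(rec)
        if severity:
            hits.append((severity, rec["ImageLoaded"]))
    return hits


if __name__ == "__main__":
    for severity, path in scan(SAMPLE_RECORDS):
        print(f"{severity:6} {path}")
```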