In recent months, we have seen a growth in malware campaigns using malicious Microsoft Excel add-in (XLL) files to infect systems. This technique is tracked in MITRE ATT&CK as T1137.006. The idea behind such add-ins is that they contain high-performance functions and can be called from an Excel worksheet via an application programming interface (API). This feature enables users to extend the functionality of Excel more powerfully compared to other scripting interfaces like Visual Basic for Applications (VBA) because it supports more capabilities, such as multithreading. However, attackers can also make use of these capabilities to achieve malicious objectives.
In the campaigns we saw, emails with malicious XLL attachments or links were sent to users. Double-clicking the attachment opens Microsoft Excel, which prompts the user to install and activate the add-in.
Figure 1 – Prompt shown to user when opening an XLL file.
Attackers usually place their code in the xlAutoOpen function, which is executed immediately when the add-in is activated. What makes this technique dangerous is that only one click is required to run the malware, unlike VBA macros which require the user to disable Microsoft Office’s Protected View and enable macro content. However, XLL files are portable executables that follow the format of dynamic link libraries (DLLs) which many email gateways already block. We recommend organizations consider the following mitigations:
- Configure your email gateway to block inbound emails containing XLL attachments.
- Configure Microsoft Excel to only permit add-ins signed by trusted publishers.
- Configure Microsoft Excel to disable proprietary add-ins entirely.
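For the first mitigation, a gateway or triage script can recognise an XLL by content rather than by file name, because an XLL is a DLL that exports xlAutoOpen. The following is an added example, not code from the original article; the function names and the constructed sample image are assumptions made for illustration, and only the Python standard library is used.

```python
import struct

def _off(sections, rva):
    # Map a relative virtual address to a file offset using the section table.
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + rva - vaddr
    raise ValueError("RVA outside all sections")

def pe_export_names(data):
    """Exported names of a PE image; [] if not a PE, malformed, or no exports."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24
        # Data directories sit at +96 (PE32) or +112 (PE32+); entry 0 is exports.
        dirs = opt + (112 if struct.unpack_from("<H", data, opt)[0] == 0x20B else 96)
        n_dirs, exp_rva = struct.unpack_from("<2I", data, dirs - 4)
        if n_dirs < 1 or exp_rva == 0:
            return []
        # Per section: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData.
        sections = [struct.unpack_from("<4I", data, opt + opt_size + 40 * i + 8)
                    for i in range(nsect)]
        exp = _off(sections, exp_rva)
        n_names, _, names_rva = struct.unpack_from("<3I", data, exp + 24)
        table, names = _off(sections, names_rva), []
        for i in range(min(n_names, 4096)):  # cap guards against hostile counts
            start = _off(sections, struct.unpack_from("<I", data, table + 4 * i)[0])
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):
        return []

def looks_like_xll(data):
    """True for any PE exporting xlAutoOpen, whatever the attachment is named."""
    return "xlAutoOpen" in pe_export_names(data)

def build_sample(export=b"xlAutoOpen"):
    # Constructed, non-functional PE32 skeleton holding only one export name.
    head = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    head += struct.pack("<HH12xHH", 0x14C, 1, 0xE0, 0x2102)          # COFF header
    head += (struct.pack("<H", 0x10B).ljust(92, b"\0")
             + struct.pack("<3I", 16, 0x1000, 0x40)).ljust(0xE0, b"\0")  # optional hdr
    head += b".rdata\0\0" + struct.pack("<4I", 0x200, 0x1000, 0x200, 0x200) + bytes(16)
    exp = bytes(24) + struct.pack("<3I", 1, 0, 0x1028) + bytes(4)    # export directory
    exp += struct.pack("<I", 0x102C) + export + b"\0"                # name table + name
    return head.ljust(0x200, b"\0") + exp.ljust(0x200, b"\0")
```

Truncated or malformed images yield an empty export list instead of raising, so the check can sit in a mail-processing path without failing on damaged attachments.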
XLL Malware for Sale
The rise in XLL attacks led us to search underground forums to gauge the popularity of tooling and services using this file format. We encountered adverts from one threat actor repeatedly, who claimed to be selling a builder that creates XLL droppers.
Figure 2 – Forum post advertising an XLL Excel dropper.
The user specifies an executable file or a link to one and adds a decoy document. An XLL file is generated as output, which can then be used in attacks.
Figure 3 – XLL Excel dropper user interface.
Excel-DNA Generated Add-Ins
Most XLL samples we analyzed have the same structure. Essentially, XLL files are DLLs containing an exported function called xlAutoOpen. The most common malicious XLL files we see are those generated using a legitimate software project called Excel-DNA. Looking inside an XLL malware sample that follows this structure, you can see it contains several large resources (Figure 4).
Figure 4 – Resources inside an XLL generated by Excel-DNA.
This includes Excel-DNA project components as well as the add-in, which in this case is a malware dropper. You can identify the file that contains the Excel add-in code by looking at the resource names or the XML definition file that is also stored in the resource section.
Figure 5 – Excel-DNA XML definition.
In this sample, the add-in containing the malicious code is developed in .NET and is located in the MODDNA resource. To inspect the code, you first need to save this resource to disk and decompress it using the Lempel–Ziv–Markov chain algorithm (LZMA). Since the add-in is a .NET application, we can decompile it to retrieve its source code for further analysis. Figure 6 shows the start function of an XLL add-in we analyzed that acts as a malware downloader.
Figure 6 – .NET malware downloader extracted from an XLL file.
XLL files created using the Excel-DNA project can also be unpacked automatically using a script