Dec 5, 2021
0 0

Malicious Excel XLL add-ins push RedLine password-stealing malware

Written by

FBI: Cuba ransomware breached 49 US critical infrastructure orgs
Researchers discover 14 new data-stealing web browser attacks
Microsoft Edge now bashes Google Chrome when you download it
Russian internet watchdog announces ban of six more VPN products
Malicious Excel XLL add-ins push RedLine password-stealing malware
Convincing Microsoft phishing uses fake Office 365 spam alerts
Learn how to develop Android apps with 3 in-depth courses for $13
New Twitter phishing campaign targets verified accounts
Qualys BrowserCheck
Junkware Removal Tool
How to remove the PBlock+ adware browser extension
Remove the Search Redirect
Remove the Search Redirect
Remove the Search Redirect
Remove Security Tool and SecurityTool (Uninstall Guide)
How to remove Antivirus 2009 (Uninstall Instructions)
How to Remove WinFixer / Virtumonde / Msevents / Trojan.vundo
How to remove Google Redirects or the TDSS, TDL3, or Alureon rootkit using TDSSKiller
Locky Ransomware Information, Help Guide, and FAQ
CryptoLocker Ransomware Information Guide and FAQ
CryptorBit and HowDecrypt Information Guide and FAQ
CryptoDefense and How_Decrypt Ransomware Information Guide and FAQ
How to make the Start menu full screen in Windows 10
How to install the Microsoft Visual C++ 2015 Runtime
How to open an elevated PowerShell Admin prompt in Windows 10
How to Translate a Web Page in Google Chrome
How to start Windows in Safe Mode
How to remove a Trojan, Virus, Worm, or other Malware
How to show hidden files in Windows 7
How to see hidden files in Windows
IT Certification Courses
Gear + Gadgets
Phishing malware
Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.
RedLine is an information-stealing Trojan that steals cookies, user names and passwords, and credit cards stored in web browsers, as well as FTP credentials and files from an infected device.
In addition to stealing data, RedLine can execute commands, download and run further malware, and create screenshots of the active Windows screen.
All of this data is collected and sent back to the attackers to be sold on criminal marketplaces or used for other malicious and fraudulent activity.
Over the past two weeks, BleepingComputer’s contact forms have been spammed numerous times with different phishing lures, including fake advertising requests, holiday gift guides, and website promotions.
After researching the lures, BleepingComputer has discovered this to be a widespread campaign targeting many websites using public forums or article comment systems.
In some phishing lures seen by BleepingComputer, the threat actors have created fake websites to host the malicious Excel XLL files used to install the malware.
For example, one campaign used the following spam message and a fake website that imitated the legitimate Plutio site.
Everything you need to run your business.  Manage projects, create dazzling proposals  and get paid faster. Black Friday! All plans are FREE, no credit card required. 
Other spam messages pretend to be payment reports, requests for advertising, or gift guides with links to malicious XLL files hosted on Google Drive, as shown below.
Of particular interest is a lure targeting web site owners with requests to advertise on their site and asking them to review the terms of the offer. This leads to a malicious ‘terms.xll‘ file that installs the malware.
Sell us advertising space on your site from $ 500 
You can read our terms on the link below[.]com/file/d/xxx/view?usp=sharing
Other lures seen by BleepingComputer this week are:
Thanks for using our app. Your payment has been approved. You can see your payment report on the link below https://xxx[.]link/report.xll
Google just revealed the 100 hottest gifts of 2021 
I won $10.000. Want it too? Read and accept the terms[.]com/file/d/xxx/view?usp=sharing
These spam campaigns are designed to push malicious Excel XLL files that download and install the RedLine malware on victims’ Windows devices.
An XLL file is an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks.
XLL files are simply a DLL file that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.
While tests conducted by BleepingComputer and security researcher TheAnalyst, with who we discussed the attack, are not correctly loading the XLL file, they may work in other versions of Microsoft Excel.
However, manually executing the DLL with the regsvr32.exe command or the ‘rundll32 name.xll, xlAutoOpen‘ command will extract the wget.exe program to the %UserProfile% folder and use it to download the RedLine binary from a remote site.
This malicious binary is saved as %UserProfile%JavaBridge32.exe [VirusTotal] and then executed.
A Registry autorun entry will also be created to automatically launch the RedLine information-stealer every time victims log into Windows. 
Once the malware is executed, it will search for valuable data to steal, including credentials and credit cards stored in the Chrome, Edge, Firefox, Brave, and Opera browsers.
If you have become a victim of this campaign, you should assume that your stored passwords are compromised and immediately change them. Additionally, if you have credit cards stored in your browsers, you should contact your credit card company to alert them of the incident.
As XLL files are executables, threat actors can use them to perform a variety of malicious behavior on a device. Therefore, you must never open one unless it comes from a trusted source.
These files are not generally sent as attachments but instead installed through another program or via your Windows admin.
Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam.
Snake malware biting hard on 50 apps for only $25
Massive campaign uses YouTube to push password-stealing malware
Malicious Android app steals Malaysian bank credentials, MFA codes
APT37 targets journalists with Chinotto multi-platform malware
Windows Finger command abused by phishing to download malware
Not a member yet? Register Now
FBI: Cuba ransomware breached 49 US critical infrastructure orgs
Microsoft reverses Windows 11’s annoying default browser setting changes
To receive periodic updates and news from BleepingComputer, please use the form below.
Terms of Use Privacy PolicyEthics Statement
Copyright @ 2003 – 2021 Bleeping Computer® LLC – All Rights Reserved
Not a member yet? Register Now
Read our posting guidelinese to learn what content is prohibited.


Article Categories:
Cybersecurity News

Comments are closed.