Macro 4.0 is Dead Long Live The XLL

Arda Büyükkaya
8 min readJan 24, 2022

--

A quick summary about this Blog post

Often times Threat Actors use Windows Office Document as a Malware Spreading tool by abusing one of the key features of Office Document. One of them called Office Macro. An attacker can construct a VBA script Macro that makes Windows API calls to execute Shellcode or utilize certain commands to steal information from victim machine.

EDR and AV products developed to mitigate this issue, they are now equipped better at stopping malware that uses Office Macros than four years ago So you may think to yourself, is it enough to stop attacks that rely on the abuse of Office Documents ? The answer is NO !

Threat Actors used more interesting ways to execute Malicious Payloads. Use of Macro 4.0 is one of such examples.

What is Macro 4.0

Excel 4.0 macro, also known as XLM 4.0 macro, is a benign record-and-playback feature of Microsoft Excel that was introduced back in 1992. This piece of programming code is a solution to automating repetitive tasks in Excel, but unfortunately, also a covert backdoor to malware delivery and abused so often by Threat Actors like Emotet.

(Blog post has been published by VMware)

From an EDR-AV perspective, it is harder to identify the execution of Excel Macro 4.0 at runtime than an execution of a normal VBA Office macro that uses a good old Auto_Open() function . Even so Microsoft has officially disabled Excel 4.0 macro support, thread actors and defenders still play a game of Ping Pong.

(Awesome post from Catalin Cimpanu)

And now, 2022, what is the latest and possibly most abused feature of Microsoft Office Document? Ladies and gentlemen, let me introduce you to XLL.

Malicious XLL file hosted on Google Drive

Technical Analysis of XLL Malwares

I’m currently working as a Malware Analyst but In my career I also worked as a Red Teamer. I would like to combine these two fields in this post to give more information about how this attack is acquired, how we can protect ourselves against this kind of attack and how I can test this on my own Network.

Abusing Excel XLL files

XLL files are Excel add-in files. They’re DLL files specifically designed to be run by Microsoft Excel. Think of an XLL file as an Excel DLL that includes an ‘xlAutoOpen’ function executed by Microsoft Excel when the add-in is opened.

Threat Actor can start Phishing campaigns designed to push malicious Excel XLL files that download and install the Malware on victims Windows devices.

VirusTotal Scan results for Malicious XLL Payload. Only 3 of 66 AV Scanners find this as Malware and we will use this Technique to test our Network.

Attack Demonstration

Create a Meterpreter RC4 Encrypted Payload

Firstly we need to create a DLL Payload that will give us Remote Shell on the victim device, you can use whatever you want but In this demo we will use Meterpreter RC4 Encrypted Shellcode (windows/meterpreter/reverse_tcp_rc4).

We will store this Payload and on our humble web server as a PNG format. After user clicks on the XLL Office Document it will automatically download our Malware and store it under C:\ Folder (you can always choose whatever folder you want)

Simple Python Server to stores our DLL Payload as .png format.

Listen to the communication between Attacker and Victim Device.

Create the Malicious XLL Office Document

To perform this attack we can use a Open Source project called XLL_POC (https://github.com/moohax/xllpoc) made by moo_hax.

I would like to create this attack sequence but you can always make a more evasive or creative sequence by yourself :

1. Victim opens the XLL file

2. Our Payload has been installed on Victim Device via my favorite Windows LOLBIN called Curl.exe

3. Dropped DLL Payload has been executed by Rundll32.exe under C:\nothingToSeeHereLOL.dll

4. Even if the XLL file has been closed by the Victim , our Shells still remain in memory. (Tip you can get Persistence Shell via DLL Side Loading caused by GoogleUpdate.exe go to the this URL for further information)

Clone the XLL_POC on Github page and add this simple code, it will use system() Function to execute Command line arguments on victim device.

So what ? is there any PoC video yes here we go :

https://youtu.be/gySGAGBdQpc

Abusing Notion CDN Servers to Store our Payload

If you want to store your Meterpreter Payload and bypass some URL Filters you come to the right place. Joke aside Threat actors can abuse *amazonaws.com servers to store Malwares, here is how.

During my Research on fancy methods to store Malwares I found out one of my favorite Note taking Software called Notion can able to store your Malware, well that’s a cool feature.

Here is how :

Drag and drop your DLL Payload — Copy the URL and Paste it into your Curl command .Now you have 24-hours before it gets deleted on Notion’s Server.

https://www.youtube.com/watch?v=4y9NtHlJvbY

Malicious URL for Downloading Meterpreter Payload

Analyzing the Variant of Vidar Spreading With XLL Malware

Right now you can test this attack scenario on your own LAB to perform basic Adversary Simulation.

We can continue on our Malware Analysis techniques for extracting valuable IOC data from an XLL Malware named PURCHASE ORDER AZAS112.xls.xll contains Vidar Backdoor.

You can find this Malware Sample on MalwareBazaar.

When we examine this XLL Office Document we can see that Attackers try to use a lossy technique to Phish the Victims, it can seem funny but this Phishing Technique sometimes works against humans.

Attacker set the extensions as XLS to fool the user, but it is a XLL file. We can see it on the Hex Editor it contains the MZ magic header.

Observed Malware sample on HexEditor

We can continue to our analysis with my favorite tool called PE-Bear. It is Developed by a awesome Malware Researcher called hasherezade you can find her work on this Github page.

When we put our bigger lens, we can saw the Resources section in this DLL Malware (remember XLL Office Document just contains DLL) it have an interesting data name called as DNA ,we will extract this data and continue our Research.

We can also see the XLL Document use a special Function called ‘xlAutoOpen’ to execute itself Automatically when the user clicks on it. As a Metadata we can see the Creation date/time of Malware (23.06.2022) and one more interesting String called ExcelDna64.xll

If we make a little Search about ExcelDna64.xll on Google we will make that hmm moment because it looks like this Malware samples use a tool called ExcelDna to load .NET Payload.

Just like in this example of Vidar Backdoor, Threat Actors often use Public Tooling on Github.

We can see that Vidar Backdoor must be written in .NET

Analyzing on .NET Payload

If we Extract Resource data via PE-Bear, we can see Vidar Backdoor coded in .NET ,inside the XLL Payload it named and stored as JACK , have been stored and loaded via .NET loader ExcelDna.

XML Resource File has been extract from XLL :

Initial Payload DLL called JACK :

Let’s say hi to Jack via dnspy:

If we looked at Jack.dll we can understand that, when victim open the XLL Office Document ,malicious payload Automatically execute it self as service.exe

The Payload Variable contains the Shellcode of Vidar Backdoor.

If we disassemble the Payload we can see the Command and Control Server used by Vidar Threat Actor. (himarkh[.]xyz)

Conclusion

At this moment we saw how Threat Actors are abusing the Microsoft Office Documents features like XLL to spread the Malwares, we made an Malware Analysis on Vidar Backdoor that use a interesting .NET loader technique to evade detection.

Also I showed a demonstration to how to perform a similar attack technique with XLL Payload on our LAB environment. Adversary Simulation shown on this Blog post can answer us this question, are we prepared for this kind of attack ?

At this moment when you read this Blog post , Threat Actors are still trying to find another interesting technique to evade detection and execute Malware on Corporate Networks.

Threat Actors selling their XLL Payload Generation Service on RaidForms

We have seen a growth in Malware campaigns using malicious Microsoft Excel (XLL) files to deliver Malware families such as Dridex, Agent Tesla, Raccoon Stealer and Formbook.

It is always best to be prepared for such an attack before the attack happens on your Network.

Monitoring and responding to new, emergent cyber-criminal trends is a key part of what we do in InfinitumLabs, ensuring intelligent and adaptive protection to InfinitumLabs customers.

--

--

Arda Büyükkaya
Arda Büyükkaya

Written by Arda Büyükkaya

Programmer, Malware Analyst and Vulnerability Researcher

No responses yet