XenoRAT Weaponizes Excel XLL Files To Evade Protection Systems


A new attack vector has recently been uncovered in which XenoRAT, an open-source remote access tool, is delivered through Excel XLL files.

This sophisticated approach demonstrates the evolving tactics of threat actors to bypass security measures and infiltrate systems.


Hunt researchers stumbled upon this novel XenoRAT sample while analyzing malware repositories. The malware, typically known for targeting gamers, was found packaged as an XLL file generated using the Excel-DNA framework and protected by ConfuserEx.

Security analysts at Hunt note that XenoRAT is written in C# and has gained notoriety for its accessibility and widespread use in various campaigns.

Previously associated with targeting gamers via spearphishing and software masquerading, it has now expanded its reach.


Technical Analysis

The malware sample, disguised as “Payment Details,” employs a multi-stage attack process:-

  1. Initial Delivery: An XLL file generated with Excel-DNA
  2. Obfuscation: Heavy use of ConfuserEx to hinder analysis
  3. Execution Chain: Triggers a complex series of events, including:-
     • Launching an obfuscated batch file
     • Executing an SFX RAR archive
     • Displaying a decoy PDF to maintain the illusion of legitimacy

Resources of the malicious XLL file (Source – Hunt)

The attackers have implemented several sophisticated methods to evade detection:-

  • Excel-DNA Abuse: Leveraging a legitimate Excel development tool to load compressed .NET assemblies directly into memory
  • Obfuscation: Heavily obfuscated “MAIN” module to conceal functionality
  • Timestamp Manipulation: Anomalous compilation timestamp (10/22/2052) to bypass security filters

The identified command-and-control (C2) server, communicating over TCP port 1391, is hosted in Bulgaria. A self-signed certificate was detected on the RDP port, providing potential avenues for future monitoring.

This new attack vector highlights the adaptability of threat actors and the potential risks associated with less common file extensions. Security professionals are advised to:-

  • Implement stricter monitoring of XLL files and other uncommon extensions
  • Enhance detection capabilities for obfuscated malware
  • Regularly update and patch systems to mitigate potential vulnerabilities
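Two of the signals the article calls out, the uncommon XLL extension and the future-dated compile timestamp (10/22/2052), are cheap to check automatically during triage. The following Python is an added example, not Hunt's tooling and not code from the XenoRAT sample: it reads only the DOS/COFF header of a PE image, flags watched extensions and implausible `TimeDateStamp` values, and runs against a constructed header stub. The extension list, the plausibility window, and the frozen `FIXED_NOW` clock are assumptions for the demo.

```python
"""Triage helper: flag watched add-in extensions and anomalous PE compile timestamps.

Added example (not Hunt's tooling). Assumes the input is a Windows PE image; the
sample below is a constructed header stub, not the real XenoRAT loader.
"""
import struct
from datetime import datetime, timezone

# Add-in extensions that rarely appear in normal mail flow but load native or .NET code (assumption).
WATCHED_EXTENSIONS = {".xll", ".wll", ".xlam"}

# Compile dates outside this window are treated as anomalous (assumption).
MIN_PLAUSIBLE = datetime(1995, 1, 1, tzinfo=timezone.utc)
FIXED_NOW = datetime(2024, 11, 1, tzinfo=timezone.utc)  # frozen clock so results are reproducible

# Constructed timestamps: one matching the article's 10/22/2052 anomaly, one ordinary.
SAMPLE_TS_2052 = int(datetime(2052, 10, 22, tzinfo=timezone.utc).timestamp())
SAMPLE_TS_2024 = int(datetime(2024, 6, 1, tzinfo=timezone.utc).timestamp())


def build_min_pe(timestamp: int) -> bytes:
    """Build a minimal MZ/PE header stub carrying the given TimeDateStamp (constructed test data)."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)  # e_lfanew -> offset of the PE signature
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | DLL)
    coff = struct.pack("<HHIIIHH", 0x8664, 2, timestamp, 0, 0, 0xF0, 0x2002)
    return bytes(dos) + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp as an aware UTC datetime; raise ValueError on non-PE input."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    if len(data) < e_lfanew + 24:  # signature (4) + COFF header (20)
        raise ValueError("truncated COFF header")
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # TimeDateStamp follows Machine+NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def triage_file(name: str, data: bytes, now: datetime = None) -> list:
    """Return human-readable findings for one file; an empty list means nothing stood out."""
    if now is None:
        now = datetime.now(timezone.utc)
    findings = []
    ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
    if ext in WATCHED_EXTENSIONS:
        findings.append(f"uncommon executable extension {ext}")
    try:
        compiled = pe_compile_time(data)
    except ValueError as exc:
        findings.append(f"unparseable PE header: {exc}")
        return findings
    if compiled > now:
        findings.append(f"compile timestamp {compiled:%Y-%m-%d} is in the future")
    elif compiled < MIN_PLAUSIBLE:
        findings.append(f"compile timestamp {compiled:%Y-%m-%d} predates the Win32 era")
    return findings


if __name__ == "__main__":
    # Constructed sample named after the article's lure, with the anomalous timestamp.
    for finding in triage_file("Payment Details.xll", build_min_pe(SAMPLE_TS_2052), now=FIXED_NOW):
        print("FINDING:", finding)
```

A real deployment would feed attachments or endpoint file-creation events through `triage_file` and route any non-empty result to a detonation sandbox; the timestamp check alone is weak (build systems can legitimately produce odd dates), so it is best treated as one score among several rather than a blocking rule.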

As threat actors continue to evolve their tactics, maintaining vigilance and adapting security measures remain crucial in the ongoing battle against malware threats.
