Attack Technique Analysis | XLL breaks new ground, and in-the-wild document phishing may enter a new stage

Author: NetShield Technology

Recently, researchers at Yoroi published a technical analysis of document-phishing cases that abuse Excel's XLL add-in format. Yoroi noted that the technique has been used by a number of attackers since mid-2021, and boldly predicted that XLL may break the mould of Office document phishing and become the new hot technique that changes the threat landscape in 2022. This article analyses the new technique of embedding malicious .NET code in an XLL add-in and explores the attack surface that XLL gains in a .NET context.

Organization name: Unknown

Tactical tags: Document phishing, execution, defense evasion

Technical tags: Document phishing, XLL, .NET, CLR hosting

Intelligence sources:

https://yoroi.company/research/office-documents-may-the-xll-technique-change-the-threat-landscape-in-2022/

https://attack.mitre.org/techniques/T1137/006/

https://labs.f-secure.com/archive/add-in-opportunities-for-office-persistence/

XLL/WLL files and their persistence techniques

Microsoft allows third-party developers to write extensions for Office applications in C/C++. Excel and Word extensions use the XLL and WLL file formats respectively; such a file is essentially a DLL with a special extension and a set of exported functions. Because of the special role of Office extensions, an XLL file carries an Excel-like icon that is easy to mistake for a document, and double-clicking it launches Excel directly, which then tries to load it.

Although Yoroi's recent analysis has brought XLL files into the spotlight, ways of attacking with XLL already existed. The MITRE ATT&CK entry "T1137.006 Office Application Startup: Add-ins" describes the use of WLL/XLL files for persistence, and in an attack in May 2020 the Naikon group used Word's WLL extension format for persistence in the post-exploitation phase.

The persistence methods using WLL and XLL are essentially the same: the Office program loads the extension DLL and executes the malicious code in it. The specific steps differ, however.

A DLL containing malicious code, renamed with the "WLL" extension and placed in Word's trusted Startup directory, is loaded automatically when Word starts.

Persistence via XLL is slightly more cumbersome: the attacker creates the corresponding values in the registry and places the XLL file in Excel's add-in search directory (%appdata%\Microsoft\AddIns). When Excel loads the add-in, it looks up and calls the DLL's exported function named xlAutoOpen.
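
Because an XLL (or WLL) is just a DLL with a different extension, triage should not rely on the file name; Excel decides whether a file is an add-in by its exported xlAutoOpen function. The script below is an added example written for this article, not code from the article, from Yoroi, or from any add-in project. It parses the PE export directory in pure Python (offsets follow the PE/COFF format; no pefile dependency) and flags any image that exports xlAutoOpen, whatever extension it carries. The build_sample_dll helper is a constructed fixture, a header-only PE32 image that contains nothing but an export table, so the script runs offline; real add-ins obviously contain code as well.

```python
"""Triage helper: identify Excel add-in DLLs (XLL) by their export table.

Excel recognises an XLL by its exported xlAutoOpen function regardless of the
file extension, so this parser reads the PE export directory directly.
build_sample_dll() is a constructed fixture (header-only image, not loadable)
so the script can be run without any real sample on disk.
"""
import struct
import sys


def pe_exports(data: bytes) -> list:
    """Return the exported names of a PE image, or [] if it exports nothing."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = pe_off + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    # DataDirectory[0] is the export table: at +96 for PE32, +112 for PE32+.
    export_rva, _export_size = struct.unpack_from("<II", data, opt + (96 if magic == 0x10B else 112))
    if export_rva == 0:
        return []
    # Section table follows the optional header, 40 bytes per entry.
    sections = []
    for i in range(num_sections):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva_to_off(rva: int) -> int:
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} is outside every section")

    exp = rva_to_off(export_rva)
    (num_names,) = struct.unpack_from("<I", data, exp + 24)   # NumberOfNames
    (names_rva,) = struct.unpack_from("<I", data, exp + 32)   # AddressOfNames
    names_off = rva_to_off(names_rva)
    names = []
    for i in range(num_names):
        (name_rva,) = struct.unpack_from("<I", data, names_off + 4 * i)
        start = rva_to_off(name_rva)
        names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
    return names


def looks_like_excel_addin(data: bytes) -> bool:
    """True if the image exports xlAutoOpen, i.e. Excel would treat it as an XLL."""
    return "xlAutoOpen" in pe_exports(data)


def build_sample_dll(export_names) -> bytes:
    """Constructed fixture: minimal PE32 image whose only payload is an export
    directory listing export_names. Enough for pe_exports(), not loadable."""
    sec_rva, sec_raw = 0x1000, 0x200
    n = len(export_names)
    names_table_rva = sec_rva + 40                  # right after the 40-byte directory
    strings_rva = names_table_rva + 4 * n
    strings, name_rvas = b"", []
    for name in export_names:
        name_rvas.append(strings_rva + len(strings))
        strings += name.encode("ascii") + b"\0"
    export_dir = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, 0, 1, n, n, 0, names_table_rva, 0)
    payload = export_dir + b"".join(struct.pack("<I", r) for r in name_rvas) + strings
    section = payload.ljust(sec_raw, b"\0")
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<II", opt, 96, sec_rva, len(payload))         # export DataDirectory
    sec_hdr = (b".edata".ljust(8, b"\0")
               + struct.pack("<IIII", len(payload), sec_rva, len(section), sec_raw) + b"\0" * 16)
    header = (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b"\0")
    return header + section


if __name__ == "__main__":
    # Scan files given on the command line; with none, demonstrate on the fixture.
    targets = sys.argv[1:]
    if not targets:
        sample = build_sample_dll(["xlAutoOpen", "xlAutoClose"])
        print("constructed sample:", pe_exports(sample), "-> XLL?", looks_like_excel_addin(sample))
    for path in targets:
        with open(path, "rb") as f:
            data = f.read()
        try:
            print(path, "-> XLL?", looks_like_excel_addin(data), "exports:", pe_exports(data)[:10])
        except (ValueError, struct.error) as err:
            print(path, "-> skipped:", err)
```

Pointing the script at every file in %appdata%\Microsoft\AddIns and Word's Startup directory, rather than only at files ending in .xll or .wll, is what catches a renamed DLL; a hit on xlAutoOpen is then a candidate for the signature and reputation checks the article mentions as the practical screening mechanism.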

An open-source project brings the .NET attack surface to XLL

The attackers used the open-source project Excel-DNA to embed a malicious .NET payload in the XLL sample. The .NET assembly containing the malicious code was compressed and stored in the XLL's resource section, which makes static detection of the malicious code harder.

Excel-DNA gives developers a bridge: its own XLL file (a native DLL) acts as the middle layer through which Excel extensions are written in .NET. At run time the XLL both initializes the .NET environment and decompresses the .NET assembly from the resource section, creating the conditions for subsequent execution.

Excel-DNA uses CLR hosting to initialize the .NET runtime and thereby run .NET code inside a native program. By choosing different initialization paths the attacker can select which .NET version is loaded; Excel-DNA supports versions from .NET 2.0 up to the latest .NET 4.5, and this compatibility also lets attackers reuse existing .NET offensive tooling inside an XLL.

After the malicious code in the .NET assembly runs, the attacker dynamically loads the next-stage .NET assembly and calls functions in it, taking advantage of .NET's flexible loading mechanism.

The introduction of .NET extends the attack surface of XLL files and makes it possible to use the defense-evasion techniques available in .NET, which increases the complexity and stealth of the execution chain and makes detection by security products harder. However, the use of XLL files is still constrained by a number of security measures; in practice, such suspicious files can be screened effectively through mechanisms such as signatures. The open-source project used by this attacker was not designed for defense evasion, and its fixed characteristics and simple payload-storage scheme reduce the effort needed for analysis, so the threat from attacks built on this project does not appear to be one to fear.

Neither XLL nor CLR hosting is new, but combining the two gives attackers a chance to breathe new life into existing techniques. With today's vigorous research into .NET attack techniques and development of .NET weaponry, this kind of attack technique undoubtedly has greater potential for use. Yoroi's researchers may have slightly overstated their assessment that XLL will change the threat landscape in 2022, but this innovative "old wine in new bottles" attack model deserves the attention and vigilance of blue-team researchers and security vendors.