Phishing malware

Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.

RedLine is an information-stealing Trojan that steals cookies, user names and passwords, and credit cards stored in web browsers, as well as FTP credentials and files from an infected device.

In addition to stealing data, RedLine can execute commands, download and run further malware, and create screenshots of the active Windows screen.

All of this data is collected and sent back to the attackers to be sold on criminal marketplaces or used for other malicious and fraudulent activity.

Spamming contact forms and discussion forums

Over the past two weeks, BleepingComputer's contact forms have been spammed numerous times with different phishing lures, including fake advertising requests, holiday gift guides, and website promotions.

After researching the lures, BleepingComputer has discovered this to be a widespread campaign targeting many websites using public forums or article comment systems.

In some phishing lures seen by BleepingComputer, the threat actors have created fake websites to host the malicious Excel XLL files used to install the malware.

For example, one campaign used the following spam message and a fake website that imitated the legitimate Plutio site.

Everything you need to run your business.  Manage projects, create dazzling proposals  and get paid faster. Black Friday! All plans are FREE, no credit card required. 

Fake Plutio website developed to push malicious XLL files
Fake Plutio website developed to push malicious XLL files
Source: BleepingComputer

Other spam messages pretend to be payment reports, requests for advertising, or gift guides with links to malicious XLL files hosted on Google Drive, as shown below.

Malicious XLL file hosted on Google Drive
Malicious XLL file hosted on Google Drive
Source: BleepingComputer

Of particular interest is a lure targeting web site owners with requests to advertise on their site and asking them to review the terms of the offer. This leads to a malicious 'terms.xll' file that installs the malware.

Sell us advertising space on your site from $ 500 
You can read our terms on the link below 
https://drive.google[.]com/file/d/xxx/view?usp=sharing

Other lures seen by BleepingComputer this week are:

Thanks for using our app. Your payment has been approved. You can see your payment report on the link below https://xxx[.]link/report.xll

Google just revealed the 100 hottest gifts of 2021 
 
I won $10.000. Want it too? Read and accept the terms 
https://drive.google[.]com/file/d/xxx/view?usp=sharing

Abusing Excel XLL files

These spam campaigns are designed to push malicious Excel XLL files that download and install the RedLine malware on victims' Windows devices.

An XLL file is an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks.

XLL files are simply a DLL file that includes an 'xlAutoOpen' function executed by Microsoft Excel when the add-in is opened.

Opening malicious add-in in Excel
Opening malicious add-in in Excel
Source: BleepingComputer

While tests conducted by BleepingComputer and security researcher TheAnalyst, with who we discussed the attack, are not correctly loading the XLL file, they may work in other versions of Microsoft Excel.

However, manually executing the DLL with the regsvr32.exe command or the 'rundll32 name.xll, xlAutoOpen' command will extract the wget.exe program to the %UserProfile% folder and use it to download the RedLine binary from a remote site.

XLL DLL downloading the RedLine malware using wget
XLL DLL downloading the RedLine malware using wget
Source: BleepingComputer

This malicious binary is saved as %UserProfile%\JavaBridge32.exe [VirusTotal] and then executed.

A Registry autorun entry will also be created to automatically launch the RedLine information-stealer every time victims log into Windows. 

RedLine autorun added to the Windows Registry
RedLine autorun added to the Windows Registry
Source: BleepingComputer

Once the malware is executed, it will search for valuable data to steal, including credentials and credit cards stored in the Chrome, Edge, Firefox, Brave, and Opera browsers.

If you have become a victim of this campaign, you should assume that your stored passwords are compromised and immediately change them. Additionally, if you have credit cards stored in your browsers, you should contact your credit card company to alert them of the incident.

As XLL files are executables, threat actors can use them to perform a variety of malicious behavior on a device. Therefore, you must never open one unless it comes from a trusted source.

These files are not generally sent as attachments but instead installed through another program or via your Windows admin.

Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam.

Related Articles:

Fake cheat lures gamers into spreading infostealer malware

Malicious PowerShell script pushing malware looks AI-written

Chrome Enterprise gets Premium security but you have to pay for it

Visa warns of new JSOutProx malware variant targeting financial orgs

Activision: Enable 2FA to secure accounts recently stolen by malware

IOCs

XLL files:

terms.xll, report.xll, terms_of_use.xll
f6c06615e35798274dfa9c4b28aaa6d94220804e766e9a70c4f0dab4779ee1db

RedLine:

JavaBridge32.exe: 626db53138176b8a371878ebaa2dbbd724be9a74f9f82ef9ebb7b7bfc0c6b2e9