• Rss
  • LinkedIn
  • Youtube
  • Twitter
  • Instagram
  • English English English en
  • Deutsch Deutsch German de
Sales: +49 5251 304-800 | Support: +49 5251 304-636
NoSpamProxy
  • HOME
  • PRODUCT
    • NoSpamProxy Cloud
    • NoSpamProxy Protection
    • NoSpamProxy Encryption
    • NoSpamProxy Large Files
    • NoSpamProxy Disclaimer
  • SUPPORT
    • Knowledge Base
    • Forum
    • Training courses
    • Support Request
    • Software-Download
    • Resources
  • PARTNERS
    • Finding Resellers
    • Becoming Reseller
    • Partner Portal
  • COMPANY
    • Team
    • Testimonials
    • Career
    • Contact
  • EVENTS
    • Events
    • Webcast Training
  • BLOG
  • FREE TRIAL VERSION
    • Price request
    • Free trial version
  • English
    • Deutsch
  • Search
  • Menu Menu
  • Excel als Malware-Schleuder Gefahr durch XLL-Dateien

Excel as a Malware Launchpad: Danger From XLL Files

Stefan Feist | Technischer Redakteur
Author: Stefan FeistTechnical Writerhttps://www.linkedin.com/in/stefan-feist-23b257b0/–Connect on LinkedIn

Criminals are always finding new ways to distribute malware, and the battle against attacks from the internet is continuously fought. Sometimes the good guys win, but no sooner is one threat defused than the next one pops up. Not only that: ransomware attacks are increasing dramatically.

In the current case, these are attacks with the help of XLL files. These are used to install malware on the victims’ computers. What XLL files are, why they are so dangerous and how NoSpamProxy protects you from this threat, you will learn in this blog article.

What are XLL files?

XLL files are Excel macro libraries and belong to the category of Excel add-ins. In newer Excel versions they have been replaced by XLAM files. Both offer the possibility to use user-defined functionalities in Microsoft Excel.

Why are XLL files dangerous?

XLLs are dynamic link libraries (DLLs) and therefore executable files. Many people know that you should not download every .exe file – but this also applies to XLL files: Like .exe files, these consist of binary code that can execute a wide variety of functions within the right host programme.

The host of an XLL file is obviously Microsoft Excel, and all files in the XLL format are automatically linked to Excel. When the user opens such a file, Excel is opened, which first asks for permission to execute the respective add-in – and thus the code it contains.

There are a variety of legitimate add-ins that can be used to extend the functionality of Excel, from calendar tools to charting to data analysis and formatting. The possibilities are almost endless – and unfortunately so are the possibilities for misuse, which the Internet Storm Center warned about as early as July 2021.

The contamination with malware Hancitor is only the first step

The criminals use various attack vectors to distribute the malicious XLL files. In some cases, victims are directed to fake websites using phishing emails, from which the XLL file is then downloaded, which in turn loads further malware.

Often, however, the XLL files are sent directly as an email attachment. If the default blocking of XLL files has been deactivated by the administrator, a single click is enough to set the infection of the computer in motion. The malware used in the cases observed by the Internet Storm Center is Hancitor (also known as Chanitor), which has been spreading since 2013 and in this scenario initially generates so-called command and control traffic (C2 traffic).

This means that the infected computer contacts a server that provides further instructions. In the recent past, two subsequent scenarios were observed after infection with Hancitor:

Attacks through Cobalt Strike in Active Directory Environments

Cobalt Strike is a legitimate commercial tool for penetration testing. It is used to re-enact attacks by cybercriminals in realistic scenarios to improve defences against criminals.

Unfortunately, Cobalt Strike is now often used by the criminals themselves, because they can execute practically any kind of command on the affected computers, transfer data, perform keylogging and much more. Cobalt Strike is used exclusively in Active Directory environments.

Attacks through Ficker Stealer

Since 2020, the Infostealer malware Ficker Stealer has appeared in increasing numbers. It is used by criminals to steal sensitive information of all kinds: passwords, FTP client information, login information and session information from various chat and email clients, credit card information and much more.

malware attack XLL files

Example of a possible malware infection through XLL files

NoSpamProxy protects against harmful XLL files

Users of NoSpamProxy are protected twice against these dangerous files, because both our Metadata Service and the content filter recognise and block them:

Easily sort out executable files

In the content filter, it is sufficient to define executable files as a condition in a content filter entry. The corresponding email is then either rejected or the XLL attachment is removed, depending on the configuration of the content filter:

content filter setting xll

Metadata Service adjusts the evaluation of emails

The Metadata Service also recognises XLL files and assigns 4 SCL points by default. This means that the Spam Confidence Level is adjusted accordingly, which means that the respective email is accurately recognised as a threat and sorted out.

Automatically protected with NoSpamProxy Cloud

Even in the standard configuration of NoSpamProxy Cloud, you are protected against threats from XLL files. Even without configuring the content filter yourself, XLL files are recognised and the respective emails are rejected.

Protect yourself from attacks with XLL files – test NoSpamProxy now!

With NoSpamProxy you can reliably protect your company against cyber attacks. Request your trial version now!

Get your free 30-day NoSpamProxy trial
  • share 
  • share 
  • tweet 
  • email 

SEARCH

PRODUCT

  • All Topics
  • NoSpamProxy Cloud
  • NoSpamProxy Protection
  • NoSpamProxy Encryption
  • NospamProxy Large Files

Knowledge Base

Knowledge Base

Note: The information in this knowledge base is only relevant for NoSpamProxy up to version 13.2. All information for NoSpamProxy 14 and higher can be found in the online documentation.

CATEGORY

  • All Topics
  • News
  • Product
  • Tech & Support
  • Events
Subscribeto RSS Feed

NoSpamProxy

  • NoSpamProxy Cloud
  • NoSpamProxy Encryption
  • NoSpamProxy Large Files
  • NoSpamProxy Disclaimer
  • Price request
  • Team
  • Career
  • General terms and conditions
  • Data Protection Information for Business Partners and Applicants
  • Cybersecurity (PSIRT)

Partners

  • Becoming a reseller
  • Partners
  • Order Certificates
  • Newsletter

Categories

  • All topics
  • News
  • Support
  • Updates
  • Order certificates

Latest News

  • Info IconCritical Outlook vulnerability: No threat to NoSpamProxy customers24.03.2023 - 15:09
  • Default filter settings in NoSpamProxy 1422.03.2023 - 10:00
  • NoSpamProxy UpdateGlobal Rollout NoSpamProxy Version 14.0.515.03.2023 - 15:20
IMPRINT • EULA • Privacy Policy • © 2023 Net at Work GmbH
  • Rss
  • LinkedIn
  • Youtube
  • Twitter
  • Instagram
Successfully fend off Rich Text File Type Evasion TricksRich Text File Type Evasion Tricks erfolgreich abwehren PreviewWie Künstliche Intelligenz Phishing skalierbar macht PreviewSpear-throwing machines: How Artificial Intelligence Makes Phishing Scalabl...
Scroll to top