Researchers Uncover XenoRAT’s New Tactics Leveraging Excel XLL Files and Advanced Obfuscation

ransomware attacks bill

Hunt researchers have discovered a novel deployment of XenoRAT, an open-source remote access tool (RAT), leveraging Excel XLL files and advanced obfuscation methods. Known for targeting gamers and posing as legitimate software, this new version marks a significant shift, with potential implications for enterprise networks. According to Hunt, the sample, titled “Payment Details,” was “delivered as an XLL file generated with the open-source Excel-DNA framework, protected by ConfuserEx.”

Traditionally spread through spearphishing and GitHub repositories, this version of XenoRAT utilizes Excel XLL files for delivery. The malicious file, “Payment_Details.xll,” acts as a dropper, deploying the XenoRAT payload alongside another remote access tool. As Hunt researchers note, “Excel-DNA’s ability to load compressed .NET assemblies directly into memory makes it attractive to malware authors seeking to deliver malicious payloads.”

The malware employs ConfuserEx for protection, making detection and analysis significantly more challenging. Tools like Detect It Easy revealed layers of obfuscation, with Hunt stating, “The threat actor(s) went to a great deal of trouble to hinder analysis.

The infection chain begins with the execution of “Payment_Details.xll,” which triggers an obfuscated batch file, “cfgdf.bat.” This initiates the execution of a password-protected SFX RAR archive, resulting in multiple stages:

XenoRAT - Excel XLL

“Pago.pdf” contents used as a decoy to the victim | Image: Hunt

  1. A decoy PDF, “Pago.pdf,” opens, designed to appear as a legitimate financial document.
  2. An additional executable, “cvghfy.exe,” is extracted and executed, containing the obfuscated XenoRAT payload.
  3. Finally, the “Original.exe” file is unpacked, revealing XenoRAT’s configuration and its hardcoded command-and-control (C2) server address: 87.120.116[.]115, communicating over TCP port 1391.

The use of manipulated compilation timestamps further complicates detection, with Hunt reporting an anomalous timestamp set to 10/22/2052, likely to evade heuristics-based security systems.

This deployment suggests a shift in focus from individual users to enterprises. By embedding malicious activity in legitimate tools like Excel-DNA, the attackers demonstrate a capacity to breach trusted environments. Hunt emphasizes, “This method suggests an increased focus on gaining access to enterprise networks, moving beyond XenoRAT’s typical focus on individual users.”

By using Excel XLL files and layering obfuscation with tools like ConfuserEx, attackers have increased the complexity of their campaigns. This discovery highlights the need for vigilance, with Hunt concluding, “Threat actors continue finding ways to exploit trusted software.”

Related Posts: