<— Back

XLLing in Excel – the world of malicious add-ins

When Microsoft announced that they will prevent downloaded VBA macros from executing and users won’t be able to work around that there was an audible sigh of relief in the anti malware researcher’s community. For decades, VBA macros have been one of the main infection vectors employed by many actors, from commodity malware developers to cybercriminals and state sponsored groups. This change will be gradual as we will have to wait until most of the users upgrade to the latest versions of Microsoft Office. Nevertheless, it marks a step change in the malware resilience of Office applications even if take in account that security vulnerabilities will provide another port of entry for malicious code for the foreseeable future. VBA macros and vulnerabilities are not the only way for malicious code to interact with the rich capabilities of Microsoft Office and use Office programs to infect systems. For example, native Excel XLL add-ins, according to Microsoft, are files with extension .xll, a type of dynamic link library (DLL) file that can only be opened by Excel. XLL add-in files must be written in C or C++. 

The C API has none of the higher-level rapid development features of Microsoft Visual Basic for Applications (VBA), COM, or the Microsoft .NET Framework. Memory management is low level, and therefore puts greater responsibility on the developer. Many Excel features that are exposed through COM, making them available through VBA and the .NET Framework, are not exposed to the C API. For malicious actors to run their code when Excel opens an XLL file, the XLL file must contain one of the well-known exported functions which will called when specific events in Excel are triggered. For example, xlAutoOpen, is called by Excel whenever the XLL is activated and xlAutoClose whenever the XLL is unloaded.   

The development of XLL add-ins requires a level of proficiency in C/C++ programming which malware actors often don’t possess so there are several builders that allow threat actors to build certain types of XLL without an in-depth programming knowledge and the API functions. There are other frameworks, such as Excel-DNA which allows easy creation of XLL files using .NET languages. Although XLL files have been used by malicious actors since their introduction by Microsoft, we have observed an increase in their usage since Microsoft announced the discontinuation of VBA macros, even if that decision was temporarily reverted.  

In this presentation, we dive into the world of Microsoft Excell Add-ins and XLL malware. We start with the development process, the official tools such as Excel XLL SDK and the API available to Excel Add-Ins and continue with documenting other tools for building XLL files.  

We discuss evolution of XLL samples since their inception and specifically focus on the most interesting examples indicating that the interest in XLL add-ins is not just in the domain of the most prevalent families of commodity malware.  

We finish with recommendations on how to protect against XLL plugins and the best ways of detecting them.  

Attendees of the session will obtain an in-depth knowledge about developing XLL files as well as information about malware families using them as infection vectors.

Vanja Svajcer

Vanja Svajcer works as a Technical Leader at Cisco Talos. He is a security researcher with more than 20 years of experience in malware research and detection development. Prior to joining Talos, Vanja worked as a Principal Researcher for SophosLabs and led a Security Research Team at Hewlett Packard Enterprise.

Vanja enjoys tinkering with automated analysis systems, reversing binaries and analysing mobile malware. He thinks time spent scraping telemetry data to find indicators of new attacks is well worth the effort. He presented his work at conferences such as Virus Bulletin, RSA, CARO, AVAR, BalcCon and others.

In his free time, he is trying to improve his acoustic guitar skills and often plays basketball, which at his age is not a recommended activity