2021-12-07

Websites with comment sections, message boards, and discussion forums have been compromised by trojan malware stealing passwords through a seemingly harmless Microsoft Excel file.

Bleeping Computer has shared a report confirming that for the past two weeks an anonymous group of hackers has been spamming the contact forms and discussion boards of several websites with false advertisements, e.g., holiday season gift guides or website promotions. In some cases, attackers have even created fake websites using famous brand names and placed a malicious Excel XLL file on them as bait.

An XLL file is an Excel Add-in file. These provide a way to use third-party tools and functions in Microsoft Excel that aren’t natively part of the software. These functions allow Excel to read and write data, import it from other sources, create custom functions, and perform various tasks.

In this case, the function downloads and installs the RedLine malware. RedLine is a Trojan designed to gather information such as login credentials or credit card information from a system. It can even execute commands, download and activate additional malware, and take screenshots of active Windows screens.

As soon as RedLine is installed on a system, it starts harvesting the sensitive information stored by the victim's web browser and transfers it to the attackers' command-and-control servers, where operators sort the data and sell it on the black market.

Because XLL files are executable code, they are potentially dangerous. Users must take special care when receiving these files and must ensure that they come from a trustworthy source before running them.
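An XLL add-in is a native Windows DLL, so a mail gateway or upload handler can recognise one by its content rather than trusting the file extension. The following Python triage check is an added example and not part of the original report; it parses the PE header to tell DLLs and EXEs apart, and the sample byte strings (including the minimal fake PE header) are constructed for the demo.

```python
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
ZIP_MAGIC = b"PK\x03\x04"  # .xlsx/.xlsm files are ZIP containers


def pe_characteristics(data: bytes):
    """Return the COFF Characteristics field if data is a PE image, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # The 20-byte COFF header follows the signature; Characteristics is its last field.
    (chars,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return chars


def classify(name: str, data: bytes) -> str:
    """Classify by content first: a PE image is native code whatever it is called."""
    chars = pe_characteristics(data)
    if chars is not None and chars & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "native-dll" if chars & IMAGE_FILE_DLL else "native-exe"
    if data.startswith(ZIP_MAGIC) and name.lower().endswith((".xlsx", ".xlsm")):
        return "spreadsheet"
    return "other"


def should_block(name: str, data: bytes) -> bool:
    """Block Excel add-ins (.xll) and any PE image, even one renamed to look like a workbook."""
    return name.lower().endswith(".xll") or classify(name, data).startswith("native-")


def make_fake_pe(characteristics: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header (not a runnable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew points right after the stub
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


# Constructed samples: a fake "gift guide" add-in, a real-looking workbook,
# an EXE disguised as a workbook, and a plain text file.
SAMPLES = {
    "gift_guide_2021.xll": make_fake_pe(0x2102),  # DLL flags -> XLL add-in
    "promo.xlsx": ZIP_MAGIC + b"\0" * 60,          # ordinary spreadsheet container
    "invoice.xlsx": make_fake_pe(0x0102),         # executable with a misleading name
    "notes.txt": b"just text",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(f"{fname:22} {classify(fname, blob):12} block={should_block(fname, blob)}")
```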