XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method

Published on

Published on

Published on

Nov 19, 2024

Nov 19, 2024

Nov 19, 2024

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
TABLE OF CONTENTS

While combing through malware repositories for interesting files to analyze, Hunt researchers encountered a XenoRAT sample that stood out-not for its core functionality, but for the tools used to deliver it. Known for typically targeting gamers and posing as legitimate software, this open-source remote access tool was, in this case, delivered as an XLL file generated with the open-source Excel-DNA framework, protected by ConfuserEx, and titled "Payment Details." 

This post will explore the tactical shifts observed in this version of XenoRAT's deployment, focusing on the infrastructure, protective layers, and key changes defenders should watch closely. 

Key Points:

  • Unusual Delivery Tactic: XenoRAT was deployed through Excel XLL files, marking a departure from previously seen delivery vectors.
  • Enhanced Protection: ConfuserEx adds a layer of protection, making the malware more challenging to detect and analyze.
  • Expanded Target Potential: This method suggests an increased focus on gaining access to enterprise networks, moving beyond XenoRAT's typical focus on individual users.

XenoRAT Overview

XenoRAT is an open-source remote access tool (RAT) coded in C# and hosted on GitHub, where its accessibility has enabled widespread use in various campaigns. Known primarily for targeting individual users, especially gamers, through spearphishing and software masquerading as legitimate downloads, XenoRAT has also been delivered through GitHub repositories and communicating with .gg top level domains, as observed in one of our previous blog posts about XenoRAT.

More recently, Cisco Talos highlighted a shift in XenoRAT's usage, with a North Korean-linked actor, tracked as UAT-5394, deploying a customized variant. 

We'll now shift our focus to the sample that caught our attention, Payment_Details.xll.

Special Delivery: Excel XLL and ConfuserEx

Found on Any Run, "21102024_0022_18102024_Payment_Details.gz.zip" (SHA-256: 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e) was downloaded to an analysis environment, and uncovered two files: "Payment_Details.xll" and "PlainText.txt." The latter contains a brief, generic message accompanied by a disclaimer often seen in business email communications, likely crafted to gain the targets trust as part of a financial transaction. 

Contents of PlainText.txt
Figure 1: Contents of PlainText.txt.

Payment_Details.xll

SHA-256: 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152

This file's main purpose is as a dropper, deploying XenoRAT along with an additional remote access tool, which we will cover below. The sample abuses the Excel-DNA framework-a legitimate tool for Excel development. Excel-DNA's ability to load compressed .NET assemblies directly into memory makes it attractive to malware authors seeking to deliver malicious payloads.

Examining the file's embedded resources reveals a heavily obfuscated "MAIN" module. Under typical circumstances, this module would specify the exact .NET component loaded by Excel-DNA; however, in this instance, the obfuscation conceals its true functionality, likely to evade security detections.

Resources of the malicious XLL file
Figure 2: Resources of the malicious XLL file.

Executing the XLL file initiates a complex process chain, with several key events occurring in rapid succession. Shortly after launch, an obfuscated batch file, "cfgdf.bat," is triggered. Though heavily obfuscated, it ultimately initiates the executable "zgouble.sfx.exe," an SFX RAR archive, which likely extracts its contents into the Temp directory.

A heavily obfuscated cfgdf.bat
Figure 3: A heavily obfuscated cfgdf.bat.

While these background processes are underway, a decoy PDF named "Pago.pdf" opens visibly on the user's screen. "Pago," meaning "pay" or "paid" in Spanish, aligns with the document's intent to appear as part of a legitimate financial transaction. Although the PDF is blurry, faint column headings like 'Date' and 'Subtotal' are barely visible, likely another attempt to add to the authenticity of the communications between the user and the threat actor.

"Pago.pdf" contents used as a decoy to the victim
Figure 4: "Pago.pdf" contents used as a decoy to the victim.

The SFX archive is password-protected, limiting direct interaction with its contents. However, as the process chain progresses, another executable, "cvghfy.exe," runs, likely extracted from within the archive. Using tools like Detect It Easy reveals signs of obfuscation, packing, and the use of ConfuserEx-indicating the threat actor(s) went to a great deal of trouble to hinder analysis. 

Analysis results of cvghfy.exe
Figure 5: Analysis results of cvghfy.exe

Using an awesome tool like Unpac.me, we were able to uncover an additional executable, "Original.exe," (SHA-256: 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb)  the latter identified as the XenoRAT payload. Opening Original.exe in dnSpy exposes XenoRAT's configuration, including the hardcoded command-and-control (C2) server address.

XenoRAT hardcoded IP address and configuration data
Figure 6: XenoRAT hardcoded IP address and configuration data. 

Further analysis of the file's metadata shows an anomalous compilation timestamp of 10/22/2052, a manipulation tactic likely employed to evade detection based on standard file timestamp heuristics. This alteration obscures the file's actual age, allowing it to bypass security filters that often rely on creation dates for detection.

Compilation timestamp for the XenoRAT file
Figure 7: Compilation timestamp for the XenoRAT file.

Network Infrastructure

The identified C2 IP address, 87.120.116[.]115, communicates over TCP port 1391 and is hosted within ASN 401115 (EKABI) in Bulgaria, providing few opportunities to pivot toward additional infrastructure linked to this activity.

A self-signed certificate with the common name WIN-HM6FI4VOIEP was detected on RDP port 3389 around the same time this file surfaced. Although we could not uncover additional servers linked to this campaign, the IP address and indicators provided here offer a useful foundation for monitoring in case these tactics reemerge in future activity.

Conclusion

This analysis shed light on a unique deployment of XenoRAT, where traditional tactics gave way to an Excel XLL delivery and layered obfuscation. By leveraging legitimate tools like Excel-DNA and ConfuserEx, the attackers demonstrated how adaptable open-source malware can be, embedding malicious activity within familiar file types and tools. 

This shift in tactics reinforces the need for vigilance, including monitoring or blocking less commonly used file extensions, as threat actors continue finding ways to exploit trusted software.

Network Observables

IP AddressHosting CountryASNNotes
87.120.116[.]115:1391NLEKABIXenoRAT C2 Server

Host Observables

File NameFile TypeSHA-256
Payment_Details.gz.zipZip7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e
Payment_Details.xllXLL48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152
Pago.pdfPDF7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d
cfgdf.batBat18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8
cvghfy.sfx.exeSFX RAR72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17b
cvghfy.exeEXE46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1
Original.exeEXE18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb
TABLE OF CONTENTS

While combing through malware repositories for interesting files to analyze, Hunt researchers encountered a XenoRAT sample that stood out-not for its core functionality, but for the tools used to deliver it. Known for typically targeting gamers and posing as legitimate software, this open-source remote access tool was, in this case, delivered as an XLL file generated with the open-source Excel-DNA framework, protected by ConfuserEx, and titled "Payment Details." 

This post will explore the tactical shifts observed in this version of XenoRAT's deployment, focusing on the infrastructure, protective layers, and key changes defenders should watch closely. 

Key Points:

  • Unusual Delivery Tactic: XenoRAT was deployed through Excel XLL files, marking a departure from previously seen delivery vectors.
  • Enhanced Protection: ConfuserEx adds a layer of protection, making the malware more challenging to detect and analyze.
  • Expanded Target Potential: This method suggests an increased focus on gaining access to enterprise networks, moving beyond XenoRAT's typical focus on individual users.

XenoRAT Overview

XenoRAT is an open-source remote access tool (RAT) coded in C# and hosted on GitHub, where its accessibility has enabled widespread use in various campaigns. Known primarily for targeting individual users, especially gamers, through spearphishing and software masquerading as legitimate downloads, XenoRAT has also been delivered through GitHub repositories and communicating with .gg top level domains, as observed in one of our previous blog posts about XenoRAT.

More recently, Cisco Talos highlighted a shift in XenoRAT's usage, with a North Korean-linked actor, tracked as UAT-5394, deploying a customized variant. 

We'll now shift our focus to the sample that caught our attention, Payment_Details.xll.

Special Delivery: Excel XLL and ConfuserEx

Found on Any Run, "21102024_0022_18102024_Payment_Details.gz.zip" (SHA-256: 7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e) was downloaded to an analysis environment, and uncovered two files: "Payment_Details.xll" and "PlainText.txt." The latter contains a brief, generic message accompanied by a disclaimer often seen in business email communications, likely crafted to gain the targets trust as part of a financial transaction. 

Contents of PlainText.txt
Figure 1: Contents of PlainText.txt.

Payment_Details.xll

SHA-256: 48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152

This file's main purpose is as a dropper, deploying XenoRAT along with an additional remote access tool, which we will cover below. The sample abuses the Excel-DNA framework-a legitimate tool for Excel development. Excel-DNA's ability to load compressed .NET assemblies directly into memory makes it attractive to malware authors seeking to deliver malicious payloads.

Examining the file's embedded resources reveals a heavily obfuscated "MAIN" module. Under typical circumstances, this module would specify the exact .NET component loaded by Excel-DNA; however, in this instance, the obfuscation conceals its true functionality, likely to evade security detections.

Resources of the malicious XLL file
Figure 2: Resources of the malicious XLL file.

Executing the XLL file initiates a complex process chain, with several key events occurring in rapid succession. Shortly after launch, an obfuscated batch file, "cfgdf.bat," is triggered. Though heavily obfuscated, it ultimately initiates the executable "zgouble.sfx.exe," an SFX RAR archive, which likely extracts its contents into the Temp directory.

A heavily obfuscated cfgdf.bat
Figure 3: A heavily obfuscated cfgdf.bat.

While these background processes are underway, a decoy PDF named "Pago.pdf" opens visibly on the user's screen. "Pago," meaning "pay" or "paid" in Spanish, aligns with the document's intent to appear as part of a legitimate financial transaction. Although the PDF is blurry, faint column headings like 'Date' and 'Subtotal' are barely visible, likely another attempt to add to the authenticity of the communications between the user and the threat actor.

"Pago.pdf" contents used as a decoy to the victim
Figure 4: "Pago.pdf" contents used as a decoy to the victim.

The SFX archive is password-protected, limiting direct interaction with its contents. However, as the process chain progresses, another executable, "cvghfy.exe," runs, likely extracted from within the archive. Using tools like Detect It Easy reveals signs of obfuscation, packing, and the use of ConfuserEx-indicating the threat actor(s) went to a great deal of trouble to hinder analysis. 

Analysis results of cvghfy.exe
Figure 5: Analysis results of cvghfy.exe

Using an awesome tool like Unpac.me, we were able to uncover an additional executable, "Original.exe," (SHA-256: 18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb)  the latter identified as the XenoRAT payload. Opening Original.exe in dnSpy exposes XenoRAT's configuration, including the hardcoded command-and-control (C2) server address.

XenoRAT hardcoded IP address and configuration data
Figure 6: XenoRAT hardcoded IP address and configuration data. 

Further analysis of the file's metadata shows an anomalous compilation timestamp of 10/22/2052, a manipulation tactic likely employed to evade detection based on standard file timestamp heuristics. This alteration obscures the file's actual age, allowing it to bypass security filters that often rely on creation dates for detection.

Compilation timestamp for the XenoRAT file
Figure 7: Compilation timestamp for the XenoRAT file.

Network Infrastructure

The identified C2 IP address, 87.120.116[.]115, communicates over TCP port 1391 and is hosted within ASN 401115 (EKABI) in Bulgaria, providing few opportunities to pivot toward additional infrastructure linked to this activity.

A self-signed certificate with the common name WIN-HM6FI4VOIEP was detected on RDP port 3389 around the same time this file surfaced. Although we could not uncover additional servers linked to this campaign, the IP address and indicators provided here offer a useful foundation for monitoring in case these tactics reemerge in future activity.

Conclusion

This analysis shed light on a unique deployment of XenoRAT, where traditional tactics gave way to an Excel XLL delivery and layered obfuscation. By leveraging legitimate tools like Excel-DNA and ConfuserEx, the attackers demonstrated how adaptable open-source malware can be, embedding malicious activity within familiar file types and tools. 

This shift in tactics reinforces the need for vigilance, including monitoring or blocking less commonly used file extensions, as threat actors continue finding ways to exploit trusted software.

Network Observables

IP AddressHosting CountryASNNotes
87.120.116[.]115:1391NLEKABIXenoRAT C2 Server

Host Observables

File NameFile TypeSHA-256
Payment_Details.gz.zipZip7fddca3e05425b8ec73f701334a57532f9b6bc626f8402de5135de91b8a0b59e
Payment_Details.xllXLL48a60db5241e6ecadbb9705ed014ba58ea9608d5ae0264db04fe70201fd1b152
Pago.pdfPDF7a0e40d4c39eae8f7415cb44504e04c1baf41f57e797308f026409c7353ed03d
cfgdf.batBat18abc987c2a04a7c576d7a5c86588467cbf6cc2bb15eadbc60c0336e2fff11d8
cvghfy.sfx.exeSFX RAR72722737a28ed8371130b181f99a12bd7f43b9cb9043e7a1257c08394e57e17b
cvghfy.exeEXE46affe6213f26e1a5446134c994e14d3f3f500e3c88f7867e3102c4b171cead1
Original.exeEXE18aa15aaf6886e277aea1333b546be83a56bccdfa7a64ce5243ebed2dd2541fb

Related Posts:

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Rare Watermark Links Cobalt Strike 4.10 Team Servers to Ongoing Suspicious Activity
Dec 3, 2024

Uncover the infrastructure and learn how a unique watermark led to the discovery of Cobalt Strike 4.10 team servers impersonating well-known brands.

 Uncovering Threat Actor Tactics: How Open Directories Provide Insight into XWorm Delivery Strategies
Nov 28, 2024

Learn how threat actors leverage open directories to deliver XWorm malware disguised as popular software, providing insight into their tactics.