Nasty Excel XLL files are spreading like crazy

A lesser-known Excel file type, the .XLL, is being used to spread password-stealing malware across the Internet through email and online contact forms.

As reported by Bleeping Computer, emails and online forms are getting spammed with links to fake and malicious web sites which entice people to download the malware.

The malware is contained in an Excel .XLL file. An XLL (eXcel Linked Library) is a collection of shared functions that VBA or other add-ins can use, similar to the DLLs (Dynamic Link Libraries) often used by Windows programs.

Obviously, do NOT open an XLL or any other file from an unknown source that arrives or is offered as a download, like this example download from Google Drive.

Source: Bleeping Computer

The XLL has the standard “xlAutoOpen” function. If you try to open the file, it starts Excel and tries to run the evil code inside.


But not before Excel checks that you really want to run the code.  “Leave this add-in disabled” is the only rational choice <g>.

Inside the XLL is the info-stealing program JavaBridge32.exe, known as Redline. Redline will search the computer for valuable info like passwords and credit cards.
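
Because an XLL is an ordinary Windows DLL that exports xlAutoOpen, a mail or download filter can recognise one from its export table even if the file has been renamed. The Python below is an added example, not code from Bleeping Computer or this article; the function names are illustrative, and build_sample_pe produces a constructed, non-loadable test image rather than a real sample.

```python
import struct

def pe_export_names(data: bytes) -> list:
    """Exported function names of a PE image; [] if not a PE or no export table."""
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew: offset of PE header
        if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
            return []
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt = pe + 24
        magic = struct.unpack_from("<H", data, opt)[0]
        # Data directory 0 is the export table; it sits at 96 (PE32) or 112 (PE32+).
        exp_rva = struct.unpack_from("<I", data, opt + (112 if magic == 0x20B else 96))[0]
        if exp_rva == 0:
            return []
        sections = [struct.unpack_from("<8xIIII", data, opt + opt_size + 40 * i)
                    for i in range(nsect)]
        def off(rva):  # map an RVA to a file offset via the section table
            for vsize, va, rsize, rptr in sections:
                if va <= rva < va + max(vsize, rsize):
                    return rva - va + rptr
            raise ValueError("RVA outside all sections")
        n_names, names_rva = struct.unpack_from("<I4xI", data, off(exp_rva) + 24)
        names = []
        for i in range(min(n_names, 4096)):  # cap guards against malformed counts
            ptr = struct.unpack_from("<I", data, off(names_rva) + 4 * i)[0]
            start = off(ptr)
            names.append(data[start:data.index(b"\0", start)].decode("ascii", "replace"))
        return names
    except (struct.error, ValueError):
        return []  # truncated or malformed image

def is_xll(data: bytes) -> bool:
    """True if the file is a DLL exporting xlAutoOpen, whatever its extension."""
    return "xlAutoOpen" in pe_export_names(data)

def build_sample_pe(names):
    """Constructed PE32+ image exporting `names` (test input only, not loadable)."""
    ptrs, pos = b"", 0x1000 + 40 + 4 * len(names)
    for n in names:
        ptrs += struct.pack("<I", pos)
        pos += len(n) + 1
    strings = b"".join(n.encode() + b"\0" for n in names)
    body = struct.pack("<24xI4xI4x", len(names), 0x1028) + ptrs + strings
    dos = b"MZ" + bytes(58) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HH12xHH", 0x8664, 1, 240, 0x2000)
    opt = struct.pack("<H110xII", 0x20B, 0x1000, len(body)).ljust(240, b"\0")
    sect = struct.pack("<8sIIII16x", b".rdata", len(body), 0x1000, len(body), 0x200)
    return (dos + coff + opt + sect).ljust(0x200, b"\0") + body
```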

Tricks to make you download

These attacks are sometimes aimed at web site managers, with advertising offers or requests to confirm terms like these:

Sell us advertising space on your site from $ 500 
You can read our terms on the link below 

Thanks for using our app. Your payment has been approved. You can see your payment report on the link below

Google just revealed the 100 hottest gifts of 2021 

I won $10.000. Want it too? Read and accept the terms 
