Security News > 2022 > March > Malicious Microsoft Excel add-ins used to deliver RAT malware
Researchers report a new version of the JSSLoader remote access trojan being distributed malicious Microsoft Excel addins.
The latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.
Abuse of Excel XLL add-ins isn't new, as they are commonly used for legitimate purposes, such as importing data into a worksheet or extending the functionality of Excel.
When enabled, the XLL files use malicious code inside an xlAutoOpen function to load itself into memory and then download the payload from a remote server and execute it as a new process via an API call.
Compared to older versions, the new JSSLoader has the same execution flow, but it now comes with a new layer of string obfuscation that includes renaming all functions and variables.
To evade detection from string-based YARA rules used by defenders, the new RAT has split the strings into sub-strings and concatenates them at runtime.