Hancitor uses infected WORD documents & recently sent out a rare XLL file extension to bypass AV detection when users clicked on a malicious link from EMAIL spam.  Virus authors often use rare file extension types that email blocking rules may not be familiar with or programmed for in AV products.

Hancitor tries XLL as initial malware file (sans.edu)

On Thursday 2021-07-08, for a short while when Hancitor was initially active, if any victims clicked on a malicious link from the malspam, they would receive a XLL file instead of a malicious Word doc.  I tried one of the email links in my lab and received the malicious XLL file.  After other researchers reported they were receiving Word documents, I tried a few hours later and received a Word document instead.

What is an XLL file?  — XLL files are Excel add-in files.  They’re DLL files specifically designed to be run by Microsoft Excel.  Think of an XLL file as an “Excel DLL.”


Go to Source of this post
Author Of this post: harrywaldron

By admin