Detecting XLL files used for dropping FIN7 JSSLoader with Wazuh
JSSLoader is a remote access trojan by the Russian FIN7 hacking group. There has been an increase in the number of JSSLoader infections this year. These infections have been utilizing Microsoft Excel add-in files (XLL files) to drop the JSSLoader trojan to victim machines.
In this blog post, we use Wazuh to detect when an XLL file is used as a dropper for the JSSLoader trojan on a Windows endpoint. It is important to detect this dropper activity so we can respond to the JSSLoader infection before it takes root.
XLL dropper behavior
The recent infection chain leverages email to deliver the XLL file. Once the file is downloaded and opened, the malicious code in the file is loaded and executed by Excel. Then the following behavior is observed:
- Execution of unsigned binaries: An Excel popup appears, which asks the user if the add-in should be executed because it’s unsigned. In the logs of the infected machine, we see this activity as an image loaded by Excel with its signed status as false.
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE ImageLoaded: C:\Users\chris\Downloads\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6\8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6.xll FileVersion: 1.1.0.3 Description: Excel-DNA Dynamic Link Library Product: Excel-DNA Add-In Framework for Microsoft Excel Company: Govert van Drimmelen OriginalFileName: ExcelDna.xll Hashes: SHA1=6B8F41B0BD35C0C4E6972A2C6B9D4ABEBF0861E9,MD5=8728DF136AF4050C1CE4E3C56E26B755,SHA256=8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6,IMPHASH=5E95C28CC2C318698383B346E766F577 Signed: false
- DNS query for a malicious domain: From the execution logs, we see a DNS query for physiciansofficenews[.]com by Excel to retrieve the JSSLoader trojan. Other domains identified as being used for delivery of the trojan include thechinastyle[.]com and divorceradio[.]com.
UtcTime: 2022-04-05 07:58:50.837
ProcessGuid: {ef5984a4-f69d-624b-dd04-000000000500}
ProcessId: 4976
QueryName: physiciansofficenews[.]com
QueryStatus: 0
QueryResults: ::ffff:209[.]99[.]64[.]51;
Image: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
- Creation and execution of an executable temporary file with DNA prefix: The XLL file downloads a
.tmpfile with the DNA prefix in the%TEMP%directory of the user, then executes this temporary file. The.tmpfile downloaded is the JSSLoader trojan.
Image: C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp
CommandLine: C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp
CurrentDirectory: C:\Users\chris\Documents\
User: DESKTOP-PQKPK46\chris
LogonGuid: {ef5984a4-0f92-624c-8023-030000000000}
LogonId: 0x32380
TerminalSessionId: 1
IntegrityLevel: Medium
Hashes: SHA1=CE2AA4C6A7A2235C3C9F7233933DD7CD9DD44D09,MD5=22616070ACE3C7377135EBC3B97964C5,SHA256=45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41,IMPHASH=00000000000000000000000000000000
ParentProcessGuid: {ef5984a4-2de5-624c-1402-000000000700}
ParentProcessId: 6820
ParentImage: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
The use of the .tmp extension is to bypass malware scanners and monitoring tools that may be looking for the creation of executable files (.exe, .bin, etc.) but not temporary files. The temporary file created can still be executed and is just a way of masquerading.
Detection with Wazuh
Wazuh provides rules for threat and anomaly detection. We can extend some of these base rules to improve coverage for malicious behavior by FIN7 XLL dropper files.
Requirements
On the Windows endpoint
- Download Sysmon from the Microsoft Sysinternals page.
- Download the Sysmon configuration file.
- Launch the CMD as an administrator and install Sysmon using the command below:
Sysmon64.exe -accepteula -i sysconfig.xml
- Edit the
ossec.conffile to specify the location to collect Sysmon logs:
<localfile> <location>Microsoft-Windows-Sysmon/Operational</location> <log_format>eventchannel</log_format> </localfile>
- Restart the Wazuh agent for changes to apply.
On the Wazuh manager
We proceed to create rules to detect the identified XLL dropper file behaviors by adding the following rules in our local_rules.xml file.
- Execution of unsigned binaries: For execution of unsigned binaries, we create rules to detect when Excel loads an add-in as it is a popular source for running malicious files. Then we detect if the add-in loaded is unsigned.
<group name="malware_detection,fin7,">
<rule id="100002" level="0">
<if_sid>61609</if_sid>
<field name="win.eventdata.image" type="pcre2">(?i)excel.exe</field>
<description>Application $(win.eventdata.imageLoaded) loaded by excel.exe.</description>
<mitre>
<id>T1204</id>
<id>T1137</id>
</mitre>
</rule>
<rule id="100003" level="3">
<if_sid>100002</if_sid>
<field name="win.eventdata.imageLoaded" type="pcre2">(?i)(.xll|.xla|.xlam)</field>
<description>Add-in $(win.eventdata.originalFileName) loaded by excel.exe.</description>
<mitre>
<id>T1137</id>
<id>T1137.001</id>
</mitre>
</rule>
<rule id="100004" level="7">
<if_sid>100003</if_sid>
<field name="win.eventdata.signed" type="pcre2">^false$</field>
<description>Unsigned add-in $(win.eventdata.originalFileName) loaded by excel.exe. Possible malicious activity.</description>
<mitre>
<id>T1204</id>
<id>T1204.002</id>
<id>T1137</id>
<id>T1137.001</id>
</mitre>
</rule>
</group>
- DNS query for a malicious domain: Here, we create rules to detect when Excel makes a DNS query for a known JSSLoader distributor domain.
<group name="malware_detection,fin7,">
<rule id="100005" level="0">
<if_sid>61600</if_sid>
<field name="win.eventdata.image" type="pcre2">(?i)excel.exe</field>
<field name="win.system.eventID" type="pcre2">^22$</field>
<description>Excel made a network request.</description>
</rule>
<rule id="100006" level="15">
<if_sid>100005</if_sid>
<field name="win.eventdata.queryName" type="pcre2">(?i)(physiciansofficenews.com|thechinastyle.com|divorceradio.com)</field>
<description>Excel made a network request to JSSLoader dropper domains.</description>
<mitre>
<id>T1105</id>
</mitre>
</rule>
</group>
- Creation and execution of an executable temporary file with DNA prefix: For this behavior, we create rules to detect when a
.tmpfile is loaded for execution. We also create rules to detect if the file loaded has a DNA prefix which is an indicator that it is a FIN7 JSSLoader file.
<group name="malware_detection,fin7,">
<rule id="100007" level="0">
<if_sid>61603</if_sid>
<field name="win.eventdata.parentImage" type="pcre2">(?i)excel.exe</field>
<description>$(win.eventdata.image) Process launched by excel.</description>
<mitre>
<id>T1059</id>
</mitre>
</rule>
<rule id="100008" level="7">
<if_sid>100007</if_sid>
<field name="win.eventdata.image" type="pcre2">(?i).tmp</field>
<description>$(win.eventdata.image) executable masquerading as a TMP file was launched by excel. Possible FIN7 JSSLoader execution.</description>
<mitre>
<id>T1036</id>
<id>T1059</id>
<id>T1059.005</id>
</mitre>
</rule>
<rule id="100009" level="15">
<if_sid>100008</if_sid>
<field name="win.eventdata.image" type="pcre2">(?i)DNA</field>
<description>$(win.eventdata.image) executable masquerading as a .TMP file launched by excel. DNA prefix is typically associated with FIN7 JSSLoader.</description>
<mitre>
<id>T1036</id>
<id>T1059</id>
<id>T1059.005</id>
</mitre>
</rule>
</group>
Once the rules have been created, we restart the manager to apply the changes.
Detection results
Upon execution of the malicious XLL dropper file on an endpoint that is enrolled to Wazuh, we see that the rules created detect the malicious behavior and generate alerts.
Conclusion
In this article, we successfully created rules to detect when a malicious XLL dropper file is being used to download and execute the FIN7 JSSLoader RAT. It is also possible for Wazuh to detect and remove a malicious file like the XLL dropper before it is executed by a user. We illustrate this in our proof of concept guide where we check the hash of a downloaded file in Virustotal and then perform an active response on the file if it is malicious.