Cyber security

XLL Dropper – Mastering A Red Team’s Ultimate Weapon

Write XLL Dropper in c++ , a red teams most used dropper , learn how to be like a red teams and APT groups by building your XLL Dropper

Before we dig deeper, what is the Hack Dropper, and what the Hack is the XLL Dropper what are the differences and when to use it and why to use it and not use an exe dropper

What The Hack Is Dropper

A Dropper is like a delivery vehicle that has a payload to drop when it arrives at the target location! We can take an example of Amazon delivery autopilot drones which carry multiple payloads and when they arrive at a location it drop,

The payload on the door of the house Same for the Dropper in malware the dropper can carry 1 payload or more for example an old Dropper may carry 1 video or photo and 1 rat and the hacker can create an icon from the image that the dropper carries and change

The icon of the exe to the new icon and spoof the extension of the exe to be dropper.png.exe and because windows default settings will not show the extension it will appear like this dropper.png

The correct extension will be hidden When the hacker sends it to the target and the target clicks on it in 1 click it will drop the image and run it and will drop the RAT and run it in 1 click the will fool the target he clicking on

The image because see they image show up in his windows But what he did not know was that the image may maybe in the temp folder

What Is The Hack Is XLL Dropper And How Does It Work

Xll is a file extension or plugin for excel files xll files are similar to dlls they are the same but the xll is not a normal executable file,

It is a plugin for excel files for example you can write a plugin for excel files and in the plugin, you can add functions to calculate or add a formula for you and in excel you can import the plugin or xll file and start using the functions that you create in the plugins.

There is 1 more difference between the dll and xll files in dll you can not click it to launch the only way to use it without loading it using exe using loadlibraryA is by using the Rundll32.exe it but with xll, you can 1 click to launch it and use it when you click on the xll file the Excel will launch and you can start using excel with xll loaded

But to make a 1 click xll dropper work there is a very important function we will use int WINAPI xlAutoOpen(void);

The functions take no arguments , For this function to be used correctly we need to export it from the xll file so the excel can use it and to make the xll file valid xll or the xll file will not opened using excel and will show an error

How The Xll Dropper Works

Same as the exe dropper but these days exe files and extension spoofing are very detected So as a solution Hackers and developers start using XLL files,

To deliver their payload because Excel files are widely used in companies almost every company uses Excel So how does the xll drooper work? When a target clicks an xll file the excel.exe will import the xll file and search for the function xlAutoOpen

If he finds it he triggers the function Inside the xlAutoOpen function the hacker does what a normal dropper does like dropping the excel file to the temp directory to fool the employee and drop the Rat and starting them both

The target will see the excel file show up on his window so and the Rat will run in the background so no suspicious

When to use Xll Dropper and when to use Exe Dropper? So what to use? it depends on what are you targeting Of course not all the targets will have excel installed so does the xll dropper worse The answer is yes if you are targeting a youtube channel , company employee You can use the xll dropper but if you are targeting random people you can use only Dropper as a PDF dropper by spoofing the extension and doing some icon changes which I don’t recommend

Now there are a few tools you need to download before we start coding

1 – Visual studio IDE 2 – Excel or Microsoft Office 3 – Putty to test the dropper you can use any other portable software 4 – Download Excel 2013 SDK from Microsoft.

The installation is very easy

Lets start writing the XLL Dropper by creating a new dll project

As an Option You can disable precompiled headers you can do that by opening the project properties C/C++ Precompiled headers Precompiled headers change use /Yu to not using precompiled headers

Now you can delete the line #include “pch.h” and remove the file from the project

Before we add the headers and libraries for the Excel SDK will start coding the dropper But first create a new excel file that will be used to trick the company employee Examble for simple invoice :

Dont use it in attacks this is just an example

Back to the visual studio and create resource items the visual studio will automatically generate 2 files resource.h , resource.rc open the resource header add the 4 four defines

#define EXCEL_FILE 105
#define EXCEL_INVOICE 106

#define EXE_FILE 107
#define PAYLOAD_FILE 108

For more information click here

Varshini

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.

Recent Posts

Kali Linux 2024.4 Released, What’s New?

Kali Linux 2024.4, the final release of 2024, brings a wide range of updates and…

4 hours ago

Lifetime-Amsi-EtwPatch : Disabling PowerShell’s AMSI And ETW Protections

This Go program applies a lifetime patch to PowerShell to disable ETW (Event Tracing for…

4 hours ago

GPOHunter – Active Directory Group Policy Security Analyzer

GPOHunter is a comprehensive tool designed to analyze and identify security misconfigurations in Active Directory…

2 days ago

2024 MITRE ATT&CK Evaluation Results – Cynet Became a Leader With 100% Detection & Protection

Across small-to-medium enterprises (SMEs) and managed service providers (MSPs), the top priority for cybersecurity leaders…

5 days ago

SecHub : Streamlining Security Across Software Development Lifecycles

The free and open-source security platform SecHub, provides a central API to test software with…

1 week ago

Hawker : The Comprehensive OSINT Toolkit For Cybersecurity Professionals

Don't worry if there are any bugs in the tool, we will try to fix…

1 week ago