
XLL Dropper – Mastering A Red Team’s Ultimate Weapon

Write an XLL Dropper in C++, a red team's most used dropper, and learn how to be like red teams and APT groups by building your own XLL Dropper.

Before we dig deeper: what the hack is a dropper, what the hack is an XLL dropper, what the differences are, when to use it, and why to use it instead of an EXE dropper.

What The Hack Is A Dropper

A dropper is like a delivery vehicle that carries a payload and drops it when it arrives at the target location. Take the example of Amazon's autopilot delivery drones: they carry multiple payloads and, when they arrive at a location, they drop the payload at the door of the house.

The same holds for a dropper in malware: the dropper can carry one payload or more. For example, an old-style dropper may carry one video or photo and one RAT. The hacker creates an icon from the image the dropper carries, changes the icon of the EXE to that new icon, and spoofs the extension of the EXE to dropper.png.exe. Because Windows' default settings do not show the extension, it appears as dropper.png and the real extension is hidden.

When the hacker sends it to the target and the target clicks on it, in one click it drops the image and opens it, and it drops the RAT and runs it. That one click fools the target into thinking he clicked on the image, because he sees the image show up in his window. What he does not know is that the image may be sitting in the temp folder.
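The extension trick described above depends on Explorer's "Hide extensions for known file types" setting. The following is an added example, not code from the original post: a small triage check that reproduces what Explorer would display for a filename and flags names whose real (last) extension is executable while the visible one looks like a document or image. The extension lists and the sample filenames are constructed for this example.

```python
"""Added example: flag filenames that rely on Windows hiding the real extension."""
import os

# Extensions Windows runs or loads as code on double-click (constructed list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".js", ".vbs", ".hta", ".xll", ".dll", ".lnk",
}
# Extensions a user expects to be harmless documents or media (constructed list).
DECOY_EXTENSIONS = {
    ".png", ".jpg", ".jpeg", ".gif", ".pdf", ".doc", ".docx",
    ".xls", ".xlsx", ".txt", ".mp4",
}


def split_extensions(name):
    """Return every dotted suffix of the basename, lower-cased, in order."""
    base = os.path.basename(name)
    parts = base.lower().split(".")
    return ["." + p for p in parts[1:]]


def displayed_name(name):
    """What Explorer shows when 'Hide extensions for known file types' is on:
    only the final extension is stripped, so 'dropper.png.exe' reads 'dropper.png'."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext else base


def classify(name):
    """'double-extension' for decoy-then-executable names such as dropper.png.exe,
    'executable' for a plain executable, 'ok' otherwise."""
    exts = split_extensions(name)
    if not exts:
        return "ok"
    real = exts[-1]
    if real not in EXECUTABLE_EXTENSIONS:
        return "ok"
    if len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS:
        return "double-extension"
    return "executable"


def triage(names):
    """Return (filename, verdict, name-as-displayed) for every flagged file."""
    results = []
    for name in names:
        verdict = classify(name)
        if verdict != "ok":
            results.append((name, verdict, displayed_name(name)))
    return results


if __name__ == "__main__":
    # Constructed sample listing of a Downloads folder.
    sample = ["dropper.png.exe", "invoice.xlsx", "archive.tar.gz", "setup.exe", "README"]
    for row in triage(sample):
        print(row)
```

Run over a directory listing (for example from `os.listdir`), the output shows both what the user saw and what actually executes, which is the gap the dropper exploits.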

What The Hack Is An XLL Dropper And How Does It Work

XLL is the file extension of an Excel add-in (plugin). XLL files are similar to DLLs; in fact they are DLLs, but an XLL is not a normal executable file.

It is a plugin for Excel. For example, you can write a plugin that adds functions to calculate something or a formula for you; in Excel you import the plugin (the XLL file) and start using the functions you created in it.

There is one more difference between DLL and XLL files. You cannot click a DLL to launch it; the only way to use it without loading it from an EXE with LoadLibraryA is via Rundll32.exe. With an XLL, one click launches it: when you click the XLL file, Excel starts and you can use Excel with the XLL loaded.

But to make a one-click XLL dropper work there is a very important function we will use: int WINAPI xlAutoOpen(void);

The function takes no arguments. For it to be used correctly we need to export it from the XLL file so that Excel can call it and so that the file is a valid XLL; otherwise the XLL will not open in Excel and an error will be shown.

How The XLL Dropper Works

It works the same as the EXE dropper, but these days EXE files and extension spoofing are heavily detected, so as a solution hackers and developers started using XLL files to deliver their payload, because Excel is widely used in companies; almost every company uses it.

So how does the XLL dropper work? When a target clicks an XLL file, excel.exe imports the XLL file and searches for the function xlAutoOpen. If it finds it, it triggers the function. Inside xlAutoOpen the hacker does what a normal dropper does: drops the Excel file to the temp directory to fool the employee, drops the RAT, and starts them both.

The target sees the Excel file show up in his window, and the RAT runs in the background, so nothing looks suspicious.
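The flow described in the two passages above (Excel loads the .xll and calls its exported xlAutoOpen, which drops files to the temp directory and launches them) leaves two observable traces: excel.exe loading an add-in image from a user-writable path, and excel.exe becoming the parent of a process that lives in a temp directory. The block below is an added example, not part of the original post, that expresses both as detection rules over constructed Sysmon-style events. The field names follow Sysmon's ImageLoad (event ID 7) and ProcessCreate (event ID 1) events; the paths, user names and the allowlist of expected Excel child processes are assumptions made for this example.

```python
"""Added example: detect the XLL-dropper pattern in Sysmon-style telemetry."""

# Path fragments treated as user-writable (constructed list).
USER_WRITABLE = (
    "\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\",
    "\\temp\\", "\\public\\",
)
# Children Excel is expected to start; assumed allowlist for this example.
EXPECTED_EXCEL_CHILDREN = {"splwow64.exe", "werfault.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _in_user_writable(path):
    p = path.lower()
    return any(seg in p for seg in USER_WRITABLE)


def check_event(ev):
    """Return an alert string for a suspicious event, or None."""
    # Rule 1: Excel loading an .xll add-in from a location a user can write to.
    if ev["EventID"] == 7 and _basename(ev["Image"]) == "excel.exe":
        loaded = ev["ImageLoaded"]
        if loaded.lower().endswith(".xll") and _in_user_writable(loaded):
            return f"excel.exe loaded add-in from user-writable path: {loaded}"
    # Rule 2: Excel spawning an unexpected child out of a user-writable path.
    if ev["EventID"] == 1 and _basename(ev["ParentImage"]) == "excel.exe":
        child = ev["Image"]
        if _basename(child) not in EXPECTED_EXCEL_CHILDREN and _in_user_writable(child):
            return f"excel.exe spawned {child}"
    return None


def scan(events):
    """Run both rules over a list of events and collect the alerts."""
    return [a for a in (check_event(e) for e in events) if a]


# Constructed sample events (not real telemetry).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    # Benign: a bundled add-in loaded from the Office install directory.
    {"EventID": 7, "Image": OFFICE,
     "ImageLoaded": r"C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\ANALYS32.XLL"},
    # Suspicious: add-in loaded straight from the user's Downloads folder.
    {"EventID": 7, "Image": OFFICE,
     "ImageLoaded": r"C:\Users\alice\Downloads\invoice.xll"},
    # Suspicious: Excel launches a binary that appeared in %TEMP%.
    {"EventID": 1, "ParentImage": OFFICE,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    # Benign: print spooler helper started by Excel.
    {"EventID": 1, "ParentImage": OFFICE, "Image": r"C:\Windows\splwow64.exe"},
    # Benign: Excel itself started by Explorer.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": OFFICE},
]


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 fires before any payload runs, so it is the earlier signal; rule 2 catches the drop-and-execute step regardless of how the add-in got loaded. Both rules key on paths only, so legitimate add-ins deployed to Program Files or a managed add-in directory do not trip them.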

When to use an XLL dropper and when to use an EXE dropper? It depends on what you are targeting. Of course, not all targets will have Excel installed, so does the XLL dropper still work? The answer is yes if you are targeting a YouTube channel or a company employee: there you can use the XLL dropper. But if you are targeting random people, you can only use a plain dropper, such as a PDF dropper, by spoofing the extension and doing some icon changes, which I don't recommend.

Now there are a few tools you need to download before we start coding:

1 – Visual Studio IDE
2 – Excel or Microsoft Office
3 – PuTTY, to test the dropper (you can use any other portable software)
4 – The Excel 2013 SDK from Microsoft

The installation is very easy.

Let's start writing the XLL dropper by creating a new DLL project.

As an option, you can disable precompiled headers: open the project properties, go to C/C++ > Precompiled Headers, and change "Precompiled Header" from "Use (/Yu)" to "Not Using Precompiled Headers".

Now you can delete the line #include "pch.h" and remove the file from the project.

Before we add the headers and libraries for the Excel SDK, we will start coding the dropper. But first, create a new Excel file that will be used to trick the company employee. Example of a simple invoice:

Don't use it in attacks; this is just an example.

Back in Visual Studio, create resource items. Visual Studio will automatically generate two files, resource.h and resource.rc. Open the resource header and add the four defines:

#define EXCEL_FILE 105
#define EXCEL_INVOICE 106

#define EXE_FILE 107
#define PAYLOAD_FILE 108


Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.
