Ukraine Warns of Weaponized XLL Files Delivers CABINETRAT Malware Via Zip Files
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Ukrainian security agencies have issued an urgent warning regarding a sophisticated malware campaign targeting government and critical infrastructure sectors through weaponized XLL files distributed via compressed archives.<\/p>\n
The malicious campaign leverages Microsoft Excel<\/a> add-in files containing the CABINETRAT backdoor, representing a significant evolution in targeted cyber operations against Ukrainian entities.<\/p>\n The attack methodology involves distributing zip archives containing XLL files with names designed to evoke urgency and legitimacy, such as \u201cdodatok.xll\u201d embedded within \u201c500.zip\u201d archives.<\/p>\n These files masquerade as documents relating to border security incidents, exploiting current geopolitical tensions to increase victim susceptibility.<\/p>\n Upon execution, the malicious XLL files deploy a complex multi-stage payload that establishes persistent access to compromised systems.<\/p>\n CERT-UA researchers noted<\/a> the campaign\u2019s sophisticated approach, identifying it as the work of threat group UAC-0245.<\/p>\n The malware demonstrates advanced evasion<\/a> capabilities and represents a concerning shift toward more sophisticated Office-based attack vectors targeting Ukrainian critical infrastructure.<\/p>\n The campaign\u2019s technical complexity and targeting patterns suggest state-sponsored origins with significant resources dedicated to bypassing modern security defenses.<\/p>\n The CABINETRAT malware employs a sophisticated multi-file deployment strategy that ensures persistent system access while evading detection mechanisms.<\/p>\n When the initial XLL file executes through Excel\u2019s xlAutoOpen function, it creates three distinct components across the victim system: a randomly named executable file with 15-20 characters (internally called \u201crunner.exe\u201d) placed in both the Startup folder and %APPDATA%MicrosoftOffice, an XLL loader file \u201cBasicExcelMath.xll\u201d positioned in Excel\u2019s XLSTART directory, and a PNG image file \u201cOffice.png\u201d containing embedded shellcode.<\/p>\n The persistence mechanism operates through multiple redundant pathways to ensure continued system access.<\/p>\n The malware creates registry entries in the Windows Run<\/a> key with randomized names, establishes scheduled tasks executing every 12 hours with limited privileges, and leverages Excel\u2019s automatic add-in loading functionality.<\/p>\n The runner executable launches Excel in hidden mode using the \u201c\/embed\u201d parameter, automatically triggering the malicious BasicExcelMath.xll add-in without displaying visible Excel windows to users.<\/p>\n The complete infection chain from initial XLL execution through final CABINETRAT deployment.<\/p>\n The malware incorporates extensive anti-analysis measures including BIOS fingerprinting checks for virtualization software signatures, processor core and memory threshold validation, CPUID timing analysis to detect sandboxed environments, and PEB debugging flag verification.<\/p>\n These sophisticated evasion techniques demonstrate the campaign\u2019s advanced nature and dedication to avoiding security research efforts.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Ukraine Warns of Weaponized XLL Files Delivers CABINETRAT Malware Via Zip Files<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nInfection Mechanism and Persistence Strategy<\/strong><\/h2>\n