Ukrainian security agencies have issued an urgent warning regarding a sophisticated malware campaign targeting government and critical infrastructure sectors through weaponized XLL files distributed via compressed archives.
The malicious campaign leverages Microsoft Excel add-in files containing the CABINETRAT backdoor, representing a significant evolution in targeted cyber operations against Ukrainian entities.
The attack methodology involves distributing zip archives containing XLL files with names designed to evoke urgency and legitimacy, such as “dodatok.xll” embedded within “500.zip” archives.
These files masquerade as documents relating to border security incidents, exploiting current geopolitical tensions to increase victim susceptibility.
Upon execution, the malicious XLL files deploy a complex multi-stage payload that establishes persistent access to compromised systems.
CERT-UA researchers noted the campaign’s sophisticated approach, identifying it as the work of threat group UAC-0245.
The malware demonstrates advanced evasion capabilities and represents a concerning shift toward more sophisticated Office-based attack vectors targeting Ukrainian critical infrastructure.
The campaign’s technical complexity and targeting patterns suggest state-sponsored origins with significant resources dedicated to bypassing modern security defenses.
Infection Mechanism and Persistence Strategy
The CABINETRAT malware employs a sophisticated multi-file deployment strategy that ensures persistent system access while evading detection mechanisms.
When the initial XLL file executes through Excel’s xlAutoOpen entry point, it drops three components on the victim system. The first is a randomly named executable of 15-20 characters (internally called “runner.exe”), placed both in the Startup folder and in %APPDATA%\Microsoft\Office\. The second is an XLL loader, “BasicExcelMath.xll”, placed in Excel’s XLSTART directory so that Excel loads it automatically. The third is a PNG image, “Office.png”, which carries the embedded shellcode.
The persistence mechanism operates through multiple redundant pathways to ensure continued system access.
The malware creates registry entries in the Windows Run key with randomized names, establishes scheduled tasks executing every 12 hours with limited privileges, and leverages Excel’s automatic add-in loading functionality.
The runner executable launches Excel in hidden mode using the “/embed” parameter, automatically triggering the malicious BasicExcelMath.xll add-in without displaying visible Excel windows to users.
[Figure: The complete infection chain from initial XLL execution through final CABINETRAT deployment.]
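The persistence artefacts described above give a defender a concrete triage checklist. The following added example (not from CERT-UA or the original article) runs that checklist over a constructed host inventory; the directory listings, Run-key names, task name and process command line are invented for the demonstration, and the placement of Office.png beside the runner is an assumption.

```python
import re
from pathlib import PureWindowsPath

# CERT-UA describes the runner as a random name of 15-20 characters. Assumption: the
# count applies to the stem; a lower bound of 11 also covers ".exe" being counted.
RANDOM_EXE = re.compile(r"^[a-z0-9]{11,20}\.exe$", re.IGNORECASE)

def is_random_runner(path: str) -> bool:
    """True when the file name matches the randomly named runner pattern."""
    return bool(RANDOM_EXE.match(PureWindowsPath(path.strip('"')).name))

def find_indicators(host: dict) -> list:
    """Return (category, evidence) pairs for each CABINETRAT persistence artefact found.

    `host` is a pre-collected inventory: listings of the Startup folder,
    %APPDATA%\\Microsoft\\Office and XLSTART, Run-key values, scheduled tasks as
    (name, interval_hours, action) and process launches as (parent_image, command_line).
    """
    hits = []
    for path in host["startup_dir"] + host["office_dir"]:
        if is_random_runner(path):
            hits.append(("random-name runner", path))
    for path in host["office_dir"]:
        if PureWindowsPath(path).name.lower() == "office.png":  # assumed drop location
            hits.append(("shellcode carrier png", path))
    for path in host["xlstart_dir"]:
        if PureWindowsPath(path).name.lower() == "basicexcelmath.xll":
            hits.append(("xlstart loader", path))
    for name, value in host["run_values"].items():
        if is_random_runner(value):
            hits.append(("run key persistence", f"{name} -> {value}"))
    for name, hours, action in host["tasks"]:
        if hours == 12 and is_random_runner(action):
            hits.append(("12h scheduled task", name))
    for parent, cmdline in host["processes"]:
        low = cmdline.lower()
        if "excel.exe" in low and "/embed" in low.split() and is_random_runner(parent):
            hits.append(("hidden excel /embed launch", cmdline))
    return hits

# Constructed inventory of an infected host (all values invented for the demonstration).
OFFICE = r"C:\Users\alice\AppData\Roaming\Microsoft\Office"
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
INFECTED_HOST = {
    "startup_dir": [STARTUP + r"\qzlkmvrtbexwpayc.exe", STARTUP + r"\desktop.ini"],
    "office_dir": [OFFICE + r"\qzlkmvrtbexwpayc.exe", OFFICE + r"\Office.png"],
    "xlstart_dir": [r"C:\Users\alice\AppData\Roaming\Microsoft\Excel\XLSTART\BasicExcelMath.xll"],
    "run_values": {"xkqpwemrtz": OFFICE + r"\qzlkmvrtbexwpayc.exe"},
    "tasks": [("OfficeSync", 12, OFFICE + r"\qzlkmvrtbexwpayc.exe")],
    "processes": [(OFFICE + r"\qzlkmvrtbexwpayc.exe",
                   r'"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" /embed')],
}

if __name__ == "__main__":
    for category, evidence in find_indicators(INFECTED_HOST):
        print(f"[{category}] {evidence}")
```

On a live host the same inventory would be gathered with os.scandir(), the winreg module and process-creation telemetry, and each hit should be corroborated before any containment step.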
The malware incorporates extensive anti-analysis measures including BIOS fingerprinting checks for virtualization software signatures, processor core and memory threshold validation, CPUID timing analysis to detect sandboxed environments, and PEB debugging flag verification.
These sophisticated evasion techniques demonstrate the campaign’s advanced nature and dedication to avoiding security research efforts.