JSSLoader utilised MS Excel add-ins to bypass security detection

April 4, 2022

The JSSLoader remote access trojan (RAT) is being propagated through Microsoft Excel add-ins in its latest attacks. Researchers attributed the newly discovered campaign to the Russian FIN7 threat group, and it has been actively circulating in the wild since December two years ago.

The campaign uses a new and more elusive variant of JSSLoader. Its operators send phishing emails carrying [.]XLL or [.]XLM attachments as the initial access vector.

Microsoft Excel warns the victim about the consequences of opening and activating an unsigned add-in of an unfamiliar format. If the user nevertheless enables the XLL file, the malicious code in its xlAutoOpen function runs and injects itself into memory.

It then downloads a payload from a remote server and executes it as a new process through an API call. The researchers also noted that the latest JSSLoader version follows the same operational flow as its predecessor.
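Because an XLL is a native Windows DLL that Excel loads and then calls through an exported xlAutoOpen function, the export name is present as plain ASCII in the file. The following script is an added example (not code from the article or from the researchers it cites) for mail-gateway or incident-response triage: it flags attachments with the add-in or macro-sheet extensions named above, flags any attachment that is actually a PE image whatever its extension claims, and notes when the file exports xlAutoOpen. The sample bytes it builds are a constructed stand-in for an XLL, not a real add-in, and the export-name search is a heuristic rather than a full export-table parse.

```python
"""Triage inbound Excel add-in attachments (added example, not from the article)."""
import re
import struct

# File types the campaign abuses: XLL (native add-in DLL) and XLM (Excel 4.0 macro sheet).
RISKY_EXTENSIONS = {".xll", ".xlm"}
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def is_pe_image(data: bytes) -> bool:
    """True if data has a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def exports_xlautoopen(data: bytes) -> bool:
    """Heuristic: the export name 'xlAutoOpen' is stored NUL-terminated in the export table."""
    return re.search(rb"xlAutoOpen\x00", data) is not None


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict dict with a boolean flag and human-readable reasons."""
    name = filename.lower()
    ext = name[name.rfind("."):] if "." in name else ""
    verdict = {"filename": filename, "extension": ext, "flag": False, "reasons": []}
    if ext in RISKY_EXTENSIONS:
        verdict["flag"] = True
        verdict["reasons"].append(f"risky Excel add-in/macro extension {ext}")
    if is_pe_image(data):
        # A PE image in a mail attachment is worth a look regardless of its extension.
        verdict["flag"] = True
        verdict["reasons"].append("native PE image (DLL/EXE) regardless of extension")
        if exports_xlautoopen(data):
            verdict["reasons"].append("exports xlAutoOpen: runs automatically when Excel loads it")
    return verdict


def build_fake_xll() -> bytes:
    """Constructed sample, not a real add-in: DOS header with e_lfanew=0x80, PE signature, export names."""
    dos = bytearray(0x80)
    dos[:2] = DOS_MAGIC
    struct.pack_into("<I", dos, 0x3C, 0x80)
    body = PE_SIGNATURE + b"\x00" * 0x100 + b"xlAutoOpen\x00xlAutoClose\x00"
    return bytes(dos) + body


# Constructed sample attachments: an XLL, a plain workbook (ZIP magic), and a renamed PE.
SAMPLE_ATTACHMENTS = [
    ("Invoice_Q1.xll", build_fake_xll()),
    ("report.xlsx", b"PK\x03\x04" + b"\x00" * 64),
    ("statement.xlsx", build_fake_xll()),
]

if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS:
        v = triage_attachment(fname, blob)
        status = "QUARANTINE" if v["flag"] else "allow"
        print(f"{status:10s} {fname}: {'; '.join(v['reasons']) or 'no findings'}")
```

Run as-is to see the three constructed samples classified; to use it against a mailbox or quarantine folder, feed each attachment's name and bytes to `triage_attachment`. The PE check is what catches a renamed add-in such as the third sample, which an extension-only filter would let through.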


The latest JSSLoader variant adds new layers of obfuscation to hinder examination and analysis by cybersecurity researchers.


The threat actors behind the variant also regularly change the User-Agent string their XLL files use, to evade EDR products that correlate detection telemetry across many organisations' networks.

In addition, the newest variant employs string obfuscation, including renaming every variable and function in the JSSLoader code. This version splits strings into substrings and concatenates them at runtime, defeating the string-based YARA rules used by standard security solutions.

Lastly, the string-decoding routine leaves only a small footprint of the loader, which reduces the chances of it being caught by static threat scanners.

Delivering the latest JSSLoader variant as an XLL file is an intelligent attempt by the threat actors to bypass security defences. The XLL delivery also lets the Russian group remain undetected inside a target network for an extended period.

Organisations should include intelligent intrusion prevention systems in their security strategy to mitigate the damage posed by such threats.
