Info-stealing RedLine malware distributed via Excel XLL files

BleepingComputer reports that numerous websites are being targeted by a widespread contact form and discussion forum spamming campaign involving the distribution of malicious Excel XLL files that facilitate the installation of the information-stealing RedLine malware. Aside from exfiltrating web browser-stored usernames and passwords, cookies, and credit cards, the RedLine trojan could also steal FTP credentials and files. The malware also has command execution, screenshot creation, and malware downloading and execution capabilities. Attackers have been leveraging various lures in spreading RedLine, including advertising requests and gift guides, while some lures involved the creation of fraudulent websites for hosting the malicious Excel XLL file. Performing manual execution of the DLL using the 'rundll32 name.xll, xlAutoOpen' or regsvr32.exe commands will prompt the extraction of the wget.exe program to the %UserProfile% folder, which will then allow remote installation of the RedLine binary. The RedLine info-stealer will also be automatically launched by a Registry autorun entry when users log into Windows, enabling the theft of sensitive data stored in web browsers.