{
	"id": "cfe94e82-fd55-4e87-b0e7-974800215462",
	"created_at": "2026-04-06T00:22:26.566181Z",
	"updated_at": "2026-04-10T03:21:08.743431Z",
	"deleted_at": null,
	"sha1_hash": "725309a361cf4f7c69f9864d91ba6bc3dbef9984",
	"title": "Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1708246,
	"plain_text": "Signed, Sealed, and Delivered – Signed XLL File Delivers Buer Loader | FortiGuard Labs\r\nPublished: 2021-07-19 · Archived: 2026-04-05 19:10:09 UTC\r\nFortiGuard Labs has discovered a malicious spam campaign that uses the names of two well-known corporate entities as a social engineering lure to trick a target into opening a maliciously crafted Microsoft Excel document. When opened, the document contacts a remote server and downloads a malicious payload from a predefined website. What makes this campaign different from similar malicious spam campaigns is the use of a signed Microsoft Excel file with an .XLL file extension rather than the standard .XLS file extension.\r\nIn this blog, we examine the details of this attack as well as the infrastructure the attackers used. The reader will see the multi-step process used to ensure that the target would be infected, including evasive steps to bypass detection technologies via the .XLL file extension and the use of a valid digital signature.\r\nAffected Platforms: Windows\r\nImpacted Users: Any organization or individual\r\nImpact: Remote attackers gain control of the vulnerable systems\r\nSeverity Level: Moderate\r\nWhat is an XLL File Extension?\r\nThe XLL file extension is used by Excel Add-in files, which allow third-party applications to add extra functionality to Excel. XLL files are similar in structure to DLL files. They allow calls to specific Excel commands, worksheet functions from Visual Basic (VBA), registered XLL commands, and functions referenced in Excel. The use of XLL files is not as common as maliciously crafted XLS files that contain macros or exploits, so it is a rarely observed evasion tactic used by threat actors to bypass endpoint detection.\r\nComplicating things even further, the malicious XLL file used in this campaign (at the time of analysis) is signed with a valid digital signature and chains accordingly. Signed malware carrying valid digital certificates is used by threat actors to evade detection, as such files are trusted by antivirus and other endpoint security software. Because a company or organization is vetted by a certificate authority (CA) before the issuance of a digital certificate, operating systems and anti-virus software treat files signed with these certificates as clean, which ultimately allows the signed file to operate with impunity.\r\nAnd finally, when run, the maliciously crafted Excel file connects to a predetermined server to download the payload, which in this case is Buer Loader.\r\nCampaign Details\r\nThe modus operandi of these attackers is spam email. Based on our observations, these attacks do not appear to be targeted, but instead appear to be blanketed campaigns looking for low-hanging fruit—i.e., anyone willing to open the malicious attachment.\r\nhttps://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader\r\nPage 1 of 14\r\nThe email in the example below is a variant of the classic shipment courier status email, with this variation using DHL and Amazon trademarks as the lure. This specific example was sent to an individual and not to an organization, further reinforcing the idea that these campaigns are not targeted.\r\nThis malicious spam appears to be rushed or the product of non-native English speakers, as there are grammatical issues—“We sincerely sorry due to inconvenience...”—which make it less than convincing, even to the untrained observer.\r\nFigure 1. Email sent to recipient with malicious attachment\r\n(Incidentally, the recipient of this particular email has had their email username and password posted online previously. According to haveibeenpwned[.]com, this email address has also been exposed in four separate breaches.)\r\nContained within the email is an attachment with the file name “Detailed Invoice.xll.” Looking at the attachment, we can see that it is digitally signed and chains appropriately. The digital signature is assigned to HORUM, with a reference email address of admin[@]khorum[.]ru:\r\nFigure 2. Digital Signature Details\r\nThe certificate appears to be valid until 3/24/2022:\r\nFigure 3. Certificate Details\r\nVisiting the website directly offers no further details as to what entity is behind this campaign:\r\nFigure 4. Khorum.ru showing empty directory\r\nSame with the WHOIS information:\r\nFigure 5. Khorum.ru WHOIS details\r\nThe Infection Chain\r\nWhen the user opens the XLL file, Excel triggers the xlAutoOpen export in a similar fashion to a macro. The following image shows that the export name is the same.\r\nFigure 6. Export name same as Excel command\r\nThe export attempts to contact the following URL: hxxp://dmequest[.]com/dme/images/portfolio/products/1/csrsc.exe, hosted on 68[.]67.75.66.\r\nAnalysis reveals that the IP address serving the executable file belongs to a webhosting reseller in Florida in the United States. Further analysis shows that this is most likely a compromised server and, based on experience, it is probably controlled by affiliates of the bad actors or the bad actors themselves.\r\nTaking a deeper look at the server, we see that it contains an open directory that is publicly accessible. In the folder where csrsc.exe resides, a directory timestamp appears to have been changed to make it look like one of the original files from 2016. However, analysis revealed that the csrsc.exe file was actually compiled in 2021.\r\nFigure 7. Readable directory\r\nThe directory also contains several other files from June 2021 that may be from a different campaign. We have also observed older campaigns over the past several years being downloaded from this same IP address. Some of these campaigns involve serving fake data recovery software as well as PayPal-themed phishing sites. However, it is difficult to determine whether these attackers are all related, or whether this is simply a leased server used by multiple threat actors.\r\nA passive DNS listing of domains that resolved to this IP address highlights a variety of business entities, but overall they appear to be a random collection of websites belonging to customers of the webhosting reseller.\r\nOnce the XLL file finishes downloading csrsc.exe, the downloaded file is saved as:\r\n%PUBLIC%\\srtherhaeth[.]eXe\r\nFurther Insight into srtherhaeth.exe\r\nThe downloaded file is Buer Loader. First discovered in 2019, Buer Loader is Malware-as-a-Service that was first used by threat actors to deliver banking Trojans and various other malware. As it gained popularity, it was later adopted by Ryuk threat actors to help establish an initial foothold on targeted networks. Once this foothold was established, the infamous Ryuk ransomware was then deployed. Buer Loader has evolved since then, and the following provides further insight into this latest version.\r\nAnalysis of srtherhaeth.exe reveals what is likely an invalid or expired signature; because of this, it did not chain appropriately and could not be verified as a legitimate certificate.\r\nFigure 8. Invalid Digital Signature\r\nFigure 9. Invalid Certificate\r\nFurther examination of the file revealed the following:\r\nFile Version Information\r\n    Copyright: Cistae\r\n    Description: Weenong\r\n    Original Name: Detrition\r\n    Internal Name: Phytoflagellata\r\n    File Version: 0, 1, 3, 1\r\n    Comments: Nonrival\r\n    Date signed: 2010-09-08 00:04:00\r\nRust Crates and Toolchains\r\nsrtherhaeth.eXe is almost 2 MB. In the world of malware, files in this size range are not common. This is a newer variant of Buer Loader that has been completely rewritten, as first pointed out by Proofpoint in May 2021. A deeper dive reveals that it was written in Rust and uses Rust crates/libraries, which explains the file size anomaly versus traditional malware.\r\nConsistent with the latest version of Buer Loader, this version was observed incorporating the whoami (https://github.com/libcala/whoami) Rust crate, which provides details such as current user information, including username, full name, preferred language, OS name/version, and the environment in which it is running. The version used is whoami 1.1.1, which was released on 2021-03-13 (https://github.com/libcala/whoami/blob/main/CHANGELOG.md).\r\nOne interesting component of Rust is toolchains. In layman’s terms, Rust toolchains are collections of programs, along with multiple dependencies, needed to compile a Rust application.\r\nRust toolchains observed in use so far by Buer were:\r\nureq 2.0.2 – A minimal HTTP request library\r\nminreq – A simple, minimal-dependency HTTP client with fewer features than ureq.\r\nA user-agent string of “something/1.0.0”\r\nring – According to the official site, ring is a safe, fast, small crypto library focused on general-purpose cryptography. It is written in Rust and uses BoringSSL's cryptography primitives.\r\nFinally, the file receives additional instructions from its command and control (C2) server: hxxps://shipmentofficedepot[.]com (195[.]123.234.11).\r\nInsight into C2 shipmentofficedepot[.]com (195[.]123.234.11)\r\nDetailed analysis over a 30-day period revealed that a large majority of connections came from US-based victims (66%), followed, interestingly enough, by Mozambique (22%), Singapore (5%), and other countries (1% or less each).\r\nFigure 10. All traffic to 195[.]123.234.11 over a 30-day period\r\nA cursory review of our telemetry indicates that over 1/3 of the traffic occurred over port 22 (SSH/SFTP). Almost all of these port 22 connections originate from a reportedly compromised server. Since this is a shared server hosting multiple websites, this information indicates that the provider may not mind hosting malicious websites.\r\nConclusion\r\nWhile the use of malicious XLL files is not new, it is rare. Couple that with the fact that a valid digital signature was used (at the time of the attack), and the level of sophistication and resourcefulness of these attackers increases in the minds of threat researchers. Even though the email lure used was basic, this may only indicate that the group behind this campaign was simply testing the effectiveness of their techniques.\r\nHowever, the techniques used in this campaign are harder to spot than the average attack. The examples in this blog highlight a carefully thought-out campaign by the attacker, who took the needed time and steps to ensure that their work would not be detected before infection. Thankfully, Fortinet customers running the latest definition sets are already protected against this campaign.\r\nFortinet Protections\r\nFortiGuard Labs has AV coverage for the samples mentioned in this blog as:\r\nW32/Agent.ADBL!tr\r\nW32/Buerak.TO!tr.dldr\r\nW32/Kryptik.HLHY!tr\r\nW32/PossibleThreat\r\nAll known network IOCs are blocked by the WebFiltering client.\r\nAll known IOCs are blocked by FortiEDR’s advanced real-time protection and have already been added to our cloud intelligence to prevent further execution on customer systems.\r\nFortiMail, powered by threat intelligence from FortiGuard Labs, can detect and block phishing attacks and remove or neutralize malicious attachments.\r\nFortinet’s Phishing Simulation Service, FortiPhish, can also be used to proactively test the susceptibility of your organization to these kinds of phishing attacks.\r\nWe also suggest that our readers go through Fortinet’s free NSE Training: NSE 1—Information Security Awareness, which has a module on Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIOCs\r\nDetailed Invoice.xll\r\n6F9D943F88F715FF8A122D7B88AF986C1A9F38F4484E48CDE768CF22A5935EFE\r\nsrtherhaeth.eXe (Buer Loader)\r\nC28ABAAAD1B7B2C7A37F28E974E8214F07C88FEFFEF986E0A60A44AB0FA575AA\r\nPayload Download URI\r\nhxxp://dmequest[.]com/dme/images/portfolio/products/1/csrsc.exe\r\nC2\r\n195[.]123.234.11\r\nAdditional Buer Loader (contacts 195[.]123.234.11)\r\nbd734170160b363e70602626baab37a1eb93cfb2d254cf17b6ff1b5e7313b568\r\n9d1be741e3b09057cdaffb6e87d602afff496dee364767b161dfaab7e639866d\r\nMITRE ATT\u0026CK\r\nInitial Access\r\nT1566.001 – Spearphishing Attachment\r\nExecution\r\nT1204.002 – Malicious File\r\nPersistence\r\nT1547.001 – Registry Run Keys / Startup Folder\r\nDefense Evasion\r\nT1218 – Signed Binary Proxy Execution\r\nT1480.001 – Environmental Keying\r\nT1497.001 – System Checks\r\nT1553.002 – Code Signing\r\nDiscovery\r\nT1082 – System Information Discovery\r\nT1497.001 – System Checks\r\nCollection\r\nT1005 – Data from Local System\r\nCommand and Control\r\nT1071.001 – Web Protocols\r\nT1105 – Ingress Tool Transfer\r\nExfiltration\r\nT1041 – Exfiltration Over C2 Channel\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.\r\nLearn more about Fortinet’s free cybersecurity training, an initiative of Fortinet’s Training Advancement Agenda (TAA), or about the Fortinet Network Security Expert program, Security Academy program, and Veterans program.\r\nSource: https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader"
	],
	"report_names": [
		"signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader"
	],
	"threat_actors": [],
	"ts_created_at": 1775434946,
	"ts_updated_at": 1775791268,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/725309a361cf4f7c69f9864d91ba6bc3dbef9984.pdf",
		"text": "https://archive.orkl.eu/725309a361cf4f7c69f9864d91ba6bc3dbef9984.txt",
		"img": "https://archive.orkl.eu/725309a361cf4f7c69f9864d91ba6bc3dbef9984.jpg"
	}
}