A couple of days ago i have come across a peculiar behaviour involving Office macros. You are probably familiar with the “Enable Content” warning whenever you open a document containing a macro. In order to avoid asking the end-user for permission every time he opens the same document, the warning is disabled (i.e. Office remembers that you allowed the execution). It was my understanding that this “remembering” was inherent to the document (e.g. hash) but according to some black-box testing, it is not. Office remembers that you opened a file with name “x.doc” from the path “C:/…/…/…/x.doc” and authorised the execution of macros. As such, we can replace the trusted document with a malicious one and the check is bypassed. For demonstration purposes, i will assume Word documents.
You can simulate this with the following experiment:
- Create two documents (assuming Word): macro.doc(m) and evilmacro.doc(m) on the same folder. Both docs must have different macros (e.g. one spawns cmd.exe while other spawns mspaint.exe). The doc vs docm extension depends on the Office version you use.
- Open the macro.doc(m) and accept the execution of the macros
- Delete the file macro.doc(m) and rename evilmacro.doc(m) to macro.doc(m)
- Open evilmacro.doc(m) (now macro.doc(m))
You should observe the execution of the macros within evilmacro.doc(m) without any warnings. Another observation you can draw by testing is that Office remembers the decision as long as the file is there. It tests whether the macro-enabled files that you previously decided to authorise are still present. If they are not, the “cache” is cleaned. You can test this using the following procedure:
- Open macro.doc(m) and allow macro execution
- Close Word and delete macro.doc(m) (while saving it somewhere else)
- Open Word, put macro.doc(m) back on the same folder and open it through Word
Word will now show the “Enable Content” warning again. I am uncertain whether the “cache” is cleaned from time to time but it seems that is persists across boots.
While opening documents sent through email is in general a bad idea, everyone expects the software to let us know that there is something to look out for (e.g. macros). Let us see how we can leverage this finding to improve the odds of compromise.
Current Approach for Infections Using Malicious Documents
Typically, attackers leveraging malicious Office documents for infections take the following steps:
- Send email with seemingly legitimate source (e.g. yahoo[.]com[.]evil) or spoofed (e.g. google[.]com)
- Craft subject, body and attachments of the email in a way that persuades victims into opening the attachments
- Victim opens attachment and authorises the execution of macros. Attachments tend to have content that persuades victims into clicking the “Enable Content” button
Truth is, if the victim is gullible enough to reach the last step, then it is highly likely that he will execute the macros. However, notice that the attacker is able to control every step but not the macro warnings.
In order to leverage this simple bypass, the following conditions must be met:
- victim opens legitimate document macro.doc(m) and authorises the execution of macros
- victim downloads another macro.doc(m) with malicious macros and overwrites the previous macro.doc(m)
- victim opens macro.doc(m) and the macros execute without warning
From an attacker’s perspective, he must know:
- the name of a document containing macros that the victim downloaded
- the victim authorised the execution of the macros embedded in the legitimate document
- the victim will download the attacker’s version of the aforementioned file and overwrite it while keeping the same name
- the victim will open the document again
Too man assumptions? Seems unrealistic? Let us see:
- The first condition can be easily met if the attacker is an insider threat (e.g. employee knows every co-worker receives a macro-enabled document every month with a template name such as [MONTH]_EVENTS.doc) or if the attacker was able to compromise en email account and found legitimate emails containing macro-enabled documents
- Requirement met for insider threat but not guaranteed for compromised email. However, if the email was read and not deleted from the inbox, the probability of download and access increases. Also, assuming a read-once document (e.g. event announcement), the victim will likely download it to a default folder (e.g. Downloads) and keep the it there until The Judgement Day or low disk capacity warnings, whichever comes first
- Once more, assuming a read-once, the victim will likely save both the original and the malicious on a default folder (e.g. Downloads) and open it from the browser. Being laziness common, he will likely overwrite the document to avoid giving a different name or having a duplicate. This is mostly true if the malicious email and the old email have a context that justifies the similarity of attachments’ names.
If the victim reached the last step, well, you know the rest.
While i am not a big fan of theoretic attacks and attack models, my academic side was able to persuade me into writing this post. With the current compromise strategy leveraging malicious Office documents, the attacker may be stopped by an Office warning. Leveraging this bypass and a couple of reasonable assumptions, the chances of infecting an end-user improve. In the end, it is all about increasing the odds. Food for thought paranoids, food for thought…
Stay safe 😉