Author Topic: Evil Clippy Makes Malicious Office Docs that Dodge Detection

javajolt
Security researchers brought to life and released a wicked variant of Clippy, the recently resurfaced assistant in Microsoft Office that we all loved so much to hate, that makes it more difficult to detect a malicious macro in documents.

Dubbed Evil Clippy, the tool modifies Office documents at file format level to spew out malicious versions that get by the static analysis of antivirus engines and even utilities for manual inspection of macro scripts.

To do this, it takes advantage of undocumented features, unclear specifications, and deviations from intended implementations.

Macros are snippets of VBA (Visual Basic for Applications) code that automate tasks in Microsoft Office applications. They are commonly used to deliver malware when the user opens a document.

Exploiting MS Office behavior
Researchers at Dutch security testing company Outflank developed Evil Clippy for professionals running red team attacks against a client organization. The tool runs on Windows, macOS, and Linux.

The tool can be used with document formats for Microsoft Office 97 - 2003 (.DOC and .XLS) and 2007 and above (.DOCM and .XLSM, which are basically ZIP containers and come with macros enabled). All these file types use the Compound File Binary Format (CFBF), and Outflank's program modifies it using the OpenMCDF library.

One technique Evil Clippy uses to generate a maldoc is "VBA stomping," a method detailed by Walmart's security team, by which the original source code of the VBA script can be replaced while the VBA engine still runs its compiled form, called pseudo-code, or p-code for short.

Infosec expert Vesselin Bontchev detailed publicly that VBA scripts can execute at runtime in three forms, with p-code being the most popular.

A compressed version of the macro source code exists in Office files for compatibility reasons. But as long as the Office application that opens the document has the same version of the VBA engine that created the script, the p-code is executed, and the source code can even be missing.

"In fact, even when you open the source of a macro module in the VBA editor, what is displayed is not the decompressed source code but the p-code decompiled into source," Bontchev explains.

Outflank researchers explain in a technical description of the tool that common VBA analysis tools (OleVBA, OleDump, or VirusTotal) focus on the source code. If only p-code is present, they will not even detect the presence of a macro script.
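What those tools read is the compressed source stored in each VBA module stream (MS-OVBA section 2.4.1), so the bytes recovered here are exactly what VBA stomping overwrites while the p-code elsewhere in the stream stays intact. The decompressor and the sample below are an added example, not code from the article or from Outflank; the sample container is constructed by hand.

```python
import struct

def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (MS-OVBA 2.4.1), the
    format in which VBA module source is stored next to the p-code."""
    if not container or container[0] != 0x01:
        raise ValueError("missing CompressedContainer signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunk signature")
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)
        chunk_start = len(out)          # copy offsets never cross a chunk
        pos += 2
        if not header >> 15:            # flag 0: chunk stored uncompressed
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]
            pos += 1
            for bit in range(8):        # one flag bit per token, LSB first
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal token
                    out.append(container[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]
                pos += 2
                # CopyToken: the offset/length split depends on how much of
                # the chunk is already decompressed (at least 4 offset bits).
                bits = max(4, (len(out) - chunk_start - 1).bit_length())
                length = (token & (0xFFFF >> bits)) + 3
                offset = (token >> (16 - bits)) + 1
                for _ in range(length):             # overlapping copy
                    out.append(out[-offset])
    return bytes(out)

# Constructed sample (not from the article): b"Sub AutoOpen()\r\nEnd Sub\r\n"
# compressed as 22 literals plus one CopyToken (0x9800: offset 20, length 3)
# that reuses the "Sub" at the start of the chunk.
SAMPLE = (b"\x01\x1a\xb0"                 # signature, chunk header 0xB01A
          b"\x00Sub Auto"                 # flag byte 0x00: 8 literals
          b"\x00Open()\r\n"               # flag byte 0x00: 8 literals
          b"\x10End \x00\x98\r\n")        # flag 0x10: 4 literals, copy, 2 literals

if __name__ == "__main__":
    print(decompress_ovba(SAMPLE).decode())
```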

Evading detection, hindering analysis

What Evil Clippy does to outsmart them is to replace the macro source code in a document with a fake script that does not trigger an alert. The malicious p-code, though, gets executed when opening the modified Office file.

In a test, a file regularly detected by more than 30 antivirus engines bypassed most of them after Evil Clippy had been applied to it.

As a small caveat, an attacker needs to know the version of Microsoft Office on the target machine. This is a minor problem in a targeted attack, where reconnaissance is the first stage of the operation.

Moreover, Evil Clippy offers a solution via a maldoc stored on a remote server: the server recognizes the Office version of the victim retrieving the maldoc and immediately patches the document to ensure compatibility. The information is present in the HTTP header:

Another snag is that the VBA engine reconstructs the macro source from the p-code after running it, in order to show it in the built-in editor. Evil Clippy's trick for this is to modify the part of the document that stores the VBA project's properties. An alternative is to mark the project as locked and forbid access to the macro code.

An extra method is to confuse security tools that work at the file format level. Bontchev's "pcodedmp" utility extracts the p-code; to hinder such analysis, Evil Clippy uses random ASCII for module names in the VBA project, which crashes the analysis tools with a "file not found" error.

Maldocs are an irresistible lure
Because of increased abuse of macros, Microsoft has them disabled by default across its Office suite. The feature is useful enough that it remains available: users can enable it when they decide to trust the source of the document.

This measure did not eradicate malicious use; it only led cybercriminals to develop social engineering skills to lure victims into turning on macros and downloading malware.

Threat actors of all levels and ranks continue to use this feature with various degrees of success. A well-crafted email promoting a tempting document embedded with a malicious macro is a good trap for unsuspecting victims.

The method has been seen with Trickbot and Emotet. Cyber-espionage groups like DarkHydrus and the infamous Fancy Bear (a.k.a. APT28) also rely on this technique to compromise their targets.

Outflank released Evil Clippy at BlackHat Asia in March and its source code is publicly available. It can also be downloaded in binary format.
