Microsoft Workplace paperwork are used worldwide by each companies and residential customers. Its completely different workplace variations, whether or not licensed or unlicensed, provide customers a straightforward option to create and modify recordsdata. Nevertheless, this software program can be prone to cyberattacks.

Cyber ​​criminals typically make the most of their vulnerability and use VBA (Visible Primary Utility) macros as entry factors to realize entry to focus on methods and units.

Through the years, VBA macros have been a pervasive menace to Workplace paperwork with their potential to unfold malware. And that is why Microsoft lastly determined to dam VBA macros for recordsdata which have the ‘mark of the online’ (MOTW) tag. With this alteration, every time customers open a file downloaded from the Web, similar to e mail attachments which have macros, the next message will likely be displayed:

Determine 1. Safety threat warning

In consequence, attackers are actually pressured to consider alternative routes to achieve their victims. And that is the place Microsoft plugins come into the image.

What are Microsoft Add-ons?

An add-on is a software program program that extends the capabilities of the principle packages. It’s a time period generally utilized by Microsoft and different platforms which have extra options that may be added to the principle packages. Workplace Add-ins are DLL recordsdata which have completely different extensions relying on the appliance. Microsoft Excel and Phrase have plugins with the file extensions, ‘.xll’ and ‘.wll’ respectively.

For the phrase, the ‘.wll’ The add-in should be positioned in a particular location, specified by the HKCUSoftwareMicrosoftOffice16.0WordSecurityTrusted Areas registry worth, relying on the model of Workplace. This can make sure that ‘.wll’ the add-in runs by the Phrase software.

For Excel add-ins, so long as ‘.xll’ the file is uploaded, it should open with an Excel software.

Malicious XLL recordsdata

Many menace actors have began utilizing XLL recordsdata as their preliminary vector. These recordsdata are largely shared as an e mail attachment. It’s related to an icon much like one other Excel-compatible file, making it troublesome for finish customers to differentiate between the unique Excel file and an add-in file.

Determine 2. Malicious DLL with .XLL extension

When opening such recordsdata, Excel will show a warning in regards to the malicious code it accommodates.

Fig.3. MS Workplace Warning for Plugin

It’s potential for a “.dll” (dynamic hyperlink library) file to be renamed as a “.xll” (Excel Add-in) and is used for malicious functions. The distinction between a standard DLL file and an XLL file is that XLLs can have sure exported capabilities that will likely be known as by the Excel Add-in supervisor if activated by the Excel software. When Excel begins the XLL file, it should name the export capabilities primarily based on the XLL interface outlined as xlAutoOpen and xlAutoClose much like the strategies auto_open and automotive closed in VBA macros. These capabilities can be utilized to add malicious code and obtain the malware payload.

Technical evaluation:

It begins with a file known as “BankStatement-1674745402.xll”, which is a 64-bit DLL file. This file accommodates an export operate with the title “xlAutoOpen” as proven in determine 4.

Determine-4. DLL export operate

We’ve got run this DLL file explicitly utilizing “rundll32.exe” with the parameters,

“C:WindowsSysWOW64rundll32.exe C:UsersuserDesktop9009859256BankStatement-1674745402.xll, xlAutoOpen”.

In determine 5, we will see the execution circulate of the method.

Determine-5. Execution Course of Circulate

The export operate has code (proven in Determine 6) that makes use of the strcat operate to generate completely different strings which have hyperlinks and instructions for execution. The next operate creates a hyperlink “http[:]//160[.]119[.]253[.]36/filesetup_v17.3.4.zip” and check out connecting to this hyperlink to obtain the zip file and put it aside as a “myphotos.zip”.

Determine-6. Code for hyperlink era and connection

After this, PowerShell is used to unzip this zip file to %Temp% folder with beneath talked about command,

“powershell.exe Broaden-Archive –Path “C:UsersuserAppDataLocalTempmypictures.zip” -DestinationPath “C:UsersuserAppDataLocalTemp””

After unzipping we get “configuration_file_v17.3.4” named folder within the %Temp% folder that has the “Assets” folder and “configuration_file_v17.3.4.jpg” file inside.

Determine-7. configuration_file_v17.3.4 folder in Temp

The sources folder has a number of XML recordsdata that include dummy information. The attackers put that information on function to make evaluation exhausting. He “configuration_file_v17.3.4.jpg” just isn’t a picture file format file. It’s nothing greater than a 32-bit PE file written in .NET language and appears like an installer for the Inno configuration module.

An Inno Setup is a well-liked free set up framework used to create installers for Home windows functions. It gives a scripting language that enables builders to customise the set up course of, together with creating shortcuts, registry entries, and different system settings.

Determine-8. “configuration_file_v17.3.4.jpg” file data in Die software

This .NET file has 213 strategies (proven in Determine 9) which can be closely obfuscated. We will de-obfuscate utilizing de4dot obfuscators To keep away from inverting a .NET software, the creator has carried out a number of strategies to make it tougher for any researcher to grasp the code and logic of the appliance.

Determine-9. “.NET Methodology Depend”

This “configuration_file_v17.3.4.jpg” file executed utilizing beneath talked about command,

“cmd.exe /c begin C:UsersuserAppDataLocalTempfilesetup_v17.3.4filesetup_v17.3.4.jpg”

This file makes use of some anti-debugging methods at the beginning of execution that are talked about beneath,

1. OllyDbg is a well-liked debugging software that can be utilized to investigate and modify working packages, together with .NET functions. One method to detect and forestall debugging utilizing OllyDbg is to verify for the presence of a particular string related to the debugger.

Determine-10. OLLDBG Instrument Examine

2. Checking the debugger log, which is used to find out if a debugger is hooked up to the method and take acceptable motion if one is discovered.

Determine-11. Debugger log verify

3. The IsDebuggerPresent operate is used to detect if a debugger is hooked up to the method or not.

4. The CheckRemoteDebuggerPresent operate is used to detect whether or not a debugger is linked to the present course of or a distant course of or not.

Determine-12. IsDebuggerPresent and CheckRemoteDebuggerPresent capabilities

Racoon Stealer V2 is a sort of malware designed to steal confidential data from contaminated methods. It’s able to stealing numerous varieties of recordsdata together with .ttf and .xml recordsdata and storing them on the contaminated system. Nevertheless, if the CNC (command and management) server is down, the malware could not be capable to ship the stolen data to the server for exfiltration.

On this situation, the stolen .ttf and .xml recordsdata can stay on the contaminated system till the CNC server turns into accessible. This could doubtlessly expose delicate data to the attacker, since they’ll nonetheless entry the stolen recordsdata on the compromised system.

Quick Therapeutic Safety:

Fast Heal Safety Labs have been actively searching for all these recordsdata to make sure that all Fast Heal clients are protected with the next detections.

• Downldr.XllfmAgent.S29349494
• Downldr.XllDanot.S29357788
• Trojan.GenericRl.S24740760
• Trojan.RacoonStealerCiR

Conclusion:

In conclusion, Microsoft plugins can current a possible menace vector for malware like Raccoon Stealer V2. Most of these malware are designed to steal delicate data from contaminated methods and use Microsoft plug-ins as a way to ship the malware to focus on methods. To mitigate this threat, organizations ought to implement finest practices for endpoint safety, similar to preserving software program updated, implementing sturdy antivirus and antimalware options, enabling firewalls and different community safety measures, and educating customers. on steps to establish and keep away from social engineering assaults. By taking these steps, organizations can considerably cut back the danger of malware assaults and information theft through Microsoft plug-ins and different potential assault vectors.

IOC:

IP:

160.119.253.242

160.119.253.36

45.93.201.114

URL:

http[:]//160[.]119[.]253[.]36/filesetup_v17.3.4.zip

Malicious DLL file:

ab06eca36c9e011a149ea1625b8ad3629907b2a418ce10fe039870a3d9928bb0

9a652f77b9fba07d04e4021d3f533791bdedf4284fbbc007b4c55fea94a46635

6f74060f131c9034f55349cdeb2b5ebbd73582e6ac9da11c9310892bfdfeba36

5dfa56596b133d080b770e11783b1763da445dc2fef57fe060c87e7b73012308

2d9e90155343ba8f8f8e16c80b1dc62227f607c2ba277491c6f8f384bf5e0499

16522212c1b951ffab57e8f8fa288295cca5d9600e83b74551601246841cae91

0ec2bb5aad17efc7e1e1d8371b04684957684fec8e73df62bd41320bbf517b13

4da00e7d529be457c914b085d66f012c070bf6e3f85675303aa41a7689c08c75

Malicious ZIP file:

59d2403b99c95a057e43dd25e3d58b66331d130b52c19d2919e7966023ede5f6

Expert:

Anjali Raut, Akshay Gaikwad