December 6, 2023

Building successful macro attacks means getting past several layers of security, but a Black Hat speaker found a way through.
Microsoft Office is no stranger to vulnerabilities and exploits.

Most of those vulnerabilities led from Microsoft Office to Microsoft Windows, but it’s possible for an attacker to take an exploit path from Microsoft Office to macOS .

The Human Error

In most of the macro-based attacks, human intervention on the part of the victim is required at least once, and usually twice, Wardle said. First, the victim must click on an email attachment or malicious link in order to download and open the infected document. Next, in most cases macros will not run on a system by default — they must be given explicit permission to run by the user.

Most macro-based attacks have two stages, Wardle explained. In the first — the stage given explicit permission to run by the victim — code executes that checks the system status, checks for the presence of anti-malware software, and then downloads the second stage. It’s the second stage payload that contains the “working” code of the attack, whether it’s skimming credentials, creating a bot, or encrypting the system’s data as part of a ransomware scheme.

Out of the (Sand)box

Modern malware writers have an additional hurdle to overcome. Microsoft Office now executes all macros in a “sandbox,” a walled-off environment within the operating system that prevents code from gaining persistence or interacting with the system as a whole. The goal for malware writers is breaking out of the sandbox.

Researchers found ways to include SYLK files and XLM code that make macros execute whether or not they’re invoked or allowed. They still run within the sandbox. Wardle showed that it’s possible to create files through a macro — files that can be placed outside the macro and can be built to auto execute on system boot. That combination is the key to persistence, one of the golden tickets that attackers pursue in any campaign.

What kind of files can fit the twin bill?

A ZIP file, dropped into the proper subdirectory, will be invoked automatically. While the latest macOS endpoint security framework should detect such a file’s creation, Wardle said that there’s room for research here

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d