UPDATE
A feature in Microsoft Office’s Excel spreadsheet program called Power Query can be exploited to plant malware on remote systems. Researchers at Mimecast Threat Center say they have developed a proof-of-concept attack scenario and reported the vulnerability Thursday.
The exploitable feature in Excel, called Power Query, allows users to embed outside data sources such as external databases or web-based data into a spreadsheet. Mimecast developed a technique to launch a remote Dynamic Data Exchange (DDE) attack into an Excel spreadsheet, deliver a malicious payload and actively control the payload via Power Query.
“Power Query could also be used to launch sophisticated, hard-to-detect attacks that combine several attack surfaces. Using Power Query, attackers could embed malicious content in a separate data source, and then load the content into the spreadsheet when it is opened,” wrote Ofir Shlomo, security research team leader at Mimecast in a technical description of the proof-of-concept (PoC) attack.
Mimecast said it worked with Microsoft in its disclosure process; however, Microsoft declined to release a fix. Instead, Microsoft is suggesting workaround mitigations to fend off attacks exploiting the PoC technique. That includes a 2017 Microsoft Advisory on properly securing applications when processing Dynamic Data Exchange fields.
In a statement to Threatpost, Microsoft said: “We have reviewed claims in the researchers’ report and for this technique to work, a victim would need to be socially engineered to bypass multiple security prompts prior to loading external data or executing a command from a DDE formula. A security update was released in January 2018 for all supported editions of Microsoft Excel allowing customers to set the functionality of the DDE protocol.”
One Mimecast attack scenario starts with an adversary hosting an external webpage on an HTTP server that contains the malicious payload that will eventually be dropped into the spreadsheet. “The HTTP server listened locally on port 80 and served DDE content as a response when a request was received from the spreadsheet,” Shlomo said.
Using Microsoft Excel 2016, the target who is enticed to open the spreadsheet is prompted to allow Excel to request the malicious webpage hosted remotely. The request to fetch and load the third-party data is not silent; rather, the user is presented with a dialog box offering “OK” or “Cancel” in which the URL is clearly shown.
If the user chooses to permit the outside data to load into the Excel spreadsheet cell, the attack begins. “To make the DDE run, the user is required to double click the cell that loads the DDE and to then click again to release it. Those operations will trigger the DDE and launch the payload that was received from the web,” the researcher wrote.
No User Interaction Required for Payload Delivery
However, researchers say that in the older Microsoft Excel 2010 the payload is automatically executed, with no user interaction needed. The command “Get External Data >> From Web” is triggered when opening the Excel spreadsheet, with no “Click to run” prompt. In these requests, Excel uses the Connections.xml framework in tandem with web properties (webPr) rather than database properties (dbPr). “Unlike ‘dbPr,’ ‘webPr’ [is much simpler and] does not require any user actions to run the payload,” the researcher explained.
While constructing headers for the web requests for the malicious payloads, researchers found they could bypass anti-virus and sandboxing capabilities of targeted systems when creating the PoC using Microsoft Office 2010. They did this by creating false headers.
“The anti-virus extracted the URL of the HTTP server from the file but did not parse the headers. When the AV sent a test request, the server knew this was from the AV and not the spreadsheet,” Mimecast said. “The DDE will be served only when the ‘Referer’ HTTP header is set to ‘www.google.com.’ Otherwise, the content won’t be served.”
This technique allowed researchers to avoid AV detection. A separate method was needed for avoiding sandboxing of malicious content. To do this, an adversary could set the Power Query feature to “auto refresh” every minute. Next, the attacker would send the Excel spreadsheet with no payload stored remotely. That way no malicious content would be red-flagged or need to be sandboxed.
Once the document was opened and saved, the attacker could then load up the external HTTP server with a malicious payload to be delivered via Power Query.
“Avoiding malicious content that could potentially mark this file as malware by forcing the file to refresh data when opening the file and removing data from the external data range before saving. Those properties ensure that the payload in the file will update when the file is opened,” the researcher wrote.
According to researchers, setting the refresh interval to one minute meant “every sandbox that executed the file in less than 10 minutes would never get [the] payload.”
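The two mechanics the article describes, the `webPr` connection that needs no user action and the refresh-on-open plus one-minute auto-refresh that starves a sandbox, both live in the workbook's XML parts, which means a mail gateway or incident responder can look for them before Excel ever opens the file. The following triage script is an added example for this write-up; it is not code from Threatpost or from Mimecast's research. It relies on the OOXML part names and attributes (`xl/connections.xml`, `connection` with `refreshOnLoad`, `interval` and `saveData`, `webPr` versus `dbPr`, and `ddeLink` under `xl/externalLinks/`); the five-minute interval threshold and the `is_suspicious` verdict are this example's own choices, and the sample workbook it builds, including its URL, DDE service and topic values, is constructed for testing only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Default namespace of xl/connections.xml and xl/externalLinks/*.xml in OOXML workbooks.
MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}

# Refresh intervals (minutes) at or below this are treated as "polling" behaviour.
# The threshold is this example's own choice, not a documented Excel limit.
SHORT_INTERVAL_MIN = 5


def scan_xlsx(data: bytes) -> dict:
    """Inspect an .xlsx (a zip container) for the external-data indicators the article
    discusses: web (webPr) vs database (dbPr) connections, refresh-on-open, short
    auto-refresh intervals, and DDE link parts."""
    findings = {"web_connections": [], "db_connections": [], "dde_links": [], "flags": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "xl/connections.xml" in names:
            root = ET.fromstring(zf.read("xl/connections.xml"))
            for conn in root.findall("m:connection", NS):
                refresh_on_load = conn.get("refreshOnLoad") == "1"
                interval = int(conn.get("interval", "0"))
                web = conn.find("m:webPr", NS)
                db = conn.find("m:dbPr", NS)
                if web is not None:
                    url = web.get("url", "")
                    findings["web_connections"].append(url)
                    if refresh_on_load:
                        findings["flags"].append(f"web connection refreshes on open: {url}")
                    if 0 < interval <= SHORT_INTERVAL_MIN:
                        findings["flags"].append(
                            f"web connection auto-refreshes every {interval} min: {url}")
                if db is not None:
                    findings["db_connections"].append(db.get("connection", ""))
        for name in names:
            if name.startswith("xl/externalLinks/") and name.endswith(".xml"):
                root = ET.fromstring(zf.read(name))
                for dde in root.iter(f"{{{MAIN_NS}}}ddeLink"):
                    link = (dde.get("ddeService", ""), dde.get("ddeTopic", ""))
                    findings["dde_links"].append(link)
                    findings["flags"].append(f"DDE link to service {link[0]!r} in {name}")
    return findings


def is_suspicious(findings: dict) -> bool:
    """Triage verdict: any flag means the file deserves a manual look (example policy)."""
    return bool(findings["flags"])


def build_sample_xlsx(with_indicators: bool = True) -> bytes:
    """Construct a minimal workbook container for testing. URL, DDE service and topic
    are placeholders chosen for this example, not values from the Mimecast research."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0" encoding="UTF-8"?><Types '
                    'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        if with_indicators:
            # refreshOnLoad="1" and interval="1" correspond to "refresh when the file is
            # opened" and "auto refresh every minute"; saveData="0" is read here as
            # "external data not stored in the file" (this example's interpretation).
            zf.writestr("xl/connections.xml", f"""<?xml version="1.0" encoding="UTF-8"?>
<connections xmlns="{MAIN_NS}">
  <connection id="1" name="WebQuery" type="4" refreshedVersion="6"
              background="1" saveData="0" refreshOnLoad="1" interval="1">
    <webPr sourceData="1" parsePre="1" consecutive="1"
           url="http://example.invalid/data" htmlTables="1" htmlFormat="all"/>
  </connection>
</connections>""")
            zf.writestr("xl/externalLinks/externalLink1.xml", f"""<?xml version="1.0" encoding="UTF-8"?>
<externalLink xmlns="{MAIN_NS}">
  <ddeLink ddeService="sampleService" ddeTopic="sampleTopic"/>
</externalLink>""")
    return buf.getvalue()


if __name__ == "__main__":
    result = scan_xlsx(build_sample_xlsx())
    for flag in result["flags"]:
        print("FLAG:", flag)
    print("suspicious:", is_suspicious(result))
```

Because the scanner reads the container rather than rendering the workbook, it catches the sandbox-starving case the article describes: a file whose payload is absent at delivery time still carries the `refreshOnLoad` and `interval` settings, and those alone are enough to route it for inspection.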
The sandbox evasion was not a sure bet, and the PoC worked only a portion of the time, researchers said.
“Attackers are looking to subvert the detections that victims have. While there is a chance that this kind of attack may be detected over time as threat intelligence is shared between various security experts and information sharing platforms, Mimecast strongly recommends all Microsoft Excel customers implement the workarounds suggested by Microsoft as the potential threat to these Microsoft users is real and the exploit could be damaging,” Shlomo wrote.
(On June 28 at 9:35 a.m. EDT the story was updated with a comment from Microsoft)