Malware operators can hide the use of malicious macros to distribute malware by simply renaming the offending Office documents, Cisco researchers reveal.
Microsoft switched macros off by default in 2007, and also introduced new file formats that no longer supported macros, but cybercriminals have discovered ways of getting around that. Macro malware, a great concern a decade ago, returned strong last year, showing that cybercriminals can find ways to abuse old methods to distribute new threats can continue to make various improvements.
Macros are snippets of code that are automatically executed when a document is opened, as long as they are enabled, and malware creators have been long abusing the feature to distribute their programs. In 2007, Microsoft switched to a default Word document format that no longer supported macros: DOCX.
To ensure that files are safe for opening, Microsoft also introduced OfficeOpen XML (OOXML) standard in Office 2007, where the [Content_Types].xml component of the document (which is, in fact, an archive), provides the MIME type information for the other components. Thus, if it asserts the MIME type for DOCX, Office will not save or run macro code for the file. The same applies to the DOTX file format, but not to DOCM and DOTM, which support macros.
This also means that, because of the MIME type agreement, Office will open a file according to the file data, not to the filename extension. Basically, if Word can identify the data structure, it can open an OOXML file with macros (DOCM or DOTM) even if it has a different filename extension. “This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format,” Cisco researchers reveal.
This means that cybercriminals can disguise DOCM files containing embedded macros as other file formats by simply changing the extension.
“For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code,” Cisco researchers say, adding that this tactic is already being abused in the wild.
Cisco’s Talos team has been tracking this type of activity and says that there has been a rapid increase in the deployment rate over the past months. After analyzing the macro payload in thousands of DOTM files discovered between March 18 and July 13, researchers discovered the reuse of a pattern of machine obfuscated macros.
“Once the collision was discovered, the macro collisions occurring in at least four distinct DOTM files were pulled out for further inspection. This accounted for a whopping 64% of all DOTMs discovered over a four month period,” researchers say.
What’s more, Cisco explains that, although their analysis has focused on Word documents with malicious macros, the attack can be carried out using similar OOXML formats for Excel and PowerPoint. PPTM files that feature malicious macros can be disguised as PPT presentations, and XLSM files can be masqueraded as text-only CSV spreadsheet files.
The culprit, the team explains, is a MS Office component called WWLIB.DLL, which validates OOXML file types by confirming the MIME type of the file. The validation will always pass if the MIME type is OOXML, even if the file extension does not hint at an OOXML file type. To block the attack, the researcher say, WWLIB validation needs to be patched “to verify that the file extension is as expected when a DOCM or DOTM MIME type is encountered.”