A serious security flaw affecting all versions of Microsoft Office has been discovered by security researcher Lino Antonio Buono. The flaw lies within a legitimate feature of Microsoft Office and allows malicious actors to create and spread macro-based self-replicating malware. It takes advantage of the fact that a registry key value dictates whether external (or untrusted) macros are trusted; by changing the value of that registry key, all macros can be moved into the trusted zone.
This flaw allows macros to write more macros. The macro-based self-replicating technique itself is not new, and Microsoft has already introduced a security mechanism in MS Office that limits this functionality by default. The researcher, however, has discovered a simple technique that could allow anyone to bypass the security control put in place by Microsoft and to create and spread self-replicating malware hidden inside unsuspecting-looking MS Word documents.
How the Attack Works:
By default, Microsoft disables external (or untrusted) macros and restricts programmatic access to the Office VBA project object model. Users can manually enable “Trust access to the VBA project object model” whenever required. When this setting is enabled, MS Office trusts all macros and runs any code without showing a security warning or requiring the user’s permission.
Buono found that this setting can be enabled or disabled by editing a Windows registry value (shown in an image in the original article).
An attacker can create a malicious MS Word document that enables “Trust access to the VBA project object model” by updating the “AccessVBOM” registry value.
Buono has created a PoC video demonstrating how an MS Word document embedding malicious VBA code could be used to deliver self-replicating, multi-stage malware: it first enables macros by updating Windows registry entries and then injects the malicious macro payload (VBA code) into every document file that the victim interacts with.
A new macro-based self-replicating ransomware using the attack technique described above has recently been reported by Trend Micro, which has named it “qkG”. This ransomware employs an Auto Close VBA macro, a technique that executes the malicious macro when the victim closes the document. According to the researchers, qkG is more of an experimental project or a proof of concept (PoC) than malware being actively used. qkG is the first ransomware that scrambles one file type, and also one of the few file-encrypting malware families written in Visual Basic for Applications macros. It is also unusual because, unlike regular ransomware that uses macros only to download the ransomware payload, it carries out the attack in the malicious macro code itself, a technique also used by .lukitus, a variant of the Locky ransomware.
Though this method hasn’t been used by attackers as yet, if they do adopt it the situation will become very difficult to deal with, as the attack method exploits a legitimate MS Office feature and a majority of antivirus software doesn’t issue a warning or block MS documents based on their VBA code.
According to the researcher, Microsoft doesn’t regard this as a security issue and instead claims that the feature is designed to function like this. All external and untrusted macros are disabled by default as per the latest change in the macro settings, which limits macros’ default access to the Office VBA project model. Users need to manually enable external macros by clicking on “Trust access to the VBA project object model”. This setting allows MS Office to automatically trust all macros and run the code without displaying a security warning or asking for the user’s permission to run it.
Buono suggests: “In order to (partially) mitigate the vulnerability it is possible to move the ‘AccessVBOM’ registry key from the HKCU hive to the HKLM, making it editable only by the system administrator.”
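The mechanism above (the AccessVBOM value deciding whether VBA project access is trusted) and Buono’s mitigation suggest a simple defender-side check. The following audit script is an added example, not code from the article or from Buono; the per-user and Group Policy registry paths it walks are the standard Office locations and are assumed here, since the article names only the value and the HKCU/HKLM hives.

```powershell
# Audit script (added example): reports any Office application for which the current
# user's AccessVBOM value is set to 1, i.e. "Trust access to the VBA project object
# model" is enabled, and optionally resets the per-user value to 0.
# Assumed paths: per-user settings live under HKCU\Software\Microsoft\Office\<ver>\<app>\Security,
# Group Policy-managed values under HKCU\Software\Policies\Microsoft\Office\<ver>\<app>\Security.
$officeVersions = '14.0', '15.0', '16.0'          # Office 2010, 2013, 2016/2019/365
$apps           = 'Word', 'Excel', 'PowerPoint', 'Access', 'Outlook'

function Get-AccessVbomStatus {
    foreach ($ver in $officeVersions) {
        foreach ($app in $apps) {
            $userKey   = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$ver\$app\Security"
            foreach ($path in @($userKey, $policyKey)) {
                if (-not (Test-Path $path)) { continue }
                $val = (Get-ItemProperty -Path $path -Name AccessVBOM -ErrorAction SilentlyContinue).AccessVBOM
                if ($null -eq $val) { continue }       # value absent: Office default (access denied)
                [pscustomobject]@{
                    Application = $app
                    Version     = $ver
                    Path        = $path
                    Managed     = $path -like '*\Policies\*'   # set by policy rather than per user
                    AccessVBOM  = $val
                    Risk        = if ($val -eq 1) { 'HIGH: VBA project access trusted' } else { 'ok' }
                }
            }
        }
    }
}

# Remediation for the per-user value only; policy-managed values are left to the administrator.
# A macro that flipped AccessVBOM to 1 (as in the attack described) is undone by this reset.
function Reset-AccessVbom {
    Get-AccessVbomStatus |
        Where-Object { $_.AccessVBOM -eq 1 -and -not $_.Managed } |
        ForEach-Object {
            Set-ItemProperty -Path $_.Path -Name AccessVBOM -Value 0 -Type DWord
            Write-Output "Reset AccessVBOM to 0 at $($_.Path)"
        }
}

Get-AccessVbomStatus | Format-Table -AutoSize
```

Running the audit on a schedule (or as a scheduled task after each Office session) surfaces the registry change the article describes as the first stage of the attack, before the macro payload can be copied into further documents.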
This technique of bypassing the default Microsoft Office settings can be used to trust external or untrusted macros and automatically run any code without showing a security warning or requiring the user’s permission. Moreover, once a victim mistakenly allows the malicious document to run its macros, his or her system remains open to further macro-based attacks, and the victim unknowingly spreads the same malicious code to other users by sharing any infected Office files from that system.
Currently, there is no solution that addresses this particular attack. It remains to be seen how Microsoft will respond, whether by adopting Buono’s suggestion to move the registry key under HKLM or by addressing it in a different way.
The best way to be protected from such malware is to always be suspicious of any uninvited documents sent via email and to never click on links inside those documents without adequately verifying the source.