Friday, September 16, 2022

XLL_Phishing – XLL Phishing Tradecraft

With Microsoft's recent announcement concerning the blocking of macros in documents originating from the internet (email AND web download), attackers have begun aggressively exploring other options to achieve user driven access (UDA). There are a number of considerations to be weighed and balanced when searching for a viable phishing-for-access technique:

  1. Complexity – The more steps that are required on the user's part, the less likely we are to be successful.
  2. Specificity – Are most victim machines susceptible to your attack? Is your attack architecture specific? Does certain software need to be installed?
  3. Delivery – Are there network/policy mitigations in place on the target network that limit how you could deliver your maldoc?
  4. Defenses – Is application whitelisting enforced?
  5. Detection – What kind of AV/EDR is the client running?

These are the major questions, however there are certainly more. Things get more complex as you realize that these factors compound one another; for example, if a client has a web proxy that prohibits the download of executables or DLLs, you may need to stick your payload inside a container (ZIP, ISO, etc). Doing so can present further issues down the road when it comes to detection. More robust defenses require more complex combinations of techniques to defeat.

This article will be written with a fictional target organization in mind; this organization has employed several defensive measures including email filtering rules, blacklisting certain file types from being downloaded, application whitelisting on endpoints, and Microsoft Defender for Endpoint as an EDR solution.

Real organizations may employ none of these, some, or even more defenses which may simplify or complicate the techniques outlined in this research. As always, know your target.

What are XLLs?

XLLs are DLLs, specifically crafted for Microsoft Excel. To the untrained eye they look a lot like normal Excel documents.

XLLs provide a very attractive option for UDA given that they are executed by Microsoft Excel, a very commonly encountered piece of software in client networks; as an added bonus, because they are executed by Excel, our payload will almost assuredly bypass Application Whitelisting rules because a trusted application (Excel) is executing it. XLLs can be written in C, C++, or C#, which provides a great deal more flexibility and power (and sanity) than VBA macros and further makes them a desirable choice.

The downside of course is that there are very few legitimate uses for XLLs, so it SHOULD be a very easy box to check for organizations to block the download of that file extension via both email and web download. Unfortunately many organizations are years behind the curve and as such XLLs stand to be a viable technique of phishing for some time.

There are a series of different events that can be used to execute code within an XLL, the most notable of which is xlAutoOpen. The full list may be seen here:

Upon double clicking an XLL, the user is greeted by this screen:

This single dialog box is all that stands between the user and code execution; with fairly thin social engineering, code execution is all but assured.

Something that must be kept in mind is that XLLs, being executables, are architecture specific. This means that you must know your target; the version of Microsoft Office/Excel that the target organization uses will (usually) dictate what architecture you need to build your payload for.

There is a fairly clear break in Office versions that can be used as a rule of thumb:

Office 2016 or earlier: x86

Office 2019 or later: x64

It should be noted that it is possible to install the other architecture for each product, however these are the default architectures installed and in most cases this should be a reliable way to decide which architecture to roll your XLL for. Of course, depending on the delivery method and pretexting used as part of the phishing campaign, it is possible to provide both versions and rely on the victim to select the appropriate version for their system.

Resources

The XLL payload that was built during this research was based on this project by edparcell. His repository has good instructions on getting started with XLLs in Visual Studio, and I used his code as a starting point to develop a malicious XLL file.

A notable deviation from his repository is that should you wish to create your own XLL project, you will need to download the latest Excel SDK and then follow the instructions on the previously linked repo using this version instead of the 2010 version of the SDK mentioned in the README.

Delivery

Delivery of the payload is a serious consideration in the context of UDA. There are two primary methods we will focus on:

  1. Email Attachment
  2. Web Delivery

Email Attachment

Whether by attaching a file or by including a link to a website where a file may be downloaded, email is a critical part of the UDA process. Over the years many organizations (and email providers) have matured and enforced rules to protect users and organizations from malicious attachments. Mileage will vary, but organizations now have the capability to:

  1. Block executable attachments (EXE, DLL, XLL, MZ headers in general)
  2. Block containers like ISO/IMG which are mountable and may contain executable content
  3. Examine zip files and block those containing executable content
  4. Block zip files that are password protected
  5. More

Fuzzing an organization's email rules can be an important part of an engagement, however care must always be taken so as not to tip one's hand that a Red Team operation is ongoing and that information is actively being gathered.

For the purposes of this article, it will be assumed that the target organization has robust email attachment rules that prevent the delivery of an XLL payload. We will pivot and look at web delivery.

Web Delivery

Email will still be used in this attack vector, however rather than sending an attachment it will be used to send a link to a website. Web proxy rules and network mitigations controlling allowed file download types can differ from those enforced for email attachments. For the purposes of this article, it is assumed that the organization prevents the download of executable files (MZ headers) from the web. This being the case, it is worth exploring packers/containers.

The premise is that we might be able to stick our executable inside another file type and smuggle it past the organization's policies. A major consideration here is native support for the file type; 7Z files for example cannot be opened by Windows without installing third party software, so they are not a great choice. Formats like ZIP, ISO, and IMG are attractive choices because they are supported natively by Windows, and as an added bonus they add very few additional steps for the victim.

The organization unfortunately blocks ISOs and IMGs from being downloaded from the web; furthermore, because they employ Data Loss Prevention (DLP), users are unable to mount external storage devices, which ISOs and IMGs are considered.

Luckily for us, even though the organization prevents the download of MZ-headered files, it does allow the download of zip files containing executables. These zip files are actively scanned for malware, including prompting the user for the password of password-protected zip files; however, because the executable is zipped it is not blocked by the otherwise blanket deny for MZ files.
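The gap the fictional organization leaves open here is exactly the control listed earlier under email attachments: examining a zip and blocking it when it contains executable content. The following is an added example written for this article, not code from the original post or from any gateway product, showing how such a check can be implemented. It walks every member of the archive regardless of how deeply it is nested in folders, reads the first two bytes of each member to look for an MZ header (so a renamed executable is still caught), and separately reports members it cannot read because they are encrypted. The sample archive it builds in memory is constructed for the example; the `.xll` inside it is only an MZ stub, not a real add-in.

```python
"""Gateway-side inspection of a ZIP for executable content at any nesting depth.

Added example for this article; not part of the original post or any product.
"""
import io
import os
import zipfile

# Extensions Windows/Excel will execute directly; .xll is the add-in format discussed in the post.
EXECUTABLE_EXTENSIONS = {".xll", ".dll", ".exe", ".scr", ".cpl"}


def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per archive member that is executable by header or by extension.

    Members are checked wherever they sit in the directory tree, so a payload placed one
    folder down is seen just like one at the archive root. Encrypted members cannot be read
    without the password, so they are reported on their own and a gateway may block them.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = os.path.splitext(name.rsplit("/", 1)[-1])[1].lower()
            reasons = []
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                reasons.append("encrypted member, content not inspectable")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ":  # DOS/PE magic, independent of the file name
                        reasons.append("MZ header (PE executable)")
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append(f"executable extension {ext}")
            if reasons:
                findings.append({"member": name, "depth": name.count("/"), "reasons": reasons})
    return findings


def should_block(zip_bytes: bytes) -> bool:
    """Policy decision: block the download if any member is executable or unreadable."""
    return bool(inspect_zip(zip_bytes))


def build_sample_zip(include_xll: bool = True) -> bytes:
    """Constructed sample archive: a folder holding a text file and (optionally) an MZ stub
    named like an XLL. The stub is not a real PE file; only its first two bytes matter here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("test/readme.txt", b"nothing to see here\n")
        if include_xll:
            zf.writestr("test/importantdoc.xll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_zip()):
        print(finding)
    print("block:", should_block(build_sample_zip()), "| benign block:", should_block(build_sample_zip(False)))
```

Checking the member header rather than only the extension matters because the extension can be changed freely while Explorer and Excel will still hand an MZ file to the loader; the `depth` field is there so an analyst can see that the executable was hidden inside a folder rather than at the root.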

Zip files and execution

Zip files were chosen as a container for our XLL payload because:

  1. They are natively compatible with Windows
  2. They are allowed to be downloaded from the internet by the organization
  3. They add very little additional complexity to the attack

Conveniently, double clicking a ZIP file on Windows will open that zip file in File Explorer:

Less conveniently, double clicking the XLL file from the zipped location triggers Windows Defender, even using the stock project from edparcell that does not contain any kind of malicious code.

Looking at the Windows Defender alert we see it is just a generic "Wacatac" alert:

However there is something odd; the file it identified as malicious was in C:\Users\user\AppData\Local\Temp\Temp1_ZippedXLL.zip, not C:\Users\user\Downloads\ZippedXLL where we double clicked it. Looking at the Excel instance in Process Explorer shows that Excel is actually running the XLL from AppData\Local\Temp, not from the ZIP file that it came in:

This appears to be a wrinkle associated with ZIP files, not XLLs. Opening a TXT file from inside a zip using Notepad also results in the TXT file being copied to AppData\Local\Temp and opened from there. While opening a text file from this location is fine, Defender seems to identify any kind of actual code execution in this location as malicious.

If a user were to extract the XLL from the ZIP file and then run it, it would execute without any issue; however there is no way to guarantee that a user does this, and we certainly cannot roll the dice on popping AV/EDR should they not extract it. Besides, double clicking the ZIP and then double clicking the XLL is far simpler, and a victim is far more likely to complete these simple actions than go to the trouble of extracting the ZIP.

This problem caused me to begin considering a different payload type than XLL; I began exploring VSTOs, which are Visual Studio Templates for Office. I highly encourage you to check out that article.

VSTOs ultimately call a DLL which can either be located locally with the .XLSX that initiates everything, or hosted remotely and downloaded by the .XLSX via http/https. The local option provides no real advantages (and in fact several disadvantages, in that there are several more files associated with a VSTO attack), and the remote option unfortunately requires a code signing certificate or for the remote location to be a trusted network. Not having a valid code signing cert, VSTOs do not mitigate any of the issues in this scenario that our XLL payload is running into.

We really seem to be backed into a corner here. Running the XLL itself is fine, however the XLL cannot be delivered on its own to the victim either via email attachment or web download due to organization policy. The XLL needs to be packaged inside a container, however due to DLP, formats like ISO, IMG, and VHD are not viable. The victim needs to be able to open the container natively without any third party software, which really leaves ZIP as the option; however as discussed, running the XLL from a zipped folder results in it being copied to and run from AppData\Local\Temp, which flags AV.

I spent many hours brainstorming and testing things, going down the VSTO rabbit hole, exploring all conceivable options until I finally decided to try something so dumb it just might work.

This time I created a folder, placed the XLL inside it, and then zipped the folder:

Clicking into the folder reveals the XLL file:

Double clicking the XLL shows the Add-In prompt from Excel. Note that the XLL is still copied to AppData\Local\Temp, however there is an additional layer due to the additional folder that we created:

Clicking enable executes our code without flagging Defender:

Nice! Code execution. Now what?

Tradecraft

The pretexting involved in getting a victim to download and execute the XLL will vary wildly based on the organization and delivery method; themes might include employee salary data, calculators for compensation based on skillset, information on a project, an attendee roster for an event, etc. Whatever the lure, our attack will be far more effective if we actually provide the victim with what they have been promised. Without follow through, victims may become suspicious and report the document to their security teams, which can quickly give the attacker away and curtail access to the target system.

The XLL on its own will simply leave a blank Excel window after our code is done executing; it would be much better for us to provide the Excel spreadsheet that the victim is looking for.

We can embed our XLSX as a byte array inside the XLL; when the XLL executes, it will drop the XLSX to disk beside the XLL and then the XLSX will be opened. We will name the XLSX the same as the XLL, the only difference being the extension.

Given that our XLL is written in C, we can bring in some of the capabilities from a previous writeup I did on Payload Capabilities in C, namely Self-Deletion. Combining these two techniques results in the XLL being deleted from disk, and the XLSX of the same name being dropped in its place. To the undiscerning eye, it will appear that the XLSX was there the whole time.

Unfortunately the location where the XLL is deleted and the XLSX dropped is the AppData\Local\Temp folder, not the original ZIP; to address this we can create a second ZIP containing the XLSX alone and also read it into a byte array within the XLL. On execution, in addition to the aforementioned actions, the XLL can attempt to locate the original ZIP file in C:\Users\victim\Downloads and delete it before dropping the second ZIP containing just the XLSX in its place. This would of course fail if the user saved the original ZIP in a different location or under a different name, however in many/most cases it should land in the user's Downloads folder automatically.

This screenshot shows in the lower pane the temp folder created in AppData\Local\Temp containing the XLL and the dropped XLSX, while the top pane shows the original File Explorer window from which the XLL was opened. Notice in the lower pane that the XLL has size 0. This is because it deleted itself during execution; however, until the top pane is closed the XLL file will not completely disappear from the AppData\Local\Temp location. Even if the victim were to click the XLL again, it is now inert and does not really exist.

Similarly, as soon as the victim backs out of the opened ZIP in File Explorer (either by closing it or navigating to a different folder), should they click spreadsheet.zip again they will now find that the test folder contains importantdoc.xlsx; so the XLL has been removed and replaced by the harmless XLSX in both locations where it existed on disk.

This GIF demonstrates the download and execution of the XLL on an MDE trial VM. Note that for some reason Excel opens two instances here; on my home computer it only opened one, so I am not quite sure why that differs.

Detection

As always, we will ask "What does MDE see?"

A quick screenshot dump to prove that I did execute this on target and catch a beacon back on TestMachine11:

First off, zero alerts:

What does the timeline/event log capture?

Yikes. Truth be told I do not know where the keylogging, encrypting, and decrypting credentials alerts are coming from, as my code does not do any of that. Our actions sure look suspicious when laid out like this, but I will again comment on just how much data is collected by MDE on a single endpoint, let alone the hundreds, thousands, or hundreds of thousands that an organization may have hooked into the EDR. So long as we are not throwing any actual alerts, we are probably okay.
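The timeline does record the two behaviours that make this chain distinctive even when no alert fires: Excel loading an .xll out of Explorer's Temp<N>_<archive>.zip extraction folder, and Excel deleting a ZIP in the user's Downloads folder. The following is an added example written for this article, not code from the original post and not an MDE query, showing a hunting rule over that telemetry. The line format and field names (process, action, path) are assumptions chosen for the example, and the log lines are constructed; the rule matches the XLL path at any depth below the Temp<N>_*.zip folder, so the extra-folder variant described above is caught the same way as the flat one.

```python
"""Endpoint-side hunting rule over constructed telemetry lines.

Added example for this article; not the original post's code and not an MDE query.
Field names and line format are assumptions made for the example.
"""
import re

# Explorer copies a double-clicked archive member to %TEMP%\Temp<N>_<archive>.zip\<member path>.
# Any .xll loaded from below that folder, at any depth, is an add-in run straight out of a ZIP.
XLL_FROM_ZIP_TEMP = re.compile(
    r"\\AppData\\Local\\Temp\\Temp\d+_[^\\]+\.zip\\(?:[^\\]+\\)*[^\\]+\.xll$", re.IGNORECASE
)
# Excel has no business deleting archives in Downloads; the post's runner does exactly that.
ZIP_IN_DOWNLOADS = re.compile(r"\\Downloads\\[^\\]+\.zip$", re.IGNORECASE)


def parse_line(line: str) -> dict:
    """Parse 'key=value' pairs; a value runs until the next ' key=' so paths may contain spaces."""
    return {m.group(1): m.group(2) for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", line)}


def evaluate(lines: list[str]) -> list[tuple[int, str, str]]:
    """Return (line number, rule name, path) for every line that trips a rule."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev.get("process", "").lower() != "excel.exe":
            continue  # both rules are about what Excel itself does
        path = ev.get("path", "")
        if ev.get("action") == "ImageLoad" and XLL_FROM_ZIP_TEMP.search(path):
            alerts.append((n, "xll_loaded_from_zip_temp", path))
        elif ev.get("action") == "FileDeleted" and ZIP_IN_DOWNLOADS.search(path):
            alerts.append((n, "excel_deleted_zip_in_downloads", path))
    return alerts


# Constructed sample telemetry modelled on the paths shown in the post (not real log data).
SAMPLE_LOG = [
    r"process=EXCEL.EXE action=ImageLoad path=C:\Users\user\AppData\Local\Temp\Temp1_spreadsheet.zip\test\importantdoc.xll",
    r"process=EXCEL.EXE action=ImageLoad path=C:\Users\user\AppData\Local\Temp\Temp1_ZippedXLL.zip\HelloWorldXll.xll",
    r"process=EXCEL.EXE action=ImageLoad path=C:\Program Files\Microsoft Office\root\Office16\ANALYS32.XLL",
    r"process=notepad.exe action=FileCreated path=C:\Users\user\AppData\Local\Temp\Temp1_notes.zip\notes.txt",
    r"process=EXCEL.EXE action=FileDeleted path=C:\Users\user\Downloads\spreadsheet.zip",
    r"process=EXCEL.EXE action=FileCreated path=C:\Users\user\AppData\Local\Temp\Temp1_spreadsheet.zip\test\importantdoc.xlsx",
]


if __name__ == "__main__":
    for n, rule, path in evaluate(SAMPLE_LOG):
        print(f"line {n}: {rule}: {path}")
```

The third line is the control: a legitimately installed add-in under the Office directory is loaded by the same process with the same action and must not match, which is why the rule keys on the Temp<N>_*.zip path pattern rather than on the .xll extension alone.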

Code Sample

The moment most have probably been waiting for: I am providing a code sample of my developed XLL runner, limited to just those parts discussed here in the Tradecraft section. It will be on the reader to actually get the code into an XLL and implement it in conjunction with the rest of their runner. As always, do no harm, have permission to phish an organization, etc.

Compiling and setup

I have included the source code for a program that will ingest a file and produce hex which can be copied into the byte arrays defined in the snippet. Use this on the XLSX you wish to present to the user, as well as on the ZIP file containing the folder which holds that same XLSX, and store them in their respective byte arrays. Compile this code using:

gcc -o ingestfile ingestfile.c

I had some issues getting my XLLs to compile using MinGW on a Kali machine, so I thought I would post the commands here:

x64

x86_64-w64-mingw32-gcc snippet.c 2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/x64/XLCALL32.LIB -o importantdoc.xll -s -Os -DUNICODE -shared -I 2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/

x86

i686-w64-mingw32-gcc snippet.c 2013_Office_System_Developer_Resources/Excel2013XLLSDK/LIB/XLCALL32.LIB -o HelloWorldXll.xll -s -DUNICODE -Os -shared -I 2013_Office_System_Developer_Resources/Excel2013XLLSDK/INCLUDE/

After you compile, you will want to make a new folder and copy the XLL into that folder. Then zip it using:

zip -r <myzipname>.zip <foldername>/

Note that in order for the tradecraft outlined in this post to work, you are going to need to match some variables in the code snippet to what you name the XLL and the zip file.

Conclusion

With the dominance of Office Macros coming to a close, XLLs present an attractive option for phishing campaigns. With some creativity they can be used in conjunction with other techniques to bypass many layers of defenses implemented by organizations and security teams. Thanks for reading and I hope you learned something useful!


