Uncommon office malware stagers

Published in

CSG @ GovTech

8 min readApr 4, 2022

In my previous article on adversary simulation, I discussed the TTPs (Tactics, Techniques and Procedures) used to deliver a simulated malware attack. This article serves as a continuation and will introduce different techniques used to deliver a simulated malware attack. There are three parts to this article: 1) I will first discuss recent techniques used by malware campaigns; 2) I will next explore the different approaches to creating office malware without the usage of macros; 3) I will finally share innovative approaches to deliver malware with the use of uncommon Microsoft Office file formats, and how we could mitigate such attacks.

Current trends in Microsoft Office malware

Macros are commonly used in malware and embedded in Microsoft Office file formats such as doc, docm, xls and xlsm. Although macros may be effective in delivering malware, these file formats are heavily inspected by security products for malicious behaviour.

To reduce chances of being recognised as a malware, adversaries may choose uncommon Microsoft Office file formats to embed their malware. In recent months, malware campaigns (Agent Tesla and Dridex malware) have been using Excel add-ins (.xll) to deliver their malware. Other malware campaigns have also been abusing PowerPoint add-ins (.ppam) to deliver their malware.

The next section will explore how proof-of-concept (POC) malware files can be created in .xll and .ppam file format.

Creating Excel Add-ins(.xll)

Excel add-ins extend Excel functionality and allow users to add custom Excel functions running on C# code. When the Excel add-in is clicked, a warning prompt pops up to ask if the user wants to enable the add-in for the current session. A user who enables the add-in will load the custom Excel functions and will be at risk of running malicious code.

To create Microsoft Office add-ins, you will need to first install the Office/Sharepoint development pack in Visual Studio.

Next, create a class library in .NET Framework, install the Excel-DNA package in package manager, and include the following sample code from excel-dna.net.

Creating a Class Library project in Visual Studio

In this POC example, I added extra C# code in the SayHello Excel Function to download a PowerShell script from a remote website. I then stored it in the start-up folder. Dropping files into the start-up folder is a common technique used by adversaries to establish persistence and execution of the malware on a victim’s machine. The “malicious” PowerShell script would then be executed every time the user logs in.

When the Excel custom function was executed, the .ps1 file from the remote site was not downloaded. This could be due to a protection mechanism by Microsoft Office to prevent malicious files from being downloaded.

I was able to bypass the protection mechanism by changing the file format of the downloaded file format from .ps1 to .txt.

Alternatively, an adversary may choose to hardcode the malicious payload in the C# project and write to a file in the start-up folder, as shown below.

Writing PowerShell code into .ps1 in Startup folder

Creating PowerPoint Add-ins(.ppam)

Next, I created a Powerpoint add-in by referencing the guide from bettersolutions. The .ppam is a PowerPoint add-in which is capable of running custom PowerPoint functionality through macros.

Similarly, I added extra VBA code to drop a PowerShell script into the start-up folder.

Sample VBA code to write malicious content to start up folder

When the user loads and executes the custom PowerPoint add-in, the macro would drop a malicious PowerShell script into the user’s start-up folder.

Other uncommon Microsoft Office file formats

Now that I managed to recreate the two file formats used in malware campaigns, I wanted to explore if other Microsoft Office file formats could be used to deliver malware without utilising macros.

Looking through the list of Microsoft Office templates in Visual Studio, I found that add-ins were not limited to .xll and .ppam and could be created in different file formats. In the next section, I will explore the creation of malware stagers in .vsto and .xlt file formats.

Creating PowerPoint VSTO Add-ins(.vsto)

Creating a VSTO add-in allows developers to customise events in the Microsoft Office application and calls on any of the existing classes in the .NET Framework. During the delivery of the VSTO add-in, it also needs to be accompanied by its application manifest and .dll file.

When the user installs the PowerPoint VSTO add-in, it will be added as a COM add-in into Microsoft PowerPoint. The COM add-in will then be loaded upon subsequent usage of Microsoft PowerPoint. This is different from the previous two examples where the add-in lasts only for the session. This could be a useful “feature” for adversaries to gain persistent execution in the victim’s machine since the malicious code would be executed every time the user interacts with Microsoft PowerPoint.

In this PowerPoint add-in POC, I customised the new presentation slide event handler. When the user creates a new presentation slide, a text message will be inserted into the new slide. The code then downloads a malicious payload and saves it in the user start-up folder.

Creating Excel VSTO Template(.xlt)

Although VSTO files are useful in ensuring persistency in the victim’s machine, the icons and file formats are not well known to end-users. This might make it challenging to trick users into installing the VSTO add-in. This is why we explored the creation of Excel VSTO template, which could be presented to users as a “normal” Excel document.

In the image below, I added C# code to drop a PowerShell file into the start-up folder whenever the Excel Template was opened.

Similar to Excel add-in (.xll) file format, the Excel VSTO template only worked when the user ran the malicious template. However, the user will only be warned the first time they install the add-in.

PowerPoint parasite for stealth persistence

While reading up on COM add-in related research, I came across a blog post by Vincent Van Mieghem. He shared his idea of silently installing the COM add-in without requiring user interaction. This, however, required the execution of a script to set the registry keys and values modified by the VSTO add-in. In the image below, I modified his script to work on a Microsoft PowerPoint add-in.

PowerShell script to set the registry key and values

To ensure that the malicious code gets executed during the launch of Microsoft PowerPoint, I moved the code from the new slide event to the add in the start-up event. This event will be triggered whenever Microsoft PowerPoint is being loaded. This was because COM add-ins were automatically loaded whenever the application is launched.

Malicious code moved to addin_startup handler

The malicious code will now be launched whenever the user launches Microsoft PowerPoint. This technique still required the user to launch Microsoft PowerPoint manually. So, instead of waiting for the user to run PowerPoint, we could automate the launch of PowerPoint by dropping a PowerShell script in the start-up folder. This script will stealthily load PowerPoint as a COM object in the background and execute the malicious code in the COM add-in.

PowerShell script to launch PowerPoint COM object silently

The demo simulates the execution of the PowerShell script when the user logins. It is worth noting that the user would not have a visual indication of Microsoft PowerPoint launching.

Conclusion

1. In this article, I have demonstrated different Microsoft Office file formats which may be useful in adversary simulation. As these file formats are not your usual suspects for malicious behaviour, they may face less scrutiny from security products.

2. Although only four file formats were shared in this article, other Microsoft Office add-ins can be used to interact with Microsoft Office Suite (e.g. Outlook VSTO add-in, Sharepoint VSTO add-in). This may be an avenue worth exploring.

3. System administrators should consider blocking or restricting Microsoft Office add-ins and digitally signed macros to trusted publishers.

4. Users should not download and open files from unknown sources.