MS Office’ Default Function Can Be Used to Create Self-Replicating Malware

Italian security researcher Lino Antonio Buono discovered a security flaw that affects almost all versions of Microsoft office. As per the findings of Buono, this vulnerability can let hackers create and distribute macro-based, self-replicating malware and hide it behind unsuspecting MS Word documents.

Buono, who works at InTheCyber, explained that a self-replicating malware could allow the macro to keep writing more macros. Although this isn’t a new type of threat and Microsoft has already developed and introduced security mechanism that can limit the malware’s functionality, but the flaw shared by Buono can allow an attacker to evade the security controls of Microsoft easily.

However, Microsoft doesn’t regard it as a security issue when Buono tried to inform the company about the threat on October 17th. Microsoft claims that the feature is designed to function like this, but this is the same excuse that Microsoft gave for the DDE feature, which is the eye-candy of malicious threat actors nowadays.

Furthermore, the tech giant pointed out that all external and untrusted macros will be disabled by default as per the latest change in the settings of macros. This limits the macros’ default access to Office VBA project model. Users need to manually enable external macros by clicking on “Trust access to the VBA project object model.” This setting allows MS Office to automatically trust all macros and run the code without displaying security warning or asking for user’s permission for running it.

But, Buono identified that this particular feature could be enabled or disabled simply by editing the registry in Windows. This leads to enabling all the macros to write more macros without asking or notifying the user. Eventually, the victims get exposed to all macros-based attacks and unintentionally spread the malware by sharing infected documents with other users.

Trend Micro also published a report on November 22nd to inform about the discovery of a new macro-based self-replicating malware, which has been dubbed as “qkG.” Surprisingly this malware also exploits the same feature of MS Office that the malware discovered by Buono does.

When Trend Micro researchers assessed qkG malware samples uploaded by somebody from Vietnam on VirusTotal, they realized that the malware looked more like an “experimental project or a proof of concept” instead of an actively used malware. It was also revealed in the report that qkG ransomware uses a technique that allows execution of malicious macros once the MS Word document is closed. This technique is known as Auto Close VBA macro.

qkG is the first ransomware that scrambles one file type or file and one of the few file-encrypting malware that has been written in Visual Basic for Applications macros. Also, it is unique because unlike regular ransomware that use macros only to download ransomware, it employs malicious macro codes, which is a technique used by .lukitus, a variant of Locky ransomware. Both ransomware executes malicious macro when the document is closed, but .lukitus’ macro codes not only retrieve but also execute the ransomware to encrypt targeted files saved on the targeted device.

The newest sample of qkG ransomware shows that it includes a Bitcoin address bearing a brief ransom note with the asked amount of $300 in BTC written on it. Further probe revealed that no payments had been made at this Bitcoin address yet, which highlights that the ransomware hasn’t targeted anyone as yet while the ransomware still uses the default hardcoded password: “I’m QkG@PTM17! by TNA@MHT-TT2.”

Buono shared a video to demonstrate the way his identified flaw works. In this video, it can be seen how an MS Word document containing malicious VBA code is used to distribute the multi-stage, self-replicating malware.

Though this method hasn’t been used by hackers as yet if they do, it will become very difficult to deal with the situation given that it exploits a legitimate MS Office feature and a majority of antivirus software doesn’t issue a warning or block VBA code based MS documents. Microsoft also has no plans of releasing a patch to reduce the impact of a threat as it doesn’t even consider it a threat.

Therefore, Buono has provided some helpful solutions to mitigate the threat. He urges that users move the AccessVBOM registry key from the HKCU hive to HKLM so that only the system admin can edit it. Lastly, users must never click on links embedded in uninvited documents received through emails without properly verifying the sender.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.