
LAMBDA Malware: The Hidden Threat In Excel Spreadsheets by Yonatan Baum and Daniel Wolfman

BSides Dublin · 2023 · 26:34 · 194 views · Published 2023-07
Category: Technical
Style: Talk

Transcript [en]

So, this is "LAMBDA Malware: The Hidden Threat in Excel Spreadsheets". The talk is about research I conducted in which I managed to find a new technique for embedding malicious scripts in Excel documents.

Let's begin with some of the formalities. My name is Jonathan Baum. I work for Mimecast as a security researcher on the research team. Mimecast is a cloud-based email security company; we are protecting over 17 million end users worldwide, and my team in particular is in charge of researching attack trends and new types of threats when it comes to email.

When it comes to email, one of the most common attack vectors for initial access is the phishing email. One common approach would be to send an email prompting the user to click on an attachment that will then execute malicious code, specifically VBA code. VBA is a programming language by Microsoft allowing users to code automations and scripts that expand the capabilities of Microsoft Office products. This sample in particular is set to execute once the document is opened; it then spawns a PowerShell process executing commands from a remote server.

Now, if you've been in for the previous talk, you've heard that attachments are rarely used in real-world attacks. One reason would be file scanning. Here's a screenshot from VirusTotal. It is an antivirus aggregator: anyone can upload a file sample to it, it will be checked against about 60 different antivirus engines, and a minute later you will receive a report indicating how many and which engines marked it as malicious. So for the above example, we have 40 out of 60 engines that have marked the macro as malicious. So a malicious macro, in theory, is enough for a script kiddie to troll some of his friends, but not sufficient to attack any serious organization.

Through the research I managed to find a technique for embedding malicious scripts that goes from 40 detections to zero. I want to say this again: if your organization is using an
antivirus tool to scan incoming attachments, it is incredibly likely that they could use this technique to attack you, and you would have no way of knowing. In the upcoming talk you're about to understand how we did it, the research process, and some of my final thoughts about mitigating these types of threats.

So let's go back to late 2022, when Microsoft announced this feature, the Excel LAMBDA. Now, maybe you're not as much of an Excel enthusiast as I am, and you don't find new features for Excel such an exciting thing. However, for a resourceful hacker, a new feature in software could mean the difference between successfully infiltrating an organization or not, and lambdas are crucial for our research, so let's delve into it for a bit.

Lambdas are essentially a way for the user to create custom functions, expanding the existing formula set of Excel. So say you want to have a function that converts from Fahrenheit to Celsius: using the interface, you give it a name, you define the calculation you'd like to make, and from that point on, anywhere in the document, you can call your lambda just like you would call any other formula function, like SUM, AVERAGE, etc. OK, lambdas are great because they can handle strings, and they can calculate the price of a product after a discount; essentially they are a way for you to tailor Excel to your specific needs. So if you also have a D&D adventure and you'd like a way to calculate the exact damage a longbow shot inflicts on an enemy, with lambdas you can do that, just like that.

As for more of the specifics of lambdas: they are accessible to anyone regardless of coding knowledge, unlike the previously mentioned VBA macros; the syntax is incredibly simple, it is based on formulas; you can call other lambdas defined in the document, and it even supports recursion. Finally, they come with plenty of helper functions. If you're familiar with, let's say, Python, you may have heard of map, reduce, and
filter. All of those are built-in functions that enhance the usage of lambdas; Excel provides all of those, as well as functions like MAKEARRAY, which is used to help users quickly and easily populate entire tables with lambdas.

Now, just to be clear, lambdas are first of all awesome, and they don't only mean incremental value for a specific use case. They can do that, if that's what you're into, but I also mean we can now take Excel to a whole new level. For example, here's me creating the Mandelbrot set using lambdas. The Mandelbrot set is a graph shaded by applying the same calculation over and over again, recursively, many, many times over the grid, creating this particular shape. Making this shape using plain Excel was virtually impossible before lambdas; after lambdas were introduced, you can do it just like that.

So what does it all have to do with our research? When we first learned about lambdas, our team figured it might be possible, theoretically, for a hacker to somehow exploit this new feature, and so we constructed a war-game research in which I acted as the hacker, researching lambdas and finding ways I can incorporate them for malicious purposes.

Now, whenever I'm conducting research, it is important for me to lay down my goals and my assumptions. As for the goal: I'd like to infect one of my teammates' machines using lambdas, and I'd also like to do it without being detected, which is important because, as we've seen before and as was mentioned earlier, most organizations are scanning incoming attachments, and if the file is found to be malicious, you won't get through, so it won't be helpful at all.

As for the assumptions: I assumed, first, that macros are enabled. This could be due to a configuration error on the organization's part, or maybe some sort of social engineering technique tricking the user into enabling the macros. I assumed that executing malicious PowerShell is a valid proof of concept, so that I don't have to compile an exact virus
tailor-made for the specific model of my teammate's machine; just any PowerShell command. If I can execute PowerShell, I can open a reverse shell, and for a hacker a reverse shell is more than enough for getting initial access to a network. I assumed that VirusTotal is a decent indication for stealth. This goes for the defensive part: when uploading our samples to VirusTotal, we receive a numeric score for how many engines marked them as malicious. Having a numeric score allows us to know how many of the most highly respected antivirus engines in the industry marked our samples as malicious, and if it could go all the way down to zero, it means we can infiltrate and overcome any scanning tool out there, almost. Finally, I assumed that no sandboxing is involved. There are several reasons why sandboxing is out of scope for this particular research; mainly, sandboxing and dynamic analysis are both highly resource-intensive and expensive for the organization to deploy, and so most organizations don't actually sandbox every incoming attachment.

Now, once I had my goals and my assumptions laid out in front of me, I began my research, attempting to find ways in which I can incorporate lambdas in Excel's code execution mechanism, specifically leading me in the direction of Excel 4.0 macros. These are an older implementation of the concept of macros in Excel, predating VBA, and are implemented as a special, unique type of spreadsheet in which each cell contains a different instruction. You don't have to understand the exact syntax going on here; just notice how it looks and acts just like a spreadsheet. Now, Excel 4.0 macros, just like VBA macros, are very powerful: they can read and write files to the file system and execute binaries, making them much beloved by hackers and very well known to the security community, meaning that alone they won't suffice for bypassing any antivirus engine. One nice thing to note
about Excel 4.0 macros is that while cells may contain instructions, they may also contain values and formulas, and I'm thinking: how about lambdas? And so I constructed my first experiment. I wrote a simple Excel 4.0 macro that does the exact same thing as the VBA macro we've seen earlier: it spawns a PowerShell process and runs commands from a remote server. I uploaded it to VirusTotal, resulting in 17 detections; this would be our control group. Then I created a new lambda that does absolutely nothing but return the exact same payload as before, the "powershell blah blah blah". Then I substituted the hard-coded payload in my Excel 4.0 macro with my lambda, such that once executed, GetPayload would evaluate to the payload, "powershell -c blah blah", which would then be executed by the EXEC instruction of the Excel 4.0 macro. I hit run to make sure it works and uploaded it to VirusTotal, resulting in seven detections, meaning that already, by simply substituting a hard-coded payload with a lambda, I managed to fool 10 of the most highly respected antivirus engines out there, because they did not know how they can possibly handle lambdas, a feature that was publicly available since late 2022, and was announced and in development years before that. Already great progress, but I'd like to go down even further, all the way down to zero, and to do that I need to research the way antivirus engines differentiate between malicious macros and non-malicious ones.

Now, every engine is quite different, and one technique that I'll actually discuss today is called data flow analysis. Let's see it in action. We'll examine this VBA code: it defines a few variables and then executes a binary. The binary could either be Word, which is not malicious by any means, or PowerShell, which should be considered malicious. Now let's see the exact same macro from the perspective of an antivirus engine. Rather than looking at the code as a bunch of lines, it converts
it into a graph, a control flow graph, in which each node contains a different instruction of the code. Once the code is converted into the graph, the engine would examine it, looking for any possibly suspicious functions, in particular the Shell function, which can execute binaries. Then the engine evaluates the graph node by node, paying special attention to changing variables and values. Once the engine reaches Shell, it will examine the content of exec, noticing its value is PowerShell, meaning that the macro is malicious.

In fact, the absolutely most important thing to understand about data flow analysis is that the more complex a piece of code is, the larger and more difficult to evaluate its corresponding graph becomes. Enter a technique called obfuscation, something utilized by malware authors for, really, decades. Essentially they are spaghettifying the code as much as possible, to make it as difficult as possible for engines to evaluate and then detect, sacrificing performance for stealth, beginning an arms race between malware authors and detection engines, each one trying to outdo the other in sophistication. Now, as previously mentioned, today, more or less, it can be said that the engines have the upper hand: they can detect just about any malicious macro out there, overcoming even the most complex obfuscations using highly intelligent algorithms and plenty of resources.

And I theorized: maybe I could use lambdas to tip the scale in my favor as the hacker. Let's understand how I did it. I wanted to exploit the fact that Excel's lambda evaluation engine is amazing: it is highly optimized, near instant; you can even say it is excellent. Thank you. No, no, it's fine, it's fine. It is so incredible and near instant, I bet it could easily outperform even the most sophisticated of evaluation engines. To make it work, I had to first figure out where in the document itself lambdas are stored. Lambdas are stored in an inner XML file called
workbook.xml, and then I wrote a program that automatically created lambdas for me in the XML file, getting hundreds and thousands of lambdas, each calling the others in very deep recursion, making decisions about the next step dynamically and in difficult-to-predict ways. Here's me scrolling through the list of lambdas using the interface, and while I don't have the exact corresponding graph for it, here's a rough approximation of it. Now, to make it all work, I gave my lambdas another purpose: not only being as complex as possible, but also implementing a symmetric cipher. There's nothing fancy going on here, just a simple Excel file, meaning that I can give it a string input on one end that would become encrypted on the other end, and I could give it an encrypted input that will become decrypted once passing through the lambdas again. We'll see in a second why that's important.

Then I took the same Excel 4.0 macro from the control group, I moved the payload to a different cell, using it by reference, and I encrypted it using my lambdas. And here's why I did that: now, whenever an engine would examine the Excel file, the word PowerShell, or any other possibly suspicious string, is nowhere to be found. There is no way for an engine to know that the document has anything to do with PowerShell without evaluating and executing my generated lambdas for decrypting the payload. Then all that was left to do was add a call to start the first lambda in the chain I previously generated, such that when evaluated, it would evaluate to the decrypted payload, which would then be executed. I hit run to make sure it works and uploaded it to VirusTotal, resulting in two detections only. We're so close, but we are not quite there yet. At this point I attempted tweaking my technique a bit more, making adjustments and seeing if I can lower the numbers, and I couldn't. Eventually I concluded that it seems like, for some engines, Excel 4.0 macros are always a
cause of suspicion, and it makes sense if you think about it, because, as I did mention, Excel 4.0 macros are absolutely ancient, released in 1995. It makes sense for an engine to go: wait, why is this Excel document using Excel 4.0 macros, which are ancient and never used? Something must be going wrong; I'm marking it as malicious. For my intentions, it meant that I had no choice but to find a different approach for executing my code, leading me back in the direction of VBA. Now, sometimes when you're researching you have to look for a needle in a haystack without even knowing whether or not the needle is actually there, and I had to go through many, many, many pages of documentation looking for any possible function or property of VBA I can use for hiding my code. And after a bit, I came across this particularly interesting and convenient function called ExecuteExcel4Macro. It sounds promising, and it does what it says: it takes a string and executes it just like it would execute an instruction cell of an Excel 4.0 macro. Some adjustments to my lambdas, I hit run, and it worked, resulting in zero detections. Finally, success.

At that point I wrote an email to one of my teammates, sending him the final sample and asking him to click on it, and once he did, all that was left for me to do was to open a port on my machine and wait for him to connect, resulting in a remote shell. I can now execute binaries; I can also, for the purpose of persistency, steal secrets if I wanted to.

OK, now before we move on to the Q&A (we do have time for a Q&A, right? Awesome), I would like to leave you with some of my final thoughts about the research and this type of threat. First, while lambdas are an amazing and game-changing feature for Excel, today's innovation is tomorrow's vulnerability, meaning that hackers can and will go through the exact same process I just showed you, attempting to find new ways to exploit new features in the
software they're protecting. Now, it is quite important to note that we checked and we didn't find any malware or campaigns using lambdas in the wild, but hackers can, and the same principle applies to any new update to software.

And so, as for some of my recommendations when it comes to mitigating this type of threat: for the infosec departments, I would recommend incorporating best practices and limiting users as much as possible. Essentially, if there's no need to use VBA macros for day-to-day work, why even give the user the option of turning them on? For any detection engine, what I would recommend is keeping updated with changes and updates to the software you are claiming to protect, and finding ways to detect malicious activities that are not only reliant on your current understanding of the program and its code, because things may change and hackers may find other ways to exploit the program. I truly believe it is our duty as a security community to protect against all types of threats, old and new. So with that in mind, now would be a good time for questions.

[Audience question about getting access to the slides.] I can send it to you later if you like.

[Inaudible audience question.] OK, yeah, it's a good question. No, lambdas are a standalone feature for Excel; they don't require macros to be turned on at all. You can use lambdas without macros. So calling the VBA requires enabling macros, and the VBA is the one calling the lambdas.

Yeah, any other questions? Yes. [Inaudible audience question.] Oh my god, it's a very interesting question. I don't think so. I know that lambdas are essentially unique to the document itself, so I don't think you can download them from a remote server. I would like to see that happen; could be, yeah.

Yep. [Inaudible audience question.] We just used VirusTotal, no particular reason. Honestly, I have no good answer for that; we just used it because it's what made sense at the time. Also, actually uploading the samples to the community, we figured that's also a good thing. So
yeah. Do we have time for another question?

[Audience question about practically mitigating the threat.] Oh, I think I understand your question: you're asking how I recommend practically mitigating this particular effect. It's a good question. One thing I recommend, and this is something we actually wrote down in our team, is YARA rules that disallow documents that contain both lambdas and VBA or Excel 4.0 macro code. As I mentioned, there are absolutely no documents out there we could find that utilize both lambdas and macro code, VBA or Excel 4.0, and so it would make sense, and you won't have virtually any false positives when blocking all documents that incorporate lambdas as well as VBA and Excel 4.0 macros. So that's, tactically, what I would recommend.

OK, any other questions? Yes. [Audience question about dynamic analysis.] Going back: so, not at all, we didn't do any dynamic analysis; it was just file research, but that's also an interesting direction to go in. I know it's harder to do.

I'm not sure I understand the question. Do you mean what is stopping you from writing super complex VBA code that also results in zero detections on VirusTotal? I would absolutely recommend disabling macros, yes. I don't personally think the reason we haven't seen it in the wild is that it's not feasible, because it's quite, scarily, feasible to make it work; like, you'd be surprised. I also hope it would remain the case that there's nothing in the wild after this talk; don't get any ideas. As for other defensive measures you can take as a blue team, I would say, once again, incorporating best practices: disabling macros entirely, don't even have the option of turning them on. OK, I think we're out of time. OK, over to Daniel.
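The blocking rule the speaker recommends in the Q&A (disallow documents that carry both lambdas and VBA or Excel 4.0 macro code) can be expressed as a small static triage check. The following is an added example written for this page, not code from the talk or from Mimecast. It assumes the standard Office Open XML layout (named lambdas as `definedName` entries in `xl/workbook.xml`, inline lambdas inside `<f>` formula elements of `xl/worksheets/*.xml`, VBA as `xl/vbaProject.bin`, Excel 4.0 macro sheets under `xl/macrosheets/`), and it builds a constructed, minimal container in memory rather than reading a real Excel file, so it runs offline. The function and part names are assumptions, not identifiers from the talk.

```python
"""
Added example for this page (not code from the talk or from Mimecast):
a static check implementing the speaker's recommendation to flag workbooks
that contain both LAMBDA definitions and macro code (VBA or Excel 4.0 / XLM).

Assumptions about the Office Open XML layout, not statements from the talk:
  - named lambdas are <definedName> entries in xl/workbook.xml whose formula
    starts with LAMBDA(
  - inline lambdas appear inside <f> (formula) elements of xl/worksheets/*.xml
  - VBA is stored as xl/vbaProject.bin
  - Excel 4.0 macro sheets are stored under xl/macrosheets/
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

MAIN_NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": MAIN_NS}
NAMED_LAMBDA_RE = re.compile(r"^\s*LAMBDA\s*\(", re.IGNORECASE)
INLINE_LAMBDA_RE = re.compile(r"\bLAMBDA\s*\(", re.IGNORECASE)


def lambda_names(workbook_xml: bytes) -> list:
    """Defined names whose formula is a LAMBDA (the talk's named lambdas)."""
    root = ET.fromstring(workbook_xml)
    return [
        dn.get("name", "")
        for dn in root.findall(".//m:definedNames/m:definedName", NS)
        if NAMED_LAMBDA_RE.match(dn.text or "")
    ]


def inline_lambda_count(worksheet_xml: bytes) -> int:
    """Count cell formulas that call LAMBDA( directly, without a defined name."""
    root = ET.fromstring(worksheet_xml)
    return sum(
        1 for el in root.iter("{%s}f" % MAIN_NS)
        if INLINE_LAMBDA_RE.search(el.text or "")
    )


def inspect_workbook(data: bytes) -> dict:
    """Static triage of an .xlsx/.xlsm byte string. Nothing is evaluated."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        parts = set(z.namelist())
        named = lambda_names(z.read("xl/workbook.xml")) if "xl/workbook.xml" in parts else []
        inline = sum(
            inline_lambda_count(z.read(p))
            for p in parts
            if p.startswith("xl/worksheets/") and p.endswith(".xml")
        )
    has_vba = "xl/vbaProject.bin" in parts
    has_xlm = any(p.startswith("xl/macrosheets/") for p in parts)
    uses_lambda = bool(named) or inline > 0
    return {
        "named_lambdas": named,
        "inline_lambdas": inline,
        "has_vba": has_vba,
        "has_xlm": has_xlm,
        # the speaker's rule: lambdas AND macro code in the same document
        "suspicious": uses_lambda and (has_vba or has_xlm),
    }


def build_workbook(defined_names: dict, cell_formulas=(), with_vba=False, with_xlm=False) -> bytes:
    """Constructed minimal OOXML container for demonstration only.
    It is not a valid Excel file, just the parts inspect_workbook() reads."""
    dn_xml = "".join(
        '<definedName name="%s">%s</definedName>' % (escape(name), escape(formula))
        for name, formula in defined_names.items()
    )
    workbook_xml = '<workbook xmlns="%s"><sheets/><definedNames>%s</definedNames></workbook>' % (MAIN_NS, dn_xml)
    cells = "".join(
        '<c r="%s1"><f>%s</f></c>' % (chr(65 + i), escape(formula))
        for i, formula in enumerate(cell_formulas)
    )
    sheet_xml = '<worksheet xmlns="%s"><sheetData><row r="1">%s</row></sheetData></worksheet>' % (MAIN_NS, cells)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook_xml)
        z.writestr("xl/worksheets/sheet1.xml", sheet_xml)
        if with_vba:
            # constructed stub, not a real OLE/VBA stream
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 stub")
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", '<macrosheet xmlns="%s"/>' % MAIN_NS)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: a lambda-only workbook (allowed under this rule)
    # and a lambda + VBA workbook (the combination the talk describes).
    benign = build_workbook({"FtoC": "LAMBDA(f,(f-32)*5/9)"})
    flagged = build_workbook({"GetPayload": "LAMBDA(k,Decrypt(k))"}, with_vba=True)
    print(inspect_workbook(benign))
    print(inspect_workbook(flagged))
```

Two caveats a practitioner should keep in mind: the check is purely structural and never evaluates a formula, so it does not care how deep the lambda chain is, which is exactly why it is not affected by the lambda-based obfuscation described in the talk; and it only recognises the container layout assumed above, so a malformed or non-standard package, or a legacy .xls file, needs a different parser.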