CYBERSECURITY PADAWAN

In an attempt to curb the ever-increasing macro malware incidence rate, Microsoft has announced that all macros bearing the Mark of the Web (MOTW) attribute will be disabled by default. Effective immediately, all version 2203 Microsoft Office products (e.g., Excel, Visio, Access, PowerPoint, and Word) will benefit from this change, which will become a permanent part of the security baseline for all Microsoft 365 enterprise apps. For now, the policy change is limited to version 2203 Office products, but Microsoft plans on rolling it out for other Office versions such as Office 2021, Office 2016, Office 2013, and Office 2019.

Essentially, all code-packed autorun macros downloaded from the Internet or other sources will be blocked by default if the Office cannot verify source, certificate, or validate against a group policy. This article will document the changes to MS’ security policy on autorun macros, gauge the impact on users and applications, and point out what the future holds for macro malware developers and distributors.

Autorun Macros Disabled – Yesterday’s News or Something Else?

By now, you’re probably wondering why Microsoft puts so much emphasis on something that’s been around since 2016. If you recall, 2016 is the year when Bill Gates’ brainchild first acknowledged the severity of macro malware and decided that the best course of action would be to disable (by default) the autorun macro feature in Office’s Trust Center.

So, what does this mean from the user’s perspective? Each time the user would download and open a macro-injected document, a prompt would appear in the upper part of the screen informing the user about the script and that it was blocked by default.

A timid first towards the right direction, but with one caveat – MS’s Trust Center would allow the user to manually bypass the feature and run the script despite the warning. If the script didn’t originate from a trusted source, pressing that button would be like playing a game of digital Russian roulette.

Fast-forwarding to 2022, Microsoft announces that all the autorun macro function has been disabled for the reason stated in the intro. What’s the difference? According to the feature’s official documentation, this feature prevents the user from running the macro manually. Moreover, this security countermeasure encompasses all attachments retrieved from the Internet or, in some cases, from Restricted Zones.

How Does the New Security Feature Work?

Microsoft has summarized the functions (and functionality) of the new feature in a seven-step flowchart. The graphic explains how Office behaves when the user downloads and attempts to open a document that contains a (runnable) macro.

The mechanism performs various security checks – location (is the location trusted), digital signature (does the document possess a digital signature? Is the Trusted Publisher’s certificate available on the machine?), policies (are there any cloud, ADMX, or group policies that prevent the user from running macros?), recurrence (has this document been marked as trusted in the past?), and default ruling (does Office block macros by default regardless of location, policies, digital signature, and recurrence?).

What this tells us is that any macro downloaded from the Internet or Restricted zone can only be executed on the machine if enabled from group, cloud, or ADMX policies comes from a trusted source, bears a digital certificate, or is not subject to Office’s default ruling. Very straightforward, but easily circumvented under certain conditions.

MOTW’s Impact on Downloaded Files

For that, let’s go back a little to how Office recognizes Internet-downloaded macros. Now, every time you download something from the Internet or another source, regardless if it’s a picture, song, font, .msi executable, or, like in our case, a macro, Windows will append a special attribute to that file called Mark of the Web (MOTW). Two more things you should be aware of:

  1. MOTW is exclusively applied to files originating from untrusted locations.
  2. MOTW attributes are exclusively applied to files saved on NTFS-formatted local storage (doesn’t agree with storage formatted in FAT32).

Commit the last point to mind because it will become essential in the upcoming section where we’ll going to talk about the various implications of Microsoft’s latest security feature. Why is the Mark of Web so important and what does it have to do with macro malware? If you recall the key difference between Microsoft’s macro security addition from 2016 and the one from 2022, you’ll know that running a macro despite warnings is off the table. Not quite – the user can still manually bypass the feature by altering the macro’s security properties.

All you need to do is right-click on the file, select Properties, tick the box next to Unblock under Security, and apply these changes. If your machine runs after a group policy that has yet to define a rule about committing changes to a file’s properties, the aforementioned file will get rubberstamped, which means that it will retain all its functionality, including macros.

This proverbial chink in the armor can render Microsoft’s security efforts useless, since it has, to some degree, fail to eliminate the human factor. So, can a threat actor leverage this limitation to launch even more macro malware?

Malware Distribution, Obfuscation, and Threat Scenarios

Now for the question on everyone’s lips – will the new autorun macro security feature make macro malware come to a grinding stop or not? Perhaps there are those who argue that this ‘wing-clipping’ may dilute macro malware, however, from where I stand, this is the perfect opportunity for threat actors to earn points in creativity. Fat32, for instance; sure, it may be as old as time, but what if it can be used to the threat actor’s advantage?

Many modern systems use NTFS as the default file allocation format, but, as chance would have it, they still support older formats such as exFAT and, yes, even FAT32. With a simple network enumeration, the hacker can sniff out what local storage format you’re using and if it’s okay to hit you with macro malware.

Since the new security feature doesn’t work on FAT32-formatted storage, it’s back to square and some good, old social engineering. Furthermore, as I pointed out in the previous section, poorly governed machines (i.e., devices that either belong to a rule-based group or belong to one with no rules regarding MOTW security) are still prone to this type of attack.

What about digital certificates and Office’s Trust Center? Although (almost) impossible from a cryptographic standpoint (i.e., the attacker would need to gain access to the private key used to digitally sign a document), where there’s a motivated hacker, there is way – three of them actually. According to DarkReading’s article on digital signature forgery, a group of German researchers identified three ways of forging the digital signature of a PDF document.

Albeit not related to our topic, the paper’s findings suggest that the idea of digital signature forging is not only possible but very doable. The researchers managed to alter the PDF’s signature using three types of attacks: USF (Universal Signature Forgery), ISA (Incremental Saving Attack), and SWA (Signature Wrapping). In short, USF is a way to hijack the signature verification mechanism by displaying fake signature validation messages/prompts; ISA means loading a pre-signed document’s incremental update system with garbage, while SWA means gift-wrapping the legit validation around the garbage incremental update resulting in a digitally signed incremental update.

So, if one is able to alter the digital signature of a document, why not do the same with macro-bearing documents? Granted, this is not your run-of-the-mill cryptanalytical attack, but with the right tools and the right amount of social engineering, this endeavor can be orchestrated to perfection. Once the doc’s been digitally signed, all that remains is to nicely ask Office’s Trust Center to make a new entry and that’s it.

Concerning recurrence; according to Microsoft’s documentation, Office will auto-allow macros to run if the document was downloaded from a trusted source at least a couple of times.

Can we say for certain that the source we’ve downloaded a doc two times is the exact same source on our third download? With website spoofing being more common than the cold, we can tell for certain if that’s the same source we’ve used to download other documents. And just like that, your machine can become infected with a macro virus.

Summing up: Office’s latest security feature provides an extra inch of security, but it’s hardly a game-changer. Of course, threat actors will have to ad-lib a lot, which will probably lead to new obfuscation mechanisms.

Cybersecurity Tips and Parting Thoughts

With macro malware here to stay indefinitely, I’ve rounded up my usual list of cybersecurity advice that will help you protect your machines against this type of threat.

  • Keep your AV up to date. Don’t forget that your antivirus is your first and last line of defense against macro viruses and akin.
  • Access governance. ‘Harsher’ group and ADMX policies must be enforced to prevent the user from manually circumventing the MOTW security setting. Heimdal™ Privileged Access Management is the easiest way to expand on your Windows GP, granting you access to more granular control over your rules, policies, and procedures.
  • Cryptographic protection. Ransomware encryption protection software can detect any and all changes made to a file’s digital signature and prevents the machine from running that file or, in our case, that document.
  • Verify the page’s SSL certificate. For extra protection against website spoofing, be sure to verify the website’s SSL certificate each time you access it. Look for the padlock icon next to the URL.

Come spring (April) Microsoft will be rolling out the new security feature for the aforementioned products. For the time being, only version 2203 apps will benefit from those changes, with plans to ramp up to other Office versions. Unfortunately, the new feature will not be available for non-Windows machines (e.g., Mac Office, Office for Android or iOS, and Web Office). This concludes my article on macro malware and MOTW security. If you’ve enjoyed it, don’t forge to subscribe and comment.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Heimdal CyberSecurity & Threat Intelligence Report 2021

Excel 4.0 Macros Will Be Disabled in Order to Protect Users

Experts Warn of a New Technique that Disables Macro Security Warnings in Malicious Office Files

Heimdal™ Security’s Lost & Found Bin – The Macro Virus

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP