Trick tested only with Excel exploits for now

Jul 19, 2016 21:10 GMT  ·  By

Some of Gmail's security features that are responsible for detecting malicious macros can be bypassed simply by splitting "trigger words" in half or across lines, security researchers from SecureState have discovered.

Macros are script snippets attached to Office documents that, if the user allows it, can execute and automate a series of tasks.

Created to simplify various tasks at work, macros have been abused since their earliest days by malware authors to carry out malicious operations that result in the installation of malware on targeted systems.

Microsoft blocked the automatic execution of these scripts, and email providers have started scanning file attachments for documents that contain macro scripts.

SecureState says that Gmail immediately detects an Office document as malicious if the script uses some sensitive words.

Excel files more attacker-friendly than others

In their tests, Gmail identified an Excel file as malicious when the exploit code contained the word "powershell," a very powerful Microsoft scripting utility, which macros might call to interact with the underlying Windows OS.

To their surprise, separating the word, either by placing it on two lines or by splitting it into two strings, bypasses Gmail's security filter.

An attacker with knowledge of this trick needs only to adapt their exploit by separating any calls to the PowerShell utility across two different lines, as seen below.

```vba
' The trigger word is split across two assignments so that "powershell" never
' appears as a single string in the macro source. The -Enc argument is truncated
' in the article.
Str = "powershe"
Str = Str + "ll.exe -NoP -sta -NonI -W Hidden -Enc JAB3"
```

Furthermore, SecureState's researcher Mike Benich adds that Gmail also detects as malicious any macro scripts inside Excel files that trigger on the "workbook open" function.

The researcher says he was able to bypass this security feature as well, just by moving the exploit code under a button.

The malicious code would not execute as soon as the user enabled macros/editing inside a tainted Excel document, but only after they pushed another button.

Since Excel files can be quite complex, it is not too hard to imagine a user clicking a button to summarize some complex table as a chart, so the social engineering in Excel files is not that hard to carry out.
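Both evasions described above (splitting a trigger word across concatenated strings, and moving the payload from Workbook_Open to a button handler) defeat a filter that only searches the raw macro text for keywords. The following scanner is an added example, not code from the article or from SecureState: it folds VBA string concatenation before matching, and it reports which procedure the code is wired to, so a button-click handler that shells out is flagged just like an auto-exec one. The sample macros, the trigger-word list and the handler list are constructed for the example and would be fuller in a real scanner.

```python
import re

# Constructed sample macros, not taken from a real attachment. The first one
# uses both evasions the article describes: the trigger word is split across
# two assignments and the code runs from a button handler instead of
# Workbook_Open. The second is the straightforward form a keyword filter catches.
SPLIT_MACRO = '''
Private Sub CommandButton1_Click()
    Dim Str As String
    Str = "powershe"
    Str = Str + "ll.exe -NoP -W Hidden"
    Shell Str
End Sub
'''

PLAIN_MACRO = '''
Private Sub Workbook_Open()
    Shell "powershell.exe -NoP -W Hidden"
End Sub
'''

# Assumed watch lists for this example; a real scanner would use a fuller set.
TRIGGER_WORDS = ("powershell", "cmd.exe", "wscript.shell")
AUTO_EXEC = ("workbook_open", "auto_open", "document_open", "autoopen")

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
PROC_RE = re.compile(r'^\s*(?:private\s+|public\s+)?sub\s+(\w+)', re.IGNORECASE)
# A VBA string literal ("" inside it is an escaped quote), an identifier, or a
# concatenation operator; anything else on the line is skipped.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|([A-Za-z_]\w*)|([&+])')


def fold(expr, env, strict):
    """Join string literals and known variables in a VBA expression.

    strict=True (used for assignments) returns None when any token cannot be
    resolved statically, so only fully known values enter env. strict=False
    (used to scan a whole line) keeps unknown identifiers as padded names.
    """
    parts = []
    for m in TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            parts.append(m.group(1).replace('""', '"'))
        elif m.group(2):
            name = m.group(2).lower()
            if name in env:
                parts.append(env[name])
            elif strict:
                return None
            else:
                parts.append(f" {name} ")
    return "".join(parts)


def scan_macro(source):
    """Return trigger words found after folding concatenation, plus the
    procedures the code is wired to (auto-exec handlers and button clicks)."""
    env = {}
    triggers = set()
    handlers = []
    for line in source.splitlines():
        proc = PROC_RE.match(line)
        if proc:
            name = proc.group(1).lower()
            if name in AUTO_EXEC:
                handlers.append(f"auto-exec:{name}")
            elif name.endswith("_click"):
                handlers.append(f"button:{name}")
        assign = ASSIGN_RE.match(line)
        if assign:
            value = fold(assign.group(2), env, strict=True)
            if value is not None:
                env[assign.group(1).lower()] = value
        # Fold the whole line with the variables known so far, so "Shell Str"
        # is checked against the reassembled value of Str.
        folded = fold(line, env, strict=False).lower()
        for word in TRIGGER_WORDS:
            if word in folded:
                triggers.add(word)
    return {"triggers": sorted(triggers), "handlers": handlers}


def naive_keyword_scan(source):
    """The filter behaviour the article describes: look for the raw words only."""
    low = source.lower()
    return sorted(w for w in TRIGGER_WORDS if w in low)


if __name__ == "__main__":
    for label, macro in (("split", SPLIT_MACRO), ("plain", PLAIN_MACRO)):
        print(label, "naive:", naive_keyword_scan(macro), "folded:", scan_macro(macro))
```

The naive scan finds nothing in the split macro and "powershell" in the plain one; the folding scan finds "powershell" in both and additionally reports that the split macro is attached to a button-click handler rather than Workbook_Open, which is the signal a filter needs once it stops relying on the open event alone. The folder handles literals joined with `&` or `+` and variables built up over several assignments; it deliberately gives up (strict mode) on anything it cannot resolve statically, such as function calls, rather than guessing.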

Gmail detecting an Excel file containing an exploit that includes the "powershell" term

Splitting "trigger" words bypasses Gmail security filters