Researchers create tool that helps create malicious docs

May 6, 2019 04:32 GMT  ·  By

The notorious Clippy is back eviler than ever, as security researchers developed a tool that helps red teamers and security testers as they work on creating malicious Microsoft Office documents.

Outflank experts showcased the tool at BlackHat Asia, and in a technical analysis they explain that the so-called Evil Clippy can bypass antivirus apps using a complex approach that involves VBA stomping.

The researchers explain that the method abuses a feature that is not officially documented: in their words, the “undocumented PerformanceCache part of each module stream contains compiled pseudo-code (p-code) for the VBA engine.”

Evil Clippy, which can run on Windows, Linux, and macOS, can hide VBA macros from the GUI editor, fool analysis tools, serve VBA stomped templates via HTTP, and set and remove VBA project locked/unviewable protection in Office documents.

“Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files, and hereto abuses MS-OVBA specifications and features. It reuses code from Kavod.VBA.Compression to implement the compression algorithm that is used in dir and module streams (see MS-OVBA for relevant specifications),” the security researchers explain.
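As an added illustration, not code from the article or from Outflank's tool, here is a Python sketch of the defensive check those two quotes point at: it decompresses a module stream's source with the MS-OVBA compression algorithm used in dir and module streams, splits the stream at its MODULEOFFSET into the PerformanceCache (p-code) and the compressed source, and flags a module whose p-code is present but whose source carries no code. The decompressor follows the public MS-OVBA specification; compress_literals, stomping_indicator and the sample bytes are constructed here, and reading the CFB container and dir stream to obtain the module offset is left out.

```python
def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (how VBA source is stored in a module stream)."""
    if data[:1] != b"\x01":
        raise ValueError("missing MS-OVBA container signature byte")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature")
        end = min(len(data), pos + (header & 0x0FFF) + 3)  # CompressedChunkSize includes the header
        pos, chunk_start = pos + 2, len(out)
        if not header & 0x8000:                             # flag 0: chunk stored raw (4096 bytes)
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not (flags >> bit) & 1:                  # literal token: copy one byte through
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")  # copy token: back-reference
                pos += 2
                bits = max((len(out) - chunk_start - 1).bit_length(), 4)  # = max(ceil(log2(n)), 4)
                length, offset = (token & (0xFFFF >> bits)) + 3, (token >> (16 - bits)) + 1
                for _ in range(length):                     # byte-wise copy so overlaps work
                    out.append(out[-offset])
    return bytes(out)

def compress_literals(src: bytes) -> bytes:
    """Constructed helper: a valid MS-OVBA container using literal tokens only (no copy tokens)."""
    out = bytearray(b"\x01")
    for i in range(0, len(src), 3640):   # 455 groups of 8 literals keep each chunk <= 4098 bytes
        body = b"".join(b"\x00" + src[j:j + 8] for j in range(i, min(i + 3640, len(src)), 8))
        out += (0xB000 | (len(body) - 1)).to_bytes(2, "little") + body  # size field = chunk size - 3
    return bytes(out)

def stomping_indicator(module_stream: bytes, module_offset: int) -> dict:
    """Split a module stream at MODULEOFFSET (from the dir stream): p-code before, compressed source after."""
    source = decompress_vba(module_stream[module_offset:]).decode("latin-1")
    code = [l for l in source.splitlines() if l.strip() and not l.lstrip().startswith(("Attribute ", "'"))]
    return {"pcode_bytes": module_offset, "source_lines": len(code), "suspicious": module_offset > 0 and not code}

# Constructed samples: 64 zero bytes stand in for the PerformanceCache, then the compressed source.
STOMPED = b"\x00" * 64 + compress_literals(b'Attribute VB_Name = "Module1"\r\n')
INTACT = b"\x00" * 64 + compress_literals(b'Attribute VB_Name = "Module1"\r\nSub Demo()\r\nEnd Sub\r\n')
```

A real check would also compare the p-code against the source, since a stomped module can carry decoy source rather than none; this heuristic only catches the empty-source case.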

An in-depth look at Evil Clippy can be found on the page linked above.

What Microsoft needs to do

While Evil Clippy could raise particular concerns for Microsoft Office users, the team of security experts notes that the purpose of the tool is to call on the Redmond-based software giant to further enhance protection against malicious macros in its productivity suite.

“Evil Clippy only scratches the surface of issues resulting from the gap between official Microsoft specifications on VBA macros (MS-OVBA) and its actual implementation in MS Office. Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial,” they explain.

The source code of Evil Clippy is already available on GitHub here.