Pierluigi Paganini
January 31, 2019
A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution. In this specific case the downloaded Malware happens to be a variant of NanoCore RAT, but this is not my point for today. If you are interested in the Malware analysis of now.exeplease read here.
At that time the attacker forced the Dynamic Data Exchange (DDE) protocol for interprocess communication supported by Microsoft Excel, LibreOffice and Apache OpenOffice. For example the following formula on OpenOffice will run calc.exe (CVE-2014-3524).
=DDE("cmd";"/C calc";"__DdeLink_60_870516294")On Microsoft Excel the same result can be reached by introducing the following formula:
=cmd|' /C calc'!A0While OpenOffice and LibreOffice patched this vulnerability in the following versions: OpenOffice-4.1.1 (ref here) and LibreOffice-4.3.1 (ref here), Microsoft decided to allow this behaviour by introducing two user “warnings”.
These warnings recommend that the user shouldn’t click if he does not trust the source of the file…. here we go! What about if you received this file from google spreadsheet? Ok, maybe, none in the cybersecurity community will definitely trust a spreadsheet coming from a random GoogleSheet user, but maybe many people out there would trust GoogleSheet without wondering who really sits behind of the shared document.
In 2019 the most interesting thing about this technique is the ability to bypass Google filters. By implementing .csv dropper technique an attacker could easily use Google Sheets as a Malware vector. Although Google implements sophisticated GMail and gDrive anti Malware techniques in order to avoid Malware spreading over its amazing technologies, for example: before uploading or downloading a file from gDrive google scans them (ref: here) or avoiding specific file type (.exe, .dll, .zip, etc etc) over GMail (read more here), this time seems to be not as much as “sensible” to such an issue. Google has been alerted about this issue but it confirmed that it’s actually an “Intended Behaviour”.
Finally an attacker could send a clear link over an instant message platform and/or over eMail asking to open up a Google Sheets suggesting to the victim to open the spreadsheet locally since “MSExcel compatibility issues”. At that time if the victim downloads the Google sheets and opens up locally (with Microsoft), the attacker might infect her box.
I really hope that Google would -at least try- to avoid to be used as an attack vector as it does with many other technologies, but in the meantime please be aware of this issue and if you receive a link to a not working Google Sheets, please do not download it locally.
Further information, including IoCs,
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″] [adrotate banner=”13″]
