Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass
VBA macros are one of the most extensively abused features of Microsoft Excel, used by adversaries to gain an initial foothold in a target network. Whether the macro code is detected depends on the sophistication of the technique used to deploy the payload. However, the root of the risk remains the inherent nature of Office applications: they offer to execute macros.
Recently Microsoft took a bold step and disabled macros from running in documents downloaded from the internet. This blog covers a few techniques adversaries employ to bypass that restriction and execute malicious macros in documents downloaded from the internet.
Macros are special-purpose programmes used to automate operations within a larger application or piece of software. A macro consists of a set of instructions and operations expressed in a macro language (such as Visual Basic for Applications, or VBA) or a conventional programming language. When a certain trigger fires, the programme automatically executes these commands. Threat actors write malicious code in the same macro language and hide it in documents and spreadsheets distributed over the internet; the code is activated as soon as the file is opened.
In a phishing attack, data downloaded from the internet is handled by a browser application running on Windows. Whenever such data is downloaded, the browser creates an Alternate Data Stream (ADS) named "Zone.Identifier" and adds a "ZoneId" to this stream, representing the zone from which the file originated. Zone IDs are listed in the table below. For more information on URL security zones, refer to this article.
| Zone | ZoneId |
|---|---|
| Local machine | 0 |
| Local intranet | 1 |
| Trusted sites | 2 |
| Internet | 3 |
| Restricted sites | 4 |
We can use PowerShell to query the Zone.Identifier stream data and obtain the assigned ZoneId. As shown in the image below, a lot of information about the file is retrievable, especially its source information such as the URL and host details. The file shown in the image has a ZoneId of 3, which, according to the table above, stands for "Internet". This indicates that malicious.doc was downloaded from the internet.
Security features on Windows use the zone identifier data, through the "Mark of the Web" feature, to distinguish downloaded files from local ones. Here are a few mechanisms that leverage the "Mark of the Web" feature to take action:
In the above instance, when malicious.doc with ZoneId 3 is opened in Word, it opens in Protected View, as shown below:
When non-NTFS (New Technology File System) formats are used as containers to hold a malicious file, the browser cannot create an ADS on the files inside the container. In such cases, the browser fails to assign a ZoneId to the attacker's files, enabling macro execution.
The ".iso" format is a popular container choice for malicious files. Files extracted from an ISO don't have a Zone.Identifier stream, which causes Windows to treat them as local files.
The image below shows that a downloaded ISO file carries the Mark of the Web and is assigned ZoneId 3.
When files are extracted from the ISO to disk, they do not carry any zone identification data, as shown in the following image. Hence, when the stream data is queried, PowerShell throws an error stating that the stream object cannot be found, confirming that the malicious file is categorized as a local file by the system.
When a malicious document extracted from an ISO is opened in Word, the Protected View feature doesn't alert the user. Thus no sandbox protection is offered by Protected View, allowing the malware unrestricted execution on the system.
Adversaries exploit the features of VBA macros to bypass the zone identifier checks employed by Office applications. They execute malicious macros in documents that the browser fails to identify as files from the internet, jumping over security measures to infect target networks. Observing the following mitigation measures could allow users to prevent such attacks:
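As an added example (not code from the CloudSEK post), the PowerShell function below performs the Zone.Identifier query described above, maps the ZoneId to its zone name, and handles the ISO-extracted case where the stream is absent instead of letting Get-Content error out; the folder path in the usage line is a placeholder.

```powershell
# Added example, not code from the original post: report a file's Mark of the
# Web status from its Zone.Identifier alternate data stream. A file with no
# stream (e.g. one extracted from a downloaded .iso) is what Windows treats as
# local, so Protected View will not engage for it.

$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $result = [ordered]@{
            Path = $Path; HasMotW = $false; ZoneId = $null
            Zone = 'none (no Zone.Identifier stream, treated as local)'
            ReferrerUrl = $null; HostUrl = $null
        }
        # Enumerate streams first: files on non-NTFS volumes or extracted from an
        # ISO have no Zone.Identifier stream, and Get-Content -Stream would throw.
        $streams = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue)
        if ($streams.Stream -contains 'Zone.Identifier') {
            $result.HasMotW = $true
            # Stream body is INI-like: a [ZoneTransfer] header followed by Key=Value lines
            foreach ($line in Get-Content -LiteralPath $Path -Stream Zone.Identifier) {
                if ($line -match '^(\w+)=(.*)$') {
                    switch ($Matches[1]) {
                        'ZoneId'      { $result.ZoneId = [int]$Matches[2]
                                        $result.Zone   = $ZoneNames[$result.ZoneId]
                                        if (-not $result.Zone) { $result.Zone = 'Unknown' } }
                        'ReferrerUrl' { $result.ReferrerUrl = $Matches[2] }
                        'HostUrl'     { $result.HostUrl     = $Matches[2] }
                    }
                }
            }
        }
        [pscustomobject]$result
    }
}

# Usage (placeholder path): list files in an extraction folder that carry no
# Mark of the Web and would therefore open in Word without Protected View.
Get-ChildItem -LiteralPath 'C:\Path\To\extracted-iso-contents' -File -Recurse |
    Get-MarkOfTheWeb | Where-Object { -not $_.HasMotW } | Format-Table Path, Zone
```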