Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass

Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass

March 27, 2022
Green Alert
Last Update posted on
February 3, 2024
Beyond Monitoring: Predictive Digital Risk Protection with CloudSEK

Protect your organization from external threats like data leaks, brand threats, dark web originated threats and more. Schedule a demo today!

Schedule a Demo
Table of Contents
Author(s)
No items found.

VBA macro is one of the most extensively abused features of Microsoft Excel, used by adversaries to gain an initial foothold in the target network. The sophistication of the technique leveraged to deploy the payload determines the detection of the macro code. However, the main reason for the risk is still the inherent nature of the Office applications to offer execution of macros. 

Recently Microsoft took a bold move and disabled the macros from running in documents downloaded from the internet. This blog covers a few techniques employed by adversaries to bypass such restrictions and execute malicious macros in documents downloaded from the internet.

What are Macros and how are they used maliciously?

Macros are special-use programmes that are used to automate operations within a larger application or piece of software. Macros consist of a set of instructions and operations expressed in a Macro Language (such as Visual Basic for Applications or VBA) or a conventional programming language. When a certain trigger is fired, the programme will automatically execute these commands. Threat actors write malicious code in the same Macro Language and hide it in documents and spreadsheets, distributed over the internet. Followed by which the code is activated as soon as the file is opened.

Zone Identifier and Security

How Does Windows Identify the Source of the Files?

In a phishing attack, data downloaded from the internet is handled by a browser application running on Windows. Browsers create an Alternate Data Stream named “Zone.Identifier, whenever such data is downloaded and a “ZoneId” is added to this stream, representing the zone from which the file originated. Zone IDs are listed in the table below. For more information on URL security zones refer to this article.

ZoneZoneId
Local machine0
Local intranet1
Trusted sites2
Internet3
Restricted sites4

We can use PowerShell to query the Zone.Identifier stream data to obtain the assigned ZoneId. As shown in the image below, a lot of information on the file is retrievable, especially its source information such as URL and host details. The file shown in the image has a ZoneId of 3. And with reference to the aforementioned table, ID 3 stands for ‘Internet’. This indicates that the malicious.doc is downloaded from  the internet.

This indicates that the malicious.doc is downloaded from the internet.
This indicates that the malicious.doc is downloaded from the internet.

Security implementations on Windows make use of the zone identifier data and utilize the “Mark of the Web” feature, to identify local files from downloaded ones. Here are a few mechanisms that leverage the “Mark of the Web” feature to take action:

  • Windows Smart Screen
  • Protected View in Office Suite
  • Application Guard 
  • Visual Studio untrusted data protection

In the above instance, when malicious.doc with ZoneId 3 is opened on Word, it opens in Protected View as shown below:

In the above instance, when malicious.doc with ZoneId 3 is opened on Word, it opens in Protected View as shown below:

Executing Internet Macros

When non-NTFS (New Technology File System) formats are used as containers to hold a malicious file, the browser will be incapable of creating ADS in files inside the container. In such cases, the browser fails to assign a ZoneId for the attacker files, enabling macro execution.

The “.iso” format is a popular container choice for malicious files. And such files extracted from ISO don’t have a Zone. Identifier stream, which causes Windows to treat it as a local file.

The image below shows that a downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3.

downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3
downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3

When files are extracted from ISO to the disk, they do not have any zone identification data as shown in the following image. Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found. Verifying that the malicious file is categorized as a local file by the system.

Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found.
Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found.

When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user. Thus no-sandbox protection will be offered by Protected View, allowing the malware to have an unrestricted execution on the system.

When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user
When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user

Conclusion

Adversaries exploit the features of VBA Macros to bypass Zone Identifier techniques employed by Office applications. They execute malicious macros in documents that the browser fails to identify as files from the internet, only to jump security measures and infect target networks. Observing the following mitigation measures could allow users to prevent such attacks:

  • A Defense in Depth approach should always be preferred instead of relying on a single defense.
  • It is ideal to enforce Microsoft’s Attack Surface Reduction rules (ASR rules) in an enterprise environment.
  • Do not execute files shipped in suspicious container formats.

Author

Predict Cyber threats against your organization

Related Posts
Blog Image
February 3, 2024

From Discussion Forums to Malware Mayhem: The Alarming Rise of Abuse on Google Groups and Usenet

Explore the escalating wave of cyber threats on platforms like Google Groups and Usenet, uncovering the pivotal role of cybersecurity in safeguarding online discussion forums.

Redirect Chain: Advertisement Services being Abused by Threat Actors to Redirect Users to Malware, Betting, Adult Websites

Threat actors have been abusing advertisement services to serve malware to users and redirect traffic to websites purchasing services from them.

Blog Image
December 29, 2023

Compromising Google Accounts: Malwares Exploiting Undocumented OAuth2 Functionality for session hijacking

A detailed blog on Analysis of the Global Malware Trend: Exploiting Undocumented OAuth2 Functionality to Regenerate Google Service Cookies Regardless of IP or Password Reset.

Join 10,000+ subscribers

Keep up with the latest news about strains of Malware, Phishing Lures,
Indicators of Compromise, and Data Leaks.

Take action now

Secure your organisation with our Award winning Products

CloudSEK Platform is a no-code platform that powers our products with predictive threat analytic capabilities.

Malware Intelligence

min read

Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass

Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass

Authors
Co-Authors
No items found.

VBA macro is one of the most extensively abused features of Microsoft Excel, used by adversaries to gain an initial foothold in the target network. The sophistication of the technique leveraged to deploy the payload determines the detection of the macro code. However, the main reason for the risk is still the inherent nature of the Office applications to offer execution of macros. 

Recently Microsoft took a bold move and disabled the macros from running in documents downloaded from the internet. This blog covers a few techniques employed by adversaries to bypass such restrictions and execute malicious macros in documents downloaded from the internet.

What are Macros and how are they used maliciously?

Macros are special-use programmes that are used to automate operations within a larger application or piece of software. Macros consist of a set of instructions and operations expressed in a Macro Language (such as Visual Basic for Applications or VBA) or a conventional programming language. When a certain trigger is fired, the programme will automatically execute these commands. Threat actors write malicious code in the same Macro Language and hide it in documents and spreadsheets, distributed over the internet. Followed by which the code is activated as soon as the file is opened.

Zone Identifier and Security

How Does Windows Identify the Source of the Files?

In a phishing attack, data downloaded from the internet is handled by a browser application running on Windows. Browsers create an Alternate Data Stream named “Zone.Identifier, whenever such data is downloaded and a “ZoneId” is added to this stream, representing the zone from which the file originated. Zone IDs are listed in the table below. For more information on URL security zones refer to this article.

ZoneZoneId
Local machine0
Local intranet1
Trusted sites2
Internet3
Restricted sites4

We can use PowerShell to query the Zone.Identifier stream data to obtain the assigned ZoneId. As shown in the image below, a lot of information on the file is retrievable, especially its source information such as URL and host details. The file shown in the image has a ZoneId of 3. And with reference to the aforementioned table, ID 3 stands for ‘Internet’. This indicates that the malicious.doc is downloaded from  the internet.

This indicates that the malicious.doc is downloaded from the internet.
This indicates that the malicious.doc is downloaded from the internet.

Security implementations on Windows make use of the zone identifier data and utilize the “Mark of the Web” feature, to identify local files from downloaded ones. Here are a few mechanisms that leverage the “Mark of the Web” feature to take action:

  • Windows Smart Screen
  • Protected View in Office Suite
  • Application Guard 
  • Visual Studio untrusted data protection

In the above instance, when malicious.doc with ZoneId 3 is opened on Word, it opens in Protected View as shown below:

In the above instance, when malicious.doc with ZoneId 3 is opened on Word, it opens in Protected View as shown below:

Executing Internet Macros

When non-NTFS (New Technology File System) formats are used as containers to hold a malicious file, the browser will be incapable of creating ADS in files inside the container. In such cases, the browser fails to assign a ZoneId for the attacker files, enabling macro execution.

The “.iso” format is a popular container choice for malicious files. And such files extracted from ISO don’t have a Zone. Identifier stream, which causes Windows to treat it as a local file.

The image below shows that a downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3.

downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3
downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3

When files are extracted from ISO to the disk, they do not have any zone identification data as shown in the following image. Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found. Verifying that the malicious file is categorized as a local file by the system.

Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found.
Hence when stream data is queried, PowerShell throws an error stating that the stream object cannot be found.

When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user. Thus no-sandbox protection will be offered by Protected View, allowing the malware to have an unrestricted execution on the system.

When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user
When a malicious document extracted from an ISO is opened in Word, the ProtectedView feature doesn’t alert the user

Conclusion

Adversaries exploit the features of VBA Macros to bypass Zone Identifier techniques employed by Office applications. They execute malicious macros in documents that the browser fails to identify as files from the internet, only to jump security measures and infect target networks. Observing the following mitigation measures could allow users to prevent such attacks:

  • A Defense in Depth approach should always be preferred instead of relying on a single defense.
  • It is ideal to enforce Microsoft’s Attack Surface Reduction rules (ASR rules) in an enterprise environment.
  • Do not execute files shipped in suspicious container formats.