Malicious Macros and Zone Identifier Alternate Data Stream Information Bypass

Published on
March 27, 2022

VBA macros are one of the most extensively abused features of Microsoft Excel, used by adversaries to gain an initial foothold in the target network. How readily the macro code is detected depends on the sophistication of the technique used to deploy the payload. The root cause of the risk, however, remains that Office applications execute macros by design.

Recently, Microsoft took a bold step and blocked macros from running in documents downloaded from the internet. This blog covers a few techniques adversaries employ to bypass such restrictions and execute malicious macros in documents downloaded from the internet.

What are Macros and how are they used maliciously?

Macros are special-purpose programmes used to automate operations within a larger application or piece of software. A macro consists of a set of instructions and operations expressed in a macro language (such as Visual Basic for Applications, VBA) or a conventional programming language. When a certain trigger fires, the application executes these commands automatically. Threat actors write malicious code in the same macro language and hide it in documents and spreadsheets distributed over the internet; the code is activated as soon as the file is opened.

Zone Identifier and Security

How Does Windows Identify the Source of the Files?

In a phishing attack, data downloaded from the internet is handled by a browser running on Windows. Whenever such data is downloaded, the browser creates an Alternate Data Stream (ADS) named “Zone.Identifier” on the file and writes a “ZoneId” to it, representing the zone from which the file originated. Zone IDs are listed in the table below. For more information on URL security zones, refer to this article.

  Zone              ZoneId
  Local machine     0
  Local intranet    1
  Trusted sites     2
  Internet          3
  Restricted sites  4

We can use PowerShell to query the Zone.Identifier stream to obtain the assigned ZoneId. As the image below shows, a lot of information about the file is retrievable, in particular its source information such as the URL and host details. The file in the image has a ZoneId of 3, which in the table above stands for ‘Internet’. This indicates that malicious.doc was downloaded from the internet.

Security features on Windows use the zone identifier data through the “Mark of the Web” (MOTW) feature to distinguish downloaded files from local ones. A few mechanisms that act on the Mark of the Web:

  • Windows Smart Screen
  • Protected View in Office Suite
  • Application Guard 
  • Visual Studio untrusted data protection

In the above instance, when malicious.doc with ZoneId 3 is opened in Word, it opens in Protected View, as shown below:

Executing Internet Macros

Alternate data streams are an NTFS (New Technology File System) feature, so when a non-NTFS format is used as a container for a malicious file, the browser cannot create an ADS on the files inside the container. Those files therefore never receive a ZoneId, which enables macro execution.

The “.iso” format is a popular container choice for malicious files. Files extracted from an ISO don’t have a Zone.Identifier stream, so Windows treats them as local files.

The image below shows that a downloaded ISO file uses the Mark of the Web and is assigned ZoneId 3.

When files are extracted from the ISO to disk, they carry no zone identification data, as shown in the following image. Hence, when the stream data is queried, PowerShell throws an error stating that the stream object cannot be found, confirming that the system categorizes the malicious file as a local file.
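As an added example (not code from the original post), the PowerShell function below combines the two checks described above: it reads the Zone.Identifier stream and maps the ZoneId to the zone table, and it treats the "stream not found" error as the no-MOTW case seen for files extracted from an ISO. The function name Get-MarkOfTheWeb and the folder C:\Triage are placeholders chosen for this example.

```powershell
# Added example: triage files for Mark of the Web (MOTW) via the Zone.Identifier ADS.
# Zone table as listed in the post (URL security zones).
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    # -Stream reads the NTFS alternate data stream. On a file without one (for example a
    # document extracted from an ISO) Get-Content raises the "stream not found" error the
    # post describes; SilentlyContinue turns that into $null, which we report as "no MOTW".
    $raw = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
    if (-not $raw) {
        return [pscustomobject]@{
            File = $Path; HasMotw = $false; ZoneId = $null
            Zone = 'None (no Zone.Identifier stream; handled as a local file)'
            ReferrerUrl = $null; HostUrl = $null
        }
    }

    # The stream is INI-style text: a [ZoneTransfer] section holding ZoneId=, ReferrerUrl=, HostUrl=.
    $fields = @{}
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    $zone   = if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }

    [pscustomobject]@{
        File = $Path; HasMotw = $true; ZoneId = $zoneId; Zone = $zone
        ReferrerUrl = $fields['ReferrerUrl']; HostUrl = $fields['HostUrl']
    }
}

# Usage: list Office documents under the placeholder folder that either lack MOTW entirely
# (the ISO-extraction case) or carry ZoneId 3 (Internet). Adjust the path to the folder being triaged.
Get-ChildItem -LiteralPath 'C:\Triage' -Recurse -File -Include *.doc,*.docm,*.xls,*.xlsm |
    ForEach-Object { Get-MarkOfTheWeb -Path $_.FullName } |
    Where-Object { -not $_.HasMotw -or $_.ZoneId -eq 3 } |
    Format-Table File, HasMotw, ZoneId, Zone, HostUrl -AutoSize
```

A document reported with HasMotw = False is exactly the condition that lets Word skip Protected View, so those rows deserve the closest look during triage.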

When a malicious document extracted from an ISO is opened in Word, the Protected View feature doesn’t alert the user. Protected View therefore offers no sandbox protection, allowing the malware to execute unrestricted on the system.

Conclusion

Adversaries abuse VBA macros to bypass the Zone Identifier checks employed by Office applications. They execute malicious macros in documents that the browser fails to identify as files from the internet, sidestepping security measures to infect target networks. Observing the following mitigation measures can help prevent such attacks:

  • A defense-in-depth approach should always be preferred to relying on a single defense.
  • Enforce Microsoft’s Attack Surface Reduction (ASR) rules in an enterprise environment.
  • Do not execute files shipped in suspicious container formats.