# Mark-Of-The-Web Bypass with 7-zip

## Introduction

In 2022, [Microsoft started blocking macros by default in Office documents downloaded from the internet](https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805), a major step forward in reducing the popular maldoc attack surface. However, attackers can still overcome this Mark-Of-The-Web restriction by packing the malicious document in a container, such as a zip or ISO file. Upon extraction, the macro-enabled document no longer carries the Zone.Identifier stream that marks it as downloaded from the internet, so its macros are allowed to run. Tools like [PackMyPayload](https://github.com/mgeeky/PackMyPayload) demonstrate this concept.

## 7-Zip

The popular [7-zip](https://www.7-zip.org) archiver is one of the possibilities to bypass Mark-Of-The-Web: unlike Windows' built-in zip handling, 7-zip does not by default copy the Zone.Identifier stream from the archive to the files it extracts. An attacker can simply 7-zip the malicious Word document and provide the victim with instructions to extract it via 7-zip, which results in a document whose macros are not blocked. Note that 7-zip 22.00 and later can propagate the stream (Tools > Options > 7-Zip > "Propagate Zone.Id stream"), but the option is not enabled by default, so the bypass works against a default installation.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FBxj30eQ79r2PsiUqiH8C%2Fimage.png?alt=media&#x26;token=2cf6b379-20c7-47f0-875d-f928e320b8a2" alt=""><figcaption><p>Unzipping the document with 7-zip</p></figcaption></figure>

## Pretext

For example, the attacker could reply to a job posting and send a resume as an attached 7-zip archive, with specific instructions on how to extract the document via 7-zip.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FhK33FPsKawpjSrsZw57Q%2FScreenshot%202023-01-12%20at%2016.18.26.png?alt=media&#x26;token=1787c230-4a9a-47c2-8c20-0c5dd5f3b31e" alt=""><figcaption><p>Example phishing mail</p></figcaption></figure>

## Extraction

Pepper, the hiring manager who has 7-zip installed, can simply double-click the file and press "Open".

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FGhQ8XEx0jES7aojfLPkg%2FScreenshot%202023-01-12%20at%2016.23.09.png?alt=media&#x26;token=9f2b6f56-d014-4b4f-8d4f-922a845c659b" alt=""><figcaption><p>Prompt to open 7-zip attachment</p></figcaption></figure>

This would automatically open the archive with 7-zip.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FEvyNrMrDHeuhSkGnlYdi%2Fimage.png?alt=media&#x26;token=95091acd-9253-4517-ba86-5f77ab1bfe42" alt=""><figcaption><p>7-zip archive containing resume</p></figcaption></figure>

From here, a simple drag-and-drop to the desktop is enough: the extracted file is written without a Zone.Identifier stream, so it carries no Mark-Of-The-Web.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FSMSrvBWI99zBcKKiSXpu%2Fimage.png?alt=media&#x26;token=53029e98-db21-4087-a51d-5c4c8958065f" alt=""><figcaption><p>Resume dragged-and-dropped to desktop</p></figcaption></figure>
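To verify this on a test machine, compare the downloaded archive with the extracted document: the archive carries a `Zone.Identifier` alternate data stream with `ZoneId=3`, the dragged-out document has no stream at all. The script below is an added example (not code from the original post) that reads and parses that stream the way Office's macro block interprets it; the stream contents and the paths under `__main__` are constructed, and the check only finds a stream on NTFS, since Linux and macOS have no such ADS.

```python
"""Inspect a file's Mark-of-the-Web: the Zone.Identifier alternate data stream
that Windows attaches to downloads. Added example, not code from the original
post. SAMPLE_ARCHIVE_STREAM is constructed; the paths under __main__ are
hypothetical.
"""
from __future__ import annotations

import configparser
from typing import Optional

# URL security zone numbers as written into Zone.Identifier by browsers and mail clients
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed example of what the downloaded .7z attachment would carry
SAMPLE_ARCHIVE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://mail.example.test/\r\n"
    "HostUrl=https://mail.example.test/attachments/resume.7z\r\n"
)


def parse_zone_identifier(stream: str) -> Optional[dict]:
    """Parse the INI-style Zone.Identifier contents.

    Returns a dict with zone_id, zone_name, referrer and host, or None when the
    text is not a usable [ZoneTransfer] block.
    """
    cp = configparser.ConfigParser(interpolation=None)  # URLs may contain '%'
    cp.optionxform = str  # keep key case: ZoneId, ReferrerUrl, HostUrl
    try:
        cp.read_string(stream)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer"):
        return None
    section = cp["ZoneTransfer"]
    try:
        zone = int(section.get("ZoneId", ""))
    except ValueError:
        return None
    return {
        "zone_id": zone,
        "zone_name": ZONE_NAMES.get(zone, "Unknown"),
        "referrer": section.get("ReferrerUrl"),
        "host": section.get("HostUrl"),
    }


def read_motw(path: str) -> Optional[dict]:
    """Read and parse the Zone.Identifier stream of a file on NTFS.

    Python opens an alternate data stream with the plain "file:stream" syntax.
    None means the stream is absent, which is exactly the state of a document
    extracted by 7-zip: no stream, no Mark-of-the-Web, macros allowed.
    """
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


def macros_blocked_by_default(info: Optional[dict]) -> bool:
    """Office's 2022 default blocks VBA macros for files marked Internet (3) or
    Restricted Sites (4); any other zone, or no stream at all, lets them run."""
    return info is not None and info["zone_id"] in (3, 4)


if __name__ == "__main__":
    # Hypothetical paths on the victim's Windows machine
    for candidate in (r"C:\Users\pepper\Downloads\resume.7z",
                      r"C:\Users\pepper\Desktop\resume.docm"):
        info = read_motw(candidate)
        print(candidate, "->", info, "| macros blocked:", macros_blocked_by_default(info))
```

Run it on the archive and on the extracted document: the first should report zone 3 and "macros blocked: True", the second no stream and "False", which is the whole bypass in two lines of output.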

## Execution

After opening the document, the victim is presented with the classic encouragement to Enable Content. Additionally, the CV appears to be encrypted for GDPR reasons. One can never have enough protection layers for one's personal data!

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FplI5JMddQg0saoCjgDzu%2Fimage.png?alt=media&#x26;token=16d81b49-43c5-4868-b2c7-65ed195184d5" alt=""><figcaption><p>Instructions after opening the document</p></figcaption></figure>

When the victim follows the instructions, a legitimate-looking resume appears.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FcqdapJIhByuRfvLfJAax%2Fimage.png?alt=media&#x26;token=447e82fc-1658-4938-b87a-9f4cf1bc97bd" alt=""><figcaption><p>Resulting resume</p></figcaption></figure>

## Backend

In the background, however, the malicious macro replaced a DLL on disk in a Microsoft Teams directory. This is a convenient target because (classic) Teams installs per user under %LOCALAPPDATA%, which is writable without administrative rights, and it causes Teams to load the attacker's malware the next time the program starts.

DLL proxying was used to preserve the functionality of the original DLL: the malicious DLL forwards the legitimate exports to the renamed original so Teams keeps working, while its own code loads encrypted command-and-control shellcode that was embedded via steganography in a PNG hosted on a remote web server.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2Fc4yBjCaOySWV9byXQv52%2FScreenshot%202023-01-12%20at%2016.33.55.png?alt=media&#x26;token=7b4e7bda-4225-4e6f-86fc-d05d0c537fa6" alt=""><figcaption><p>Visualization of the Microsoft Teams DLL hijack</p></figcaption></figure>
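A replaced DLL of this kind is easy to catch if you have a baseline of the application directory: the hijacked name changes hash, and the renamed original the proxy forwards to shows up as a new file. The script below is an added example (not code from the original post) that hashes every DLL under a directory and diffs it against a stored baseline; `demo()` builds a constructed directory in a temporary folder, and the Teams path in the docstring is only an illustration of where you would point it on a real host.

```python
"""Spot a replaced or added DLL in an application directory by hashing every
DLL and diffing against a baseline taken from a clean install.

Added example, not code from the original post. demo() builds a constructed
directory in a temp folder; on a real host you would baseline the Teams install
directory (hypothetically %LOCALAPPDATA%\\Microsoft\\Teams) from a known-good image.
"""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large DLLs are not loaded into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def baseline_dlls(root: Path) -> dict[str, str]:
    """Map each DLL's path (relative to root, forward slashes) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*.dll"))
        if p.is_file()
    }


def diff_dlls(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every DLL as modified (same name, different hash), added or missing.

    A proxying hijack shows up twice: the hijacked name is 'modified' and the
    renamed original it forwards to is 'added'.
    """
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "missing": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake install, then simulate the macro's DLL swap."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app.dll").write_bytes(b"MZ original app dll")        # constructed
        (root / "helper.dll").write_bytes(b"MZ original helper dll")  # constructed
        stored = json.dumps(baseline_dlls(root))  # what you would keep from a clean image

        # What the macro in the post does, in effect: drop a proxy DLL under the
        # legitimate name and keep the real one beside it for export forwarding.
        (root / "helper.dll").write_bytes(b"MZ malicious proxy dll")
        (root / "helper_orig.dll").write_bytes(b"MZ original helper dll")

        return diff_dlls(json.loads(stored), baseline_dlls(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hash baseline alone also flags legitimate vendor updates, so in practice pair it with an Authenticode check (for example PowerShell's Get-AuthenticodeSignature) and treat an unsigned or differently signed DLL under a signed application's directory as the real alarm.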

In this case, a Brute Ratel C2 session was started from within the Microsoft Teams process.

<figure><img src="https://2625624550-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FhRzjBF3u8KpBWHCTCRNz%2Fuploads%2FeNBDerwtRhT0xSKKqS6F%2FScreenshot%202023-01-12%20at%2016.40.49.png?alt=media&#x26;token=b1838ac1-e677-4fa1-9a3d-0a2f7ddac60c" alt=""><figcaption><p>Brute Ratel C2 session on Pepper's computer</p></figcaption></figure>

## Conclusion

In this article, we demonstrated that Office macros can still be used to establish an initial foothold on a victim's machine by delivering the payload inside a container. However, it has become harder and takes more effort, and more user interaction, to convince the victim, which is definitely a step in the right direction!
