Mark-Of-The-Web Bypass with 7-zip
In 2022, Microsoft restricted the usage macros in office documents downloaded from the internet, a major leap forward to reduce the popular maldoc attack surface. However, attackers could still overcome this Mark-Of-The-Web restriction by packing the malicious document in a container, such as zip or ISO files. Upon extraction, the macro-enabled document would not appear to be downloaded from the internet and the evil macros can be executed. Tools like PackMyPayload demonstrate this concept.
The popular 7-zip software is one of the possibilities to bypass Mark-Of-The-Web. An attacker can simply 7-zip the malicious Word document and provide the victim with instructions to extract it via 7-zip, which would result in a macro-enabled document.
Unzipping the document with 7-zip
For example, the attacker could reply to a job posting and send his resume in an attached 7-zip file, with specific instructions on how to extract the document via 7-zip.
Example phishing mail
Pepper, the hiring manager who has 7-zip installed, can simply double-click the file and press "Open".
Prompt to open 7-zip attachment
This would automatically open the archive with 7-zip.
7-zip archive containing resume
From here, a simple drag-and-drop to desktop is enough to avoid Mark-Of-The-Web.
Resume dragged-and-dropped to desktop
After opening the document, the victim is presented with a classic encouragement to Enable Content. Additionally, the CV appears to be encrypted for GDPR reasons. One can never have enough protection layers for his personal data!
Instructions after opening the document
When the victim follows the instructions, a legitimate-looking resume appears.
Resulting resume
However, in the backend the malicious macro replaced a DLL on disk in a Microsoft Teams directory. This causes Teams to load the attacker's malware the next time the program starts.
DLL Proxying was used to preserve the functionality original DLL and the malicious DLL loaded encrypted Command and Control shellcode, embedded in a remote png on a webserver via steganography.
Visualization of the Microsoft Teams DLL hijack
In this case, a Brute Ratel C2 session was started in Microsoft Teams.
Brute Ratel C2 session on Pepper's computer
In this article, we demonstrated that office macros can still be used to establish an initial foothold on a victim's machine through the use of containers to deliver the payload. However, it has become harder and takes more effort to convince the victim, which is definitely a step in the right direction!