Mark-Of-The-Web Bypass with 7-zip

Introduction

In 2022, Microsoft restricted the use of macros in Office documents downloaded from the internet, a major step towards reducing the popular maldoc attack surface. However, attackers could still overcome this Mark-Of-The-Web restriction by packing the malicious document in a container, such as a zip or ISO file. Upon extraction, the macro-enabled document would no longer appear to have been downloaded from the internet, and the evil macros could be executed. Tools like PackMyPayload demonstrate this concept.

7-Zip

The popular 7-zip software is one way to bypass Mark-Of-The-Web. An attacker can simply 7-zip the malicious Word document and provide the victim with instructions to extract it via 7-zip, which results in a macro-enabled document without the mark.

Pretext

For example, the attacker could reply to a job posting and send his resume in an attached 7-zip file, with specific instructions on how to extract the document via 7-zip.

Extraction

Pepper, the hiring manager who has 7-zip installed, can simply double-click the file and press "Open".

This would automatically open the archive with 7-zip.

From here, a simple drag-and-drop to desktop is enough to avoid Mark-Of-The-Web.
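The behaviour above comes down to one thing: the extracted file has no Zone.Identifier alternate data stream, even though the archive it came from did. The following is an added example (not code from the original post) that a defender can use to audit this: it parses the INI-style Zone.Identifier stream, reads it from a file on NTFS, and flags files whose mark was dropped on extraction. The sample stream content in the docstring is constructed; the stream name and ZoneId values are the documented Windows ones.

```python
"""Audit whether files extracted from an Internet-zone archive kept their MOTW."""
import os
from typing import Optional

STREAM = ":Zone.Identifier"   # NTFS alternate data stream that carries the MOTW
URLZONE_INTERNET = 3          # 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted


def parse_zone_identifier(text: str) -> dict:
    """Parse the [ZoneTransfer] section of a Zone.Identifier stream into a dict.

    Constructed example of the stream content written by a browser on download:
        [ZoneTransfer]
        ZoneId=3
        ReferrerUrl=https://example.test/jobs
        HostUrl=https://example.test/resume.7z
    """
    fields, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def read_zone_id(path: str) -> Optional[int]:
    """Return the file's ZoneId, or None when it carries no MOTW stream.

    Only NTFS stores the stream, so on non-Windows hosts this always yields None.
    """
    if os.name != "nt":
        return None
    try:
        with open(path + STREAM, "r", encoding="utf-8", errors="replace") as f:
            fields = parse_zone_identifier(f.read())
        return int(fields["ZoneId"])
    except (OSError, KeyError, ValueError):   # no stream, or a malformed one
        return None


def motw_dropped(archive_zone: Optional[int], extracted_zone: Optional[int]) -> bool:
    """True when the archive was Internet-zone (or worse) but the extracted file is unmarked."""
    return (archive_zone is not None and archive_zone >= URLZONE_INTERNET
            and extracted_zone is None)
```

Running `motw_dropped(read_zone_id("resume.7z"), read_zone_id("resume.docm"))` on the hiring manager's desktop after the drag-and-drop returns True for exactly the situation this section describes, which is the condition an endpoint check or DFIR triage script should alert on.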

Execution

After opening the document, the victim is presented with a classic encouragement to Enable Content. Additionally, the CV appears to be encrypted for GDPR reasons. One can never have enough protection layers for his personal data!

When the victim follows the instructions, a legitimate-looking resume appears.

Backend

However, in the backend the malicious macro replaced a DLL on disk in a Microsoft Teams directory. This causes Teams to load the attacker's malware the next time the program starts.

DLL proxying was used to preserve the functionality of the original DLL. The malicious DLL then loaded encrypted Command and Control shellcode, which was embedded via steganography in a remote PNG hosted on a web server.

In this case, a Brute Ratel C2 session was started in Microsoft Teams.

Conclusion

In this article, we demonstrated that office macros can still be used to establish an initial foothold on a victim's machine through the use of containers to deliver the payload. However, it has become harder and takes more effort to convince the victim, which is definitely a step in the right direction!
