EvilClippy and the rise of Office-based malware

EvilClippy

Last month a cross-platform assistant for creating malicious MS Office documents, named EvilClippy, was released.

It allows an attacker to hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools.

Attackers can now hide malicious code from anti-virus and macro analysis tools by leveraging undocumented features in the way macros are stored within an Office file.

Macros are stored in Compound File Binary Format (CFBF) and EvilClippy uses a technique known as VBA Stomping to replace the compiled version of the macros with something malicious.
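To make concrete what a macro analysis tool actually reads from a module stream: inside the CFBF container, the VBA source of each module is stored with the [MS-OVBA] compression scheme (section 2.4.1), while what Office executes is the compiled p-code held alongside it. A tool that only decompresses and inspects the source is the one a stomped document fools. The Python below is an added example, not code from this post or from the EvilClippy project: it implements that decompression, builds its own constructed test containers (the `CONSTRUCTED_COMPRESSED` bytes and `literal_container` helper are hand-made here, not taken from any real document), and applies `source_looks_hollow`, a heuristic of this example rather than a documented Office check, which flags a module whose recovered source carries nothing beyond the `Attribute` lines every module has.

```python
"""Decompress a VBA module's source ([MS-OVBA] 2.4.1) and flag sources that
look hollowed out.

Added example. The samples are constructed, and source_looks_hollow() is this
example's own heuristic, not a check documented by Microsoft.
"""


def decompress_vba(data: bytes) -> bytes:
    """Decompress a CompressedContainer as stored in a VBA module stream."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        chunk_start = pos                      # the 2-byte header is part of the chunk
        header = int.from_bytes(data[pos:pos + 2], "little")
        pos += 2
        chunk_size = (header & 0x0FFF) + 3     # field stores size minus 3
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = bool(header >> 15)
        chunk_end = chunk_start + chunk_size
        out_start = len(out)
        if not compressed:
            # Raw chunk: exactly 4096 literal bytes follow the header.
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                  # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])      # literal byte
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")
                pos += 2
                # The offset/length split of a copy token depends on how much
                # of this chunk has been produced so far: ceil(log2(n)), 4..12.
                produced = len(out) - out_start
                bit_count = min(12, max(4, (produced - 1).bit_length()))
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):
                    out.append(out[-offset])   # overlapping copies are allowed
    return bytes(out)


def literal_container(plaintext: bytes) -> bytes:
    """Build a valid container from literal tokens only (no back-references).
    Constructed-input helper for this example; real Office compresses harder.
    Limited so the chunk stays within the 4098-byte maximum (3584 * 9/8)."""
    if len(plaintext) > 3584:
        raise ValueError("helper handles a single chunk of at most 3584 bytes")
    body = bytearray()
    for i in range(0, len(plaintext), 8):
        body.append(0x00)                      # flag byte: eight literals
        body += plaintext[i:i + 8]
    header = (len(body) + 2 - 3) | (0b011 << 12) | (1 << 15)
    return b"\x01" + header.to_bytes(2, "little") + bytes(body)


def source_looks_hollow(source: bytes) -> bool:
    """Heuristic (this example's own): True when the recovered source has no
    statement other than Attribute lines. Such a module can still execute
    whatever logic its p-code holds, which is exactly the stomping case."""
    for line in source.decode("latin-1").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Attribute "):
            continue
        return False
    return True


# Constructed container: literals "abc", one copy token (offset 3, length 9),
# then literals "XYZ". Decompresses to b"abcabcabcabcXYZ".
CONSTRUCTED_COMPRESSED = bytes([
    0x01,              # container signature
    0x08, 0xB0,        # chunk header: size 11 (field 8), sig 0b011, compressed
    0x08,              # flag byte: fourth token is a copy, the rest literals
    0x61, 0x62, 0x63,  # "abc"
    0x06, 0x20,        # copy token 0x2006: offset 3, length 9
    0x58, 0x59, 0x5A,  # "XYZ"
])


if __name__ == "__main__":
    print(decompress_vba(CONSTRUCTED_COMPRESSED))
    hollow = b'Attribute VB_Name = "Module1"\r\n'
    print("hollow source flagged:", source_looks_hollow(decompress_vba(literal_container(hollow))))
```

A complete stomping detector would first walk the CFBF directory to reach the module streams and the `_VBA_PROJECT` stream, then compare the recovered source against the p-code; this block covers the decompression and the source-side heuristic only.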

According to the creators of the tool, it allows attackers to bypass all anti-virus solutions. However, it’s worth noting that Deep Instinct’s VBA and Office deep learning models, available since November last year, prevent all threats produced using EvilClippy without requiring an update or cloud lookup. Anti-virus vendors cannot detect threats created with this tool statically and must update their detection hash by hash (reactively) as samples are submitted by customers.

The name of the tool is certainly a tongue-in-cheek play on the name of the old Office 97 assistant, Clippy, which proved universally unpopular with users.

A full write-up and the download of the tool itself can be found on Outflank and GitHub.

Recent in-the-wild Office/macro threats

Published below is a list of hashes we have prevented at customer sites related to malicious Office documents.

These include threats created using EvilClippy, and Word and Excel droppers used in a number of campaigns, including Emotet, Fareit, Lazarus, LockerGoga and Alcaul.

Again, all were prevented statically with Deep Instinct’s November 2018 model.

Shift from web-based vulnerabilities to Office vulnerabilities

This data, published by researchers from Kaspersky, illustrates the pivot from browser-based attacks to Office document attacks, which is an interesting trend.

[Figure: Office document attack trends (officedoc trends.jpg)]

FlawedAmmyy Remote Access Trojan being dropped by Excel macros – Microsoft Security advises ‘disable macros’

This last week we have seen another successful campaign that uses Excel macros and digitally signed files to deliver a remote access trojan. Microsoft’s security team’s only advice remains to ‘disable macros’.

Cythera’s managed Protection Bundles are designed from the ground up to help your business meet emerging threats such as these, and provide you with ongoing outcome-based security.

doc / xls
17c484ec8a7b39f13d6d06341f26942b80cce72c68d8b8781bc92b626d259549
1c0bb461a1e6ef4828099cbf9b4bc4295ccaf0658d2942162718808609d9023f
3e114876a826bcc3d316fde247e0318ca407a3d112be71e72419c662a341e4d0
73e34961788d6ec841db517b89181a01fd2f8b943921ee7e0dba0709dbdcdda3
761dd88f174641870d799241b95dbf6c8b410d0bc895f30e508a94a716e68427
7c80a0c687c12363ce9a6ecd853f7482c30fa3b21fca689f3317cebde09c0390
7f514641d85bdd829961214ad84b22ab85da69942fd08c7b4877357447297799
87e2dac622b380b6868411bb069b312a2706d2eadb047f58605bc041d949f440
948961ee4aaedab07897f8b85b44f22b24f7274544e092f9fb3ca6abf81ae4b5
9d9db5b5989a0fb87badb28f9fc8a176234ed635d09b0a7ccca8b330ef2f24b7
a75ca621267c58c9e8eb8b55b1ff5cce300730a02bee71f03185757c479fa9f0
b691bcc1f81d08063191b9d80717bbecfdae7ba83f1237e75b1d9e052685c21f
d1ed1008379f13d46d410adc34c886e8dd6624ffbdfeefe48e32f32954f210b8
f2ce43e8f451d32b98ff19814e856552cf384d3732b66a59e04f9000997d655d
f2d6f5ace027e74338fd74ea8ff642c6dcc5a80c59d0e2f0282522c14507ea31

evilclippy
1581b2159f11c04fa318be2b25f26cb35806243e1130b62bbe635ac7b67cf944
50b7e9d587ab58ffba9548b7dc3d3ccc95007f0d653707a28eddc25fe768201f
21c72137c2210301312edc954cca3fcbc91fffe85b8593264a435abeed37979e
e9c03dc432f00af0ecf825a714d56eb57b48fca4bccd1dc845e7ced61071f941
6066d2c77c86dcb0e802b0420b37aa8eabc0a8bd3d0e9b30aae6ced21080dbff
2e9111ce93f4a1aa0911bea14b6d37998d8f847b0d0b950204e7d25e265611d1
d2e479a6720dad2b9ff92d09a68242e8702d0c7b996bdfc84bb2820182fa19b0
e31f43f734443473bf2566d5a6f56a7a903813518d2a7735162fc008cce6d7d6
5b8c8dbf701d78d4edf4221a88e1fac0d2b9184c39bf6b1f29f8132156d0a4aa
357de9450813429f83ada806a4c60670fc5b50f8fcc2d2114e5f2715defc23ef
c351b23c7bdec9e1d0d0046ea0dc043a9f2c87e68293e68317435c11c6fd89db