The famous Clippy is back with a vengeance: security researchers have developed a tool that helps red teams and security testers create malicious Microsoft Office documents.
Outflank experts presented the tool at Black Hat Asia, and in a technical analysis they explain that the so-called Evil Clippy can bypass antivirus applications using a complex approach involving VBA stomping.
The researchers explain that this method abuses a feature that is not officially documented: "the undocumented PerformanceCache part of each module stream contains compiled pseudo-code (p-code) for the VBA engine."
Evil Clippy, which runs on Windows, Linux and macOS, can hide VBA macros from the GUI editor and from sophisticated analysis tools, serve stomped VBA templates via HTTP, and set or remove locked/unviewable VBA project protection in Office documents.
"Evil Clippy uses the OpenMCDF library to manipulate MS Office Compound File Binary Format (CFBF) files and abuses MS-OVBA specifications and functionality. It reuses the Kavod.VBA.Compression code to implement the compression algorithm used in the dir and module streams (see MS-OVBA for the corresponding specifications)," the security researchers explain.
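The two facts above (a module stream is an undocumented PerformanceCache of p-code followed by the compressed source text, and that text uses the MS-OVBA compression scheme) are what a defender needs in order to read the real source out of a document and notice when it has been stripped. The following Python is an added example written for this article; it is not Evil Clippy's code, not OpenMCDF and not Kavod.VBA.Compression. It implements the MS-OVBA section 2.4.1 decompression algorithm for a CompressedContainer and a small stomping indicator. The helper names, the text offset parameter, the heuristic and the sample byte strings are all assumptions constructed for the example; in a real file the text offset comes from the MODULEOFFSET record in the dir stream.

```python
"""MS-OVBA (section 2.4.1) decompression of VBA module source text, plus a
simple VBA-stomping indicator. Added example; not Evil Clippy's code."""
import struct

SIGNATURE = 0x01      # first byte of every CompressedContainer
CHUNK_SIZE = 4096     # decompressed size of one chunk


def _copytoken_params(decompressed_current, chunk_start):
    """How a CopyToken splits into offset and length bits depends on how far
    into the current chunk the decompressor is (MS-OVBA CopyToken help)."""
    difference = decompressed_current - chunk_start
    # ceil(log2(difference)), never less than 4 bits
    bit_count = max((difference - 1).bit_length(), 4)
    length_mask = 0xFFFF >> bit_count
    offset_mask = (~length_mask) & 0xFFFF
    return bit_count, length_mask, offset_mask


def decompress(container):
    """Decompress a CompressedContainer (dir stream or module source text)."""
    if not container or container[0] != SIGNATURE:
        raise ValueError("not a CompressedContainer (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        header = struct.unpack_from("<H", container, pos)[0]
        chunk_size = (header & 0x0FFF) + 3          # size including the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature at offset %d" % pos)
        compressed_flag = header >> 15
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        chunk_start = len(out)
        if compressed_flag == 0:
            # Uncompressed chunk: the payload is 4096 raw bytes
            out += container[pos:pos + CHUNK_SIZE]
            pos += CHUNK_SIZE
            continue
        while pos < chunk_end:
            flag_byte = container[pos]              # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flag_byte >> bit) & 1:
                    out.append(container[pos])      # LiteralToken: copy one byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", container, pos)[0]   # CopyToken
                pos += 2
                bit_count, length_mask, offset_mask = _copytoken_params(len(out), chunk_start)
                length = (token & length_mask) + 3
                offset = ((token & offset_mask) >> (16 - bit_count)) + 1
                src = len(out) - offset
                for i in range(length):             # byte-wise: source may overlap output
                    out.append(out[src + i])
    return bytes(out)


def split_module_stream(stream, text_offset):
    """A MODULE stream is the PerformanceCache (p-code) followed, at the offset
    recorded in the dir stream, by the compressed source text."""
    return stream[:text_offset], stream[text_offset:]


def looks_stomped(stream, text_offset):
    """Heuristic assumed for this example (not a documented check): a module whose
    compressed source decompresses to nothing while a non-empty PerformanceCache
    is present has had its source text removed, which is what stomping leaves behind."""
    pcache, compressed_src = split_module_stream(stream, text_offset)
    source = decompress(compressed_src)
    return len(pcache) > 0 and not source.strip()


# Constructed sample: one compressed chunk encoding "abc" as three literals
# followed by a CopyToken (offset 3, length 9), i.e. the text "abcabcabcabc".
SAMPLE_COMPRESSED_SOURCE = b"\x01\x05\xb0\x08abc\x06\x20"
# Constructed stand-in for a PerformanceCache; real p-code is opaque to this example.
SAMPLE_PCACHE = b"\xca\xfe" * 8


def demo():
    intact = SAMPLE_PCACHE + SAMPLE_COMPRESSED_SOURCE
    stripped = SAMPLE_PCACHE + b"\x01"            # container with no chunks: empty source
    return {
        "source": decompress(SAMPLE_COMPRESSED_SOURCE),
        "intact_flagged": looks_stomped(intact, len(SAMPLE_PCACHE)),
        "stripped_flagged": looks_stomped(stripped, len(SAMPLE_PCACHE)),
    }


if __name__ == "__main__":
    print(demo())
```

The decompressor alone is enough to recover what the VBA editor would show; the indicator only catches the crude case where the source text has been emptied. A stomped module may instead carry plausible but different source, so the stronger check, which this example does not implement, is to disassemble the PerformanceCache p-code and compare it with the decompressed text.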
An in-depth look at Evil Clippy can be found on the linked page above.
What Microsoft needs to do
While Evil Clippy may raise concerns for Microsoft Office users, the security experts note that the tool is intended as a call on the Redmond-based computing giant to strengthen protection against malicious macros in its productivity suite.
"Evil Clippy only scratches the surface of the problems resulting from the gap between Microsoft's official specifications on VBA macros (MS-OVBA) and its actual implementation in MS Office. Since malicious macros are one of the most common methods of initial compromise used by threat actors, an appropriate defense against these macros is crucial," they explain.
The source code of Evil Clippy is already available on GitHub here.