A .CSV file could be a malware carrier and if interpreted by Microsoft Excel it could become a malware executor ! When I personally saw this technique back in 2017 (please take a look to here, here and here ) I was fascinated. A simple and sweet textual file forcing the behaviour of powerful and protected machines: no macros, no Visual Basics, no exploit were involved. Indeed if you have ever installed Microsoft Excel on your Windows box you’d probably know when you click on a common .CSV file a MSExcel is turned on. It turns on, it opens the selected .CSV file and interprets cells contents. But what if an attacker writes malicious contents into one or more cells ? I personally have never received and/or analysed such a droppers until few days ago when it appeared on my spam-box, it quickly became a mandatory analysis for my personal experience :P.

Dropper .CSV

A series of empty fields preceding a final and fake formula piping a CMD.exe command is spawned. By using the bitsadmin technique the attacker downloads a file called now.exe and stores it into a temporary system folder for later execution. In this specific case the downloaded Malware happens to be a variant of NanoCore RAT, but this is not my point for today. If you are interested in the Malware analysis of now.exe please read here.

At that time the attacker forced the Dynamic Data Exchange  (DDE) protocol for interprocess communication supported by Microsoft Excel, LibreOffice and Apache OpenOffice. For example the following formula on OpenOffice will run calc.exe (CVE-2014-3524).

=DDE("cmd";"/C calc";"__DdeLink_60_870516294")

On Microsoft Excel the same result can be reached by introducing the following formula:

=cmd|' /C calc'!A0

While OpenOffice and LibreOffice patched this vulnerability in the following versions: OpenOffice-4.1.1 (ref here) and LibreOffice-4.3.1 (ref here), Microsoft decided to allow this behaviour by introducing two user “warnings”.

Microsoft Excel User Warnings before letting run DDE content

These warnings recommend that the user shouldn’t click  if he does not trust the source of the file…. here we go ! What about if you received this file from google spreadsheet ? Ok, maybe, none in the cybersecurity community will definitely trust a spreadsheet coming from a random GoogleSheet user, but maybe many people out there would trust GoogleSheet without wondering who really sits behind of the shared document.

Google Sheets spreading .CSV dropper

In 2019 the most interesting thing about this technique is the ability to bypass Google filters. By implementing .csv dropper technique an attacker could easily use Google Sheets as a Malware vector. Although Google implements sophisticated gMail and gDrive anti Malware techniques in order to avoid Malware spreading over its amazing technologies, for example: before uploading or downloading a file from gDrive google scans them (ref: here) or avoiding specific file type (.exe, .dll, .zip, etc etc) over gMail (read more here), this time seems to be not as much as “sensible” to such an issue. Google has been alerted about this issue but it confirmed that it’s actually an “Intended Behaviour”.

Google Ticket Changed on Intended Behaviour

Finally an attacker could send a clear link over an instant message platform and/or over eMail asking to open up a Google Sheets suggesting to the victim to open the spreadsheet locally since “MSExcel compatibility issues”. At that time if the victim downloads the Google sheets and opens up locally (with Microsoft), the attacker might infect her box.

I really hope that Google would -at least try- to avoid to be used as an attack vector as it does with many other technologies, but in the meantime please be aware of this issue and if you receive a link to a not working Google Sheets, please do not download it locally.

IOC:

  • Hashes:
    • 5e561bf9e088f8f2b9c0610fb6f61f6d7655f6a0988a0d304452d8fa73a6a628 (.CSV)
    • cd3d1b4d147a198e1a2b7e3f4370998142bf20cbdfdd3d30cf86d65b5bd40f50 (dropped)
  • DOMAINS:
    • http://7bwh.com/wp-content
    • http://7bwh.com/wp-content/plugins/Ultimate_VC_Addons/admin/ifeanyi/now.exe
    • 99grams.ddns.net (c2)