How malicious Office files and abused Windows privileges enable ransomware

McAfee recently released research on the Cuba ransomware. These attackers have pivoted to leaking data to extort funds from the firms they are attacking. As is typical these days, the attackers had access to the network before they activated the ransomware. This allowed them to examine the network and review how best to attack the network.

The attackers used PowerShell commands to move laterally in the network. PowerShell was called from the SysWOW64 folder using the command Powershell -windowstyle hidden to hide it from the user. The ransomware looked for specific languages, for example Russian, to provide flexibility for the attacker. The attackers then reviewed what each workstation has access to and the last connection to each workstation to gain more targets. The attackers also used the SeDebugPrivilege process to elevate privileges. The attack sequence disabled certain services including ones related to SQL, email and other communication processes.

Attackers’ favorite Windows privileges

Windows privileges are often used and abused in other attacks:

• SeCreateTokenPrivilege creates a token object but can be used to escalate privileges.
• SeBackupPrivilege causes the system to grant all read access control to any file. Attackers can use it to collect information about the network.
• SeDebugPrivilege is required to debug and adjust the memory of a process owned by another account. Attackers use this to evade detection and obtain credential access.
• SeLoadDriverPrivilege is required to load or unload a device driver. Attackers often use this in defense evasion.
• SeRestorePrivilege is required to perform restore operations. This causes the system to grant all write access control to any file. This can be used by attackers for persistence.
• SeTakeOwnershipPrivilege is required to take ownership of objects. Attackers use it to gain persistence, evade detection and collect more information about the network.
• SeTcbPrivilege identifies its holder as part of the trusted computer base. Attackers use these for privilege escalation.
• ScDebugPrivilege is used both by software such as antivirus as well as attackers.

A Palantir blog post recommends auditing privileges assigned to new logons to identify privilege access tokens that attackers create. The best way to identify the misuse is to understand your network and set alert triggers when abnormal events occur.

Malicious Office documents most common attack vector

Unfortunately, McAfee did not identify the original Cuba ransomware attack vector, but ransomware is often triggered by malicious Office documents. A Netskope blog recently pointed out the use of weaponized Office documents to download and execute externally hosted payload. The malicious documents appear to be from Docusign, electronic signature service. EtterSilent uses Excel 4.0 macros stored inside a hidden sheet instead of VBA macros.

Malicious Excel documents represent 61.1% of the Office documents used in ransomware attacks. Word documents were next in use and PowerPoint were the least used in attacks. As Netskope noted, “The volume of malicious Microsoft Office documents increased by 58% as attackers are increasingly using malicious Office documents as Trojans to deliver next stage payloads, including ransomware and backdoors. Using cloud app delivery to evade legacy email and web defenses, malicious Office documents represent 27% of all malware downloads detected and blocked by the Netskope Security Cloud.”

How to defend against malicious Office documents

What options do you have to protect yourself from malicious Office documents? First, block macros. Determine who really needs Word and Excel macros. Put in a group policy or Intune policy to block macros for users with no need for them and place those users into groups or organizational units to protect these users. Here’s how:

• Ensure that you have downloaded the proper ADMX file from Microsoft.
• Open the Group Policy Management Console and right-click the Group Policy object you want to configure.
• Select “Edit”.
• In the Group Policy Management Editor, go to “User configuration”.
• Select “Administrative templates”.
• Select “Microsoft Word 2016” (or the version you have deployed)
• Select “Word options”.
• Select “Security”.
• Select “Trust Center”.
• Open the “Block macros from running in Office files from the Internet” setting to configure and enable it.

Ensure that users who need to run macros open and run only those that are signed. You can also upgrade to a Microsoft 365 E5 license to further enable Application Guard for Office 365. You must be on Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later. To enable:

• Select “Microsoft Defender Application Guard” under Windows Features and select “OK”. You will be asked to reboot the computer to fully enable the feature.
• Search for Microsoft Defender Application Guard in Managed Mode, a group policy in Computer ConfigurationAdministrative TemplatesWindows ComponentsMicrosoft Defender Application Guard.
• Enable either policy 2, “Enable Microsoft Defender Application Guard for isolated Windows environments only”, or 3, “Enable Microsoft Defender Application Guard for Microsoft Edge and isolated Windows environments”. You will also need to have hardware that supports virtualization. On older computer platforms you may need to enable this in the BIOS.

Once all the settings and prerequisites are in place, opening an untrusted Office document–for example, a file with an unsigned macro coming from the internet–a message appears on the bottom of the splash screen indicating that “To keep you safe, we’re opening this document in Application Guard”.