Presented at
Black Hat USA 2021,
Aug. 5, 2021, 11:20 a.m.
(40 minutes).
Excel 4.0 (XL4) macros are a popular attack vector for threat actors, as security vendors struggle to play catchup and detect malicious macros properly. These macros provide attackers with a simple and reliable method to gain a foothold in a target network. They represent an abuse of a legitimate feature of Excel and do not rely on any vulnerability or exploit. For many organizations, blacklisting Excel 4 macros isn't a viable solution, and any signature to flag these samples must be precise enough not to trigger on files that leverage this feature legitimately.
As XL4 macros represent somewhat 'uncharted territory', malware authors make discoveries daily, pushing the boundaries of this technique and identifying ways to evade detection and obfuscate their code. While Microsoft recently introduced novel mechanisms to monitor the execution of these macros, obfuscation based on environmental checks and time triggers is still challenging.
To solve these issues, we developed a novel technique that applies Symbolic Execution to the analysis of Excel 4 macros. Symbolic Execution is a program analysis technique in which the values of inputs to a program are kept abstract (i.e., symbolic). During execution, it is possible to characterize the various paths taken by a program as a set of constraints on the inputs' values. By leveraging solvers, given a particular path, it is possible to automatically derive the inputs necessary to reach a specific point in a program. This "magic" allows, for example, the automated derivation of values that would deobfuscate a specific sample, savings hours of manual work.
In this presentation, we introduce a new tool, called Symbexcel, that implements a Symbolic Executor for Excel 4 macros and various plugins that support the analysis of highly obfuscated and evasive malicious samples.
Presenters:
-
Stefano Ortolani
- Threat Researcher, VMware
Stefano Ortolani is Threat Research Lead at VMware, formerly Director of Threat Research at Lastline, where he joined in 2015 as a security researcher. He spends his time researching bespoke approaches to investigate and classify cyber tradecraft, and making sure none are left uncharted. Contributor to product development, he is also a regular speaker at technical conferences. Prior to that he was part of the Global Research and Analysis Team at Kaspersky Lab, in charge of fostering operations with CERTs, governments, universities, and law enforcement agencies, as well as conducting research of the global threat landscape. He received his PhD in computer science from VU University Amsterdam.
-
Nicola Ruaro
- Researcher, UCSB
Nicola Ruaro is a graduate student at the University of California in Santa Barbara. His research interests revolve around the areas of binary analysis and malware analysis. He loves playing Capture The Flag (CTF) competitions and is a proud member of the hacking team Shellphish.
-
Fabio Pagani
- Researcher, UCSB
Fabio Pagani is a postdoctoral researcher in the Computer Science Department at the University of California, Santa Barbara (UCSB). His current research interests focus on several aspects of systems security: automated vulnerability discovery, human-assisted cyber reasoning systems, and malware analysis are all topics that spark his curiosity. He earned a PhD at EURECOM (France), where he investigated how non-atomic acquisitions impact the consistency of memory dumps, how to discover and to assess the quality of memory forensics heuristics, and how to automatically generate profiles for memory forensics.<br>
-
Giovanni Vigna
- Sr. Director of Threat Intelligence, VMware
Giovanni Vigna is a Professor in the Department of Computer Science at the University of California in Santa Barbara, and the Sr. Director of Threat Intelligence at VMware. Giovanni Vigna is also the founder of the Shellphish hacking group, who has participated in more DEF CON CTF competitions than any other group in history. His research interests include malware analysis, vulnerability assessment, the underground economy, binary analysis, web security, and the applications of machine learning to security problems. He is known for organizing and running, since 2003, a yearly Capture The Flag hacking contest, called iCTF, that every year involves dozens of teams around the world. He is an IEEE Fellow and an ACM Fellow.
Links:
Similar Presentations: