Excel(ent) Obfuscation: Regex Gone Rogue

Microsoft researchers demonstrated a novel obfuscation technique leveraging new Excel regex functions to evade detection of malicious VBA macros in Office documents. This method significantly reduces antivirus detection and bypasses heuristic analysis tools, posing a growing threat to endpoint security. #MicrosoftExcel #MicrosoftOffice

Keypoints

  • Cybercriminals frequently abuse Microsoft Office documents, such as Word and Excel files, because they are widely trusted and can carry embedded malicious macros and links to external code.
  • Microsoft recently introduced regex functions in Excel that facilitate complex text parsing and manipulation, which can be weaponized for obfuscating malicious code within VBA macros.
  • A proof-of-concept demonstrated how regex functions can dynamically reconstruct malicious PowerShell commands from hidden text to evade detection by both signature-based antivirus and heuristic analyzers.
  • VirusTotal detections dropped drastically from 22 vendors flagging the plain-text macro to only 2 vendors detecting the regex-obfuscated variant, highlighting the enhanced evasion capability.
  • The standard macro analysis tool OLEVBA failed to identify high-risk indicators in the regex-obfuscated macros because the critical strings were never present in plaintext.
  • This obfuscation technique is currently limited by Office's default blocking of macro execution and by the regex functions being available only to Beta Channel users, but the risk will grow as deployment expands.
  • Defenses such as strict macro policies, advanced behavioral endpoint protection like Deep Instinct, application control, and network monitoring are recommended to mitigate these novel threats.
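The detection gap described in the key points is that the VBA source on its own looks harmless while the dangerous string is assembled at runtime by worksheet formulas. The triage script below is an added example written for this page; it is not code from the Deep Instinct write-up or from any tool the page names. It assumes the Excel regex functions in question are REGEXTEST, REGEXEXTRACT and REGEXREPLACE (the page does not name them) and that formulas sit in the `<f>` elements of the sheet XML inside the workbook zip. The heuristic, the verdict labels and the in-memory sample workbooks are the editor's own constructions, so the script runs offline without any real sample.

```python
import html
import io
import re
import zipfile
from typing import Optional

# Excel's regex worksheet functions. The page does not name them; these are the
# functions Microsoft shipped to the Beta Channel (assumption stated in the lead-in).
REGEX_FUNCS = ("REGEXTEST", "REGEXEXTRACT", "REGEXREPLACE")
# Cell formulas live in <f>...</f> elements inside xl/worksheets/sheetN.xml.
FORMULA_RE = re.compile(r"<f[^>]*>(.*?)</f>", re.S)


def build_sample_workbook(with_macro: bool, formula: Optional[str]) -> bytes:
    """Build a minimal Office Open XML zip in memory.

    Constructed test data only: just enough structure for the triage function,
    not a real workbook and not one of the samples referenced by the page's hashes.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        cell = ""
        if formula is not None:
            cell = f'<c r="A1"><f>{html.escape(formula, quote=True)}</f></c>'
        sheet = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            f'<worksheet><sheetData><row r="1">{cell}</row></sheetData></worksheet>'
        )
        zf.writestr("xl/worksheets/sheet1.xml", sheet)
        if with_macro:
            # A macro-enabled workbook carries its VBA project as an OLE stream (placeholder bytes).
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


def triage_workbook(data: bytes) -> dict:
    """Flag workbooks that pair a VBA project with regex worksheet functions.

    Tools that only read the VBA source miss strings assembled by cell formulas
    at runtime, so the combination of both is the signal worth escalating.
    """
    result = {"has_macro": False, "regex_formulas": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not (name.startswith("xl/worksheets/") and name.endswith(".xml")):
                continue
            xml = zf.read(name).decode("utf-8", errors="replace")
            for raw in FORMULA_RE.findall(xml):
                formula = html.unescape(raw)
                if any(func in formula.upper() for func in REGEX_FUNCS):
                    result["regex_formulas"].append((name, formula))
    if result["has_macro"] and result["regex_formulas"]:
        result["verdict"] = "suspicious"   # macro plus regex formulas: inspect the cells the VBA reads
    elif result["has_macro"]:
        result["verdict"] = "macro-only"   # hand to OLEVBA or a sandbox as usual
    elif result["regex_formulas"]:
        result["verdict"] = "review"       # regex formulas without a macro are usually benign
    return result


if __name__ == "__main__":
    samples = {
        "macro + regex": build_sample_workbook(True, 'REGEXEXTRACT(B1,"[A-Za-z]+")'),
        "macro only": build_sample_workbook(True, None),
        "plain formula": build_sample_workbook(False, "SUM(A2:A9)"),
    }
    for label, doc in samples.items():
        print(label, "->", triage_workbook(doc)["verdict"])
```

The "suspicious" verdict is deliberately a routing decision rather than a malware call: it tells an analyst to look at which cells the macro reads and what the regex formulas in those cells resolve to, which is exactly the step a VBA-only scan skips.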

MITRE Techniques

  • [T1059.001] PowerShell – Used VBA macros to execute PowerShell commands that download and run remote batch files. “…uses the ‘WScript.Shell’ object to execute PowerShell commands…”
  • [T1140] Deobfuscate/Decode Files or Information – Employed regex functions to dynamically reconstruct obfuscated malicious code at runtime, evading static and heuristic detection. “…this approach stores and dynamically reconstructs malicious code components using regular expression pattern matching…”
  • [T1204] User Execution – Relied on social engineering tactics to trick users into enabling macros despite default security blocks. “…users are tricked into enabling features like macros…”
  • [T1566] Phishing – Used familiar Office document formats like invoices and resumes to deliver malicious payloads via phishing attacks. “…since Office files are familiar to users and often appear legitimate…they’re highly effective tools in phishing and social engineering attacks.”

Indicators of Compromise

  • [File Hash] Malicious VBA macro-enabled Excel files used in the proof-of-concept – dedbe856891dd633ce3dd66ecc120ef4f1ae0a61a37dbb4cc6a59f7eae7019d9, 2c99e702609d549440952ef72f2386a74e0da1462df65ab4206f44c94e8dbc72, and 5af1bd3d95e6307d95e9973aa4a084ae210f9038cbea2235d14b02d97abd4f2b
  • [Domain] Hosting remote payloads – Pastebin was used to host the batch files that the PowerShell commands downloaded and executed.


Read more: https://www.deepinstinct.com/blog/excellent-obfuscation-regex-gone-rogue
