Recently, SecureState researchers discovered that Gmail's security feature for detecting malicious macros can be bypassed simply by splitting "trigger words" in half or across lines.
Macros are script snippets attached to Office documents that can execute and automate a series of tasks if the user allows them to run. They were created to simplify routine work, but almost since their introduction they have been abused by malware authors to carry out malicious operations that end with malware installed on the targeted system.
Microsoft responded by blocking the automatic execution of these scripts, and email providers began scanning file attachments for documents that contain macro code.
According to SecureState, Gmail immediately flags an Office document as malicious if its macro uses certain sensitive words. In their tests, Gmail identified an Excel file as malicious when the macro code contained the word "powershell," the name of Microsoft's powerful scripting utility, which macros may call to interact with the underlying Windows OS.
What surprised the researchers most was that separating the word, either by placing it on two lines or by splitting it into two string literals, successfully bypasses Gmail's filter. An attacker who knows this trick only needs to adapt the macro so that any reference to the PowerShell utility is spread over two separate lines:
' The two assignments reassemble "powershell.exe ..." at run time, so no single
' line or string literal contains the filtered word
Str = "powershe"
Str = Str + "ll.exe -NoP -sta -NonI -W Hidden -Enc JAB3"
In addition, SecureState researcher Mike Benich reports that Gmail flags as malicious any macro in an Excel file that runs from the "workbook open" event (the VBA Workbook_Open handler). He says he was able to bypass this check as well, simply by moving the malicious code into a button's click handler.
The malicious code then does not run as soon as the user enables macros or editing in the tainted Excel document, but only after the user presses that button. Since Excel workbooks are often complex, users are accustomed to clicking buttons, for example to summarize a large table as a chart, so such a button does not look out of place in the course of their normal work.
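The two evasions above, a keyword split across string literals or lines and the payload moved from an auto-executing event to a button handler, both defeat a scanner that only looks for literal substrings in the raw macro text. The following Python is an added example (not SecureState's tooling, and not Gmail's filter) of the kind of pre-processing a defender's attachment scanner can apply: it joins VBA line continuations, folds string values that a macro builds up across assignments, and classifies the macro's entry points so that a user-triggered control event is reported alongside auto-exec handlers. The macro samples are constructed for the example and modelled on the article's description; the trigger-word list and entry-point names are assumptions for the example, with "powershell" being the word the article says the filter keys on.

```python
import re

# Constructed sample 1: the word "powershell" is split across two assignments
# to the same variable, as described in the article (the command flags are the
# ones the article shows; the payload itself is omitted).
SAMPLE_SPLIT_MACRO = '''
Private Sub CommandButton1_Click()
    Dim Str As String
    Str = "powershe"
    Str = Str + "ll.exe -NoP -W Hidden"
    Shell Str, vbHide
End Sub
'''

# Constructed sample 2: the split is done with a VBA line continuation (" _").
SAMPLE_CONTINUATION_MACRO = '''
Private Sub CommandButton1_Click()
    Dim Cmd As String
    Cmd = "powershe" & _
          "ll.exe -NoP -W Hidden"
    Shell Cmd, vbHide
End Sub
'''

# Constructed sample 3: the unsplit form that a literal substring check catches.
SAMPLE_AUTO_OPEN_MACRO = '''
Private Sub Workbook_Open()
    Shell "powershell.exe -NoP -W Hidden", vbHide
End Sub
'''

# Assumed keyword list for this example ("powershell" is from the article).
TRIGGER_WORDS = ("powershell", "wscript.shell", "createobject")
# Assumed list of auto-executing Office macro entry points.
AUTO_EXEC = ("workbook_open", "auto_open", "document_open", "autoopen")
CONTROL_EVENT = re.compile(
    r"^\s*(?:private\s+|public\s+)?sub\s+(\w+)_(click|change)\s*\(", re.I)
SUB_DECL = re.compile(r"^\s*(?:private\s+|public\s+)?sub\s+", re.I)
STRING_LIT = re.compile(r'"((?:[^"]|"")*)"')
ASSIGN = re.compile(r"^\s*(?:set\s+)?(\w+)\s*=\s*(.*)$", re.I)


def naive_contains(src, word):
    """Models the literal-substring check the article says the filter applied."""
    return word.lower() in src.lower()


def join_continuations(src):
    """Merge VBA statements that continue onto the next line with a trailing ' _'."""
    return re.sub(r"\s+_\s*\r?\n\s*", " ", src)


def fold_strings(src):
    """Reconstruct string values a macro assembles incrementally.

    Returns a dict mapping lower-cased variable name -> concatenation of every
    literal assigned to it, honouring Var = Var + "..." and Var = Var & "..."
    self-appends and "a" + "b" concatenations on one (joined) line.
    """
    values = {}
    for line in join_continuations(src).splitlines():
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1).lower(), m.group(2)
        lits = [lit.replace('""', '"') for lit in STRING_LIT.findall(rhs)]
        if not lits:
            continue
        self_ref = re.match(rf"\s*{re.escape(name)}\s*[+&]", rhs, re.I)
        joined = "".join(lits)
        values[name] = (values.get(name, "") + joined) if self_ref else joined
    return values


def scan_macro(src):
    """Return trigger words found (raw or reconstructed) and entry-point kinds."""
    findings = {"trigger_words": [], "entry_points": []}
    haystacks = [src.lower()] + [v.lower() for v in fold_strings(src).values()]
    for word in TRIGGER_WORDS:
        if any(word in h for h in haystacks):
            findings["trigger_words"].append(word)
    for line in src.splitlines():
        if not SUB_DECL.match(line):
            continue
        low = line.lower()
        if any(name in low for name in AUTO_EXEC):
            findings["entry_points"].append("auto-exec")
        elif CONTROL_EVENT.match(line):
            findings["entry_points"].append("user-triggered control event")
    return findings


if __name__ == "__main__":
    for label, sample in (("split", SAMPLE_SPLIT_MACRO),
                          ("continuation", SAMPLE_CONTINUATION_MACRO),
                          ("auto-open", SAMPLE_AUTO_OPEN_MACRO)):
        print(label, "naive:", naive_contains(sample, "powershell"),
              "folded:", scan_macro(sample))
```

The point of the example is the contrast: `naive_contains` is false for both split samples and true only for the unsplit one, whereas `scan_macro` reports "powershell" for all three because it matches against the reconstructed string values as well as the raw text. Treating a trigger word inside a button's click handler as no less suspicious than one inside Workbook_Open closes the second gap the article describes; the scanner reports the entry-point kind so an analyst can see which case they are looking at.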