Ribbon Cutting – Running Macros with CustomUI Elements

PhishMe® Research has generally seen macro execution in PowerPoint tied to specific actions and events, such as a mouse interaction with an object or custom actions. But the “Ribbon Cutting” technique uses a different method; it runs macro code by creating a UI callback that is triggered when the file is opened. Although in the example below we use PowerPoint, the technique can be used in other Office applications that support ribbon customizations.

Starting with Microsoft Office 2007, Office applications changed to use the Ribbon UI for navigation and tooling. This new UI was implemented in a way that allows application developers to extend the functionality and create customizations to Office applications or documents. The feature can be used to automatically execute macro code when a presentation file is opened, by including an embedded ribbon customization within the document.

Creating the Ribbon Element

To create a custom ribbon element, we can follow the MSDN Ribbon Specification, which allows a developer to define a custom element using XML markup (see https://msdn.microsoft.com/en-us/library/aa942866.aspx). For the purposes of code execution, all that is needed is an empty ribbon element with an onLoad event and callback. The callback is user-defined, so it can be any method within a macro module and does not need to be tied to a specific event such as onOpen or onClose.

By default, the new custom element will be located within the file customUI/customUI.xml.

The customization is referenced within the document’s relationships, which are located in the file _rels/.rels. The relationship includes the following standard attributes:

Type: The type of the relationship object.

Target: The location of the customUI file.

Id: Unique Id for the element.

In cases where the default naming has been changed, the reference can be identified by the relationship type (see http://schemas.microsoft.com/office/2006/relationships/ui/extensibility).

Once the PowerPoint file is opened, the user will see the standard Office prompt to enable active content, but—unlike with other macro execution methods seen with PowerPoint—once content is enabled, the macro code will be executed immediately without any additional user interaction with the presentation. This process is demonstrated in the GIF below:

Detecting CustomUI Elements

Defenders can detect the presence of the object by inspecting the contents of the zip archive and by looking at the reference types defined within the relationships XML. Since the ribbon feature was implemented in Office 2007, saving a document using the binary legacy format (OLE) will remove any UI customizations from the document. Additionally, PowerPoint Show files will not automatically trigger the macro, as the enable content option is not visible when in full screen show mode. PhishMe® Research also suggests the following YARA rule:

rule PM_CustomUI_Element
{
    strings:
        $header = "PK"
        $uidef = "customUI/customUI.xml"
        $mac = "vbaProject.bin"
        $uiref = "office/2006/relationships/ui/extensibility"
    condition:
        ($header at 0 and $uidef and $mac) or $uiref
}
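The YARA rule above matches on file names and strings; the inspection described in the detection section (walk the zip, resolve the customization part through its relationship type in _rels/.rels, and check the ribbon element for an onLoad callback) can also be done with a short scanner. The following is an added example, not PhishMe code; the callback name RibbonLoaded, the part name ui/ribbon.xml and the placeholder vbaProject.bin contents are constructed test values.

```python
import io
import zipfile
from xml.etree import ElementTree as ET

# Relationship type that identifies a ribbon customization part (from the post).
UI_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/ui/extensibility"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def scan_ooxml(data: bytes) -> dict:
    """Report customUI parts referenced from _rels/.rels, their onLoad callbacks, and VBA presence."""
    report = {"customui_parts": [], "onload_callbacks": [], "has_vba": False}
    if data[:2] != b"PK":
        return report  # not an OOXML zip (e.g. legacy OLE), so it cannot carry a customUI part
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        report["has_vba"] = any(n.endswith("vbaProject.bin") for n in names)
        if "_rels/.rels" not in names:
            return report
        rels = ET.fromstring(zf.read("_rels/.rels"))
        # Match on the relationship Type, not the file name, so a renamed part is still found.
        for rel in rels.iter(REL_NS + "Relationship"):
            if rel.get("Type") != UI_REL_TYPE:
                continue
            target = rel.get("Target", "").lstrip("/")
            report["customui_parts"].append(target)
            if target in names:
                callback = ET.fromstring(zf.read(target)).get("onLoad")
                if callback:
                    report["onload_callbacks"].append(callback)
    return report

def is_suspicious(report: dict) -> bool:
    """An onLoad callback together with a VBA project is the combination the post describes."""
    return bool(report["onload_callbacks"]) and report["has_vba"]

def build_sample(part_name: str = "customUI/customUI.xml") -> bytes:
    """Constructed minimal package for exercising the scanner (not a real presentation)."""
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rIdUI" Type="{UI_REL_TYPE}" Target="{part_name}"/></Relationships>')
    ui = ('<customUI xmlns="http://schemas.microsoft.com/office/2006/01/customui"'
          ' onLoad="RibbonLoaded"/>')  # empty ribbon element; only the onLoad callback matters
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("_rels/.rels", rels)
        zf.writestr(part_name, ui)
        zf.writestr("ppt/vbaProject.bin", b"placeholder bytes, not a real VBA project")
    return buf.getvalue()
```

Running scan_ooxml on build_sample("ui/ribbon.xml") shows why the relationship type is the better indicator: the renamed part would miss the $uidef string in the YARA rule but is still resolved through _rels/.rels.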

Conclusion

This is another example of using the extensibility features of Office to execute malicious content. Although there is documentation on developing customUI elements for Office applications, we have not seen much research into using these elements to trigger malicious content. Existing PhishMe Triage™ customers are protected with the rule PM_CustomUI_Element.
