By: Jason Zhang, Stefano Ortolani – VMware Threat Analysis Unit
Office documents, such as Word and Excel files, can be password-protected using a symmetric key encryption mechanism involving one password which is the key to both encrypt and decrypt a file. Malware writers use this key as an additional evasion technique to hide malicious code from anti-virus (AV) scanning engines. The problem is that encrypting a file introduces the disadvantage of requiring a potential victim to enter a password (which is normally included in the phishing or spam email containing the encrypted attachment). This makes the email and the attachment very suspicious, thus greatly reducing the chance that the intended victim will open the encrypted malicious attachment.
The good news (for the attackers) is that Microsoft Excel can automatically decrypt a given encrypted spreadsheet without asking for a password if the password for encryption happens to be VelvetSweatshop. This is a default key stored in Microsoft Excel program code for decryption. It’s a neat trick that attackers can leverage to encrypt malicious Excel files in order to evade static-analysis-based detection systems, while eliminating the need for a potential victim to enter a password.
The embedded VelvetSweatshop key in Excel is not a secret. It has been widely reported for many years [1], [2]. This leads to an inevitable question: how effective are modern AV scanning engines at dealing with encrypted malicious Excel files?
In this blog post, we attempt to answer the question by looking into some malicious Excel files associated with a series of recent attacks that exploit the not-so-new CVE-2017-11882, detected by VMware NSX. First, we present some statistics and telemetry data for the CVE-2017-11882 exploit. We then take some Excel samples exploiting CVE-2017-11882 from recent attacks, and check how the detection rate on VirusTotal changes when the samples are decrypted (if the samples found in the wild were initially encrypted) or encrypted (if the samples found in the wild were initially not-encrypted).
The CVE-2017-11882 Exploit
CVE-2017-11882 is a memory corruption vulnerability in Microsoft Equation Editor [3]. Though it has been patched for a few years, it remains a favorite exploit for threat actors carrying out attacks [4], [5]. Figure 1 shows the file type distribution of the exploit based on the last six months of telemetry data from VMware NSX. As shown, the attackers used various file types with and without encryption to exploit the vulnerability. It’s not unusual that the adversaries attempted to evade defences by exploring different file types with various techniques. The statistics show that encrypted Word files dominated the chart with 47% of the attacks, followed by non-encrypted Excel files (25%) and encrypted Excel files (11%).
The chart implies that encrypted Excel files still play an important part in CVE-2017-11882-related attacks. Figure 2 shows the detection timeline of encrypted Excel files exploiting the vulnerability in the past few weeks, which affected some of our customers. The number of detections varies, but we saw such attacks every week during this period.
Interestingly, all the samples were encrypted with the same password, VelvetSweatshop, as the one shown in Table 1.
Table 1: An encrypted Excel sample exploiting CVE-2017-11882.
File name: Proforma Invoice.xlsx
The OLE objects inside the sample can be visualized using the OLE parsing tool from Microsoft [6], as shown in the following figure. The root entry highlighted in blue indicates the file is encrypted. In this case, Microsoft Excel can automatically open the file using the default VelvetSweatshop key.
We performed our encryption test in two parts. First, we selected 10 encrypted samples detected by VMware NSX (as listed in Appendix Table 2). All the samples were initially encrypted with the VelvetSweatshop password and detected by NSX on or about October 9, 2020.
Then, we decrypted the samples to determine how the detection rate changes on VirusTotal with or without encryption. Figure 4 shows the detection rate on VirusTotal for the 10 samples before and after decryption. The number of AV scanning engines triggered on VirusTotal is around 60 for each sample. As we can see, the detection rate for the encrypted samples is 55% – 60%, which corresponds to around 33 – 36 AV engines, except for one sample which has a detection rate below 40%. The detection rate for the decrypted samples is 40% – 50%, which is slightly poorer than the encrypted ones. The likely reason is that the encrypted samples have been known to the AV scanning engines for over two weeks, since they were released to the public on October 9, 2020, which provides sufficient time for the AV vendors to improve their detection. On the other hand, when we decrypted the samples and uploaded them to VirusTotal on October 27, 2020, the freshly decrypted samples were able to break certain signature-heavy AV engines.
In the second part of the test, we used 10 malicious but non-encrypted Excel samples found in the wild, as listed in Table 3. All of these samples exploit the CVE-2017-11882 vulnerability as well. We then encrypted the samples with the infamous password VelvetSweatshop.
It’s worth noting that Microsoft introduced their first Office product over three decades ago, and the old versions of Office used less powerful encryption algorithms, as compared to more recent versions introduced since 2013. In Office 2013, 2016, and 2019, Microsoft employs AES-128 or AES-256 for encryption [7]. We tested both the AES-128 and the AES-256 encryption algorithms. The test procedure is outlined below:
- We selected 10 non-encrypted Excel samples exploiting CVE-2017-11882 found in the wild, as listed in Table 3;
- We applied AES-128 and AES-256 encryption, as appropriate, using the sample password VelvetSweatshop. The resulting encrypted 20 samples are listed in Table 4 and Table 5 in the Appendix;
- We checked the samples’ detection rate on VirusTotal before and after applying encryption.
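The following script is an added example, not code from VMware, from the OLE parsing tool cited above, or from Microsoft. It performs the check a scanner must make before the default VelvetSweatshop key can even be tried: it reads the compound-file structure directly (the same streams the OLE viewer displays under the root entry), reports whether the container holds an OOXML EncryptionInfo/EncryptedPackage pair, and identifies the scheme and key size from the EncryptionInfo header, so the AES-128 and AES-256 cases discussed in the test procedure can be told apart. The header layout and AlgID constants follow the ECMA-376 / MS-OFFCRYPTO structures; `build_cfb` and `samples` are constructed fixtures that write synthetic containers with no real document or payload, so the triage runs offline.

```python
"""Triage an OLE compound file for Office encryption. Added example, not VMware or Microsoft code;
the CFB v3 reader follows only the 109 header DIFAT entries (enough for files under roughly 7 MB)."""
import re, struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF  # FREESECT also serves as NOSTREAM
DIRENT = "<64sHBBIII16sIQQIQ"                                       # one 128-byte directory entry
ALG_NAMES = {0x6801: "RC4", 0x660E: "AES-128", 0x660F: "AES-192", 0x6610: "AES-256"}  # standard-scheme AlgID
_ints = lambda b: struct.unpack_from(f"<{len(b) // 4}I", b)

class Cfb:
    def __init__(self, data):
        if data[:8] != MAGIC:
            raise ValueError("not an OLE compound file")
        self.ss, self.ms = (1 << s for s in struct.unpack_from("<HH", data, 30))   # sector / mini sector size
        self._sector = lambda n: data[(n + 1) * self.ss:(n + 2) * self.ss]
        n_fat = struct.unpack_from("<I", data, 44)[0]
        first_dir, _, self.cutoff, first_minifat, n_minifat = struct.unpack_from("<5I", data, 48)
        self.fat = _ints(b"".join(self._sector(s) for s in struct.unpack_from("<109I", data, 76)[:n_fat]))
        self.entries = []                                  # (name, type, start sector, size)
        raw = self._chain(first_dir, 1 << 62, self.fat, self._sector)
        for off in range(0, len(raw), 128):
            f = struct.unpack_from(DIRENT, raw, off)
            if f[2] in (1, 2, 5):                          # storage, stream, root; 0 marks an unused slot
                size = f[12] & 0xFFFFFFFF if self.ss == 512 else f[12]   # v3 files use the low dword only
                self.entries.append((f[0][:max(f[1] - 2, 0)].decode("utf-16-le", "replace"), f[2], f[11], size))
        root = self.entries[0]                             # the root entry's own stream is the mini stream
        self.mini = self._chain(root[2], root[3], self.fat, self._sector)
        self.minifat = _ints(self._chain(first_minifat, n_minifat * self.ss, self.fat, self._sector))

    def _chain(self, start, size, table, read):           # walk a FAT or mini FAT chain, loop-safe
        out, n, seen = bytearray(), start, set()
        while n <= 0xFFFFFFFA and n < len(table) and n not in seen:
            seen.add(n); out += read(n); n = table[n]
        return bytes(out[:size])

    def stream(self, name):
        for ename, etype, start, size in self.entries:
            if etype == 2 and ename == name:
                if size < self.cutoff:                     # small streams are carved out of the mini stream
                    return self._chain(start, size, self.minifat, lambda n: self.mini[n * self.ms:(n + 1) * self.ms])
                return self._chain(start, size, self.fat, self._sector)
        return None

def encryption_scheme(data):
    """None for an unencrypted container, else a label for the OOXML encryption scheme found."""
    cfb = Cfb(data)
    info = cfb.stream("EncryptionInfo")
    if info is None or cfb.stream("EncryptedPackage") is None:
        return None
    major, minor = struct.unpack_from("<HH", info, 0)
    if (major, minor) == (4, 4):                           # agile: XML descriptor after an 8-byte header
        m = re.search(rb'<keyData[^>]*keyBits="(\d+)"', info[8:])
        return f"OOXML agile encryption, AES-{m.group(1).decode() if m else '?'}"
    if minor == 2:                                         # standard/CryptoAPI: binary header, AlgID at offset 20
        return f"OOXML standard encryption, {ALG_NAMES.get(struct.unpack_from('<I', info, 20)[0], 'unknown')}"
    return f"OOXML encryption, unrecognised version {major}.{minor}"

def build_cfb(streams):
    """Constructed fixture writer: a minimal v3 compound file holding `streams` ({name: bytes})."""
    (SS, MS, CUT), sectors, fat = (512, 64, 4096), [], []
    def add(blob):                                         # append one regular-sector chain, return its start
        first, n = len(sectors), max(1, -(-len(blob) // SS))
        for i in range(n):
            sectors.append(blob[i * SS:(i + 1) * SS].ljust(SS, b"\0"))
            fat.append(first + i + 1 if i < n - 1 else ENDOFCHAIN)
        return first
    def ent(name, etype, right, child, start, size):
        n = name.encode("utf-16-le") + b"\0\0"
        return struct.pack(DIRENT, n.ljust(64, b"\0"), len(n), etype, 1, FREESECT, right, child,
                           b"\0" * 16, 0, 0, 0, start, size)
    mini, minifat, directory = bytearray(), [], b""
    for i, (name, blob) in enumerate(streams.items()):
        if len(blob) < CUT:                                # small streams go into the mini stream
            first, n = len(minifat), max(1, -(-len(blob) // MS))
            mini += blob.ljust(n * MS, b"\0")
            minifat += [first + j + 1 for j in range(n - 1)] + [ENDOFCHAIN]
        else:
            first = add(blob)
        directory += ent(name, 2, i + 2 if i + 1 < len(streams) else FREESECT, FREESECT, first, len(blob))
    directory = ent("Root Entry", 5, FREESECT, 1, add(bytes(mini)), len(mini)) + directory
    first_dir = add(directory)
    first_minifat = add(struct.pack(f"<{len(minifat)}I", *minifat).ljust(SS, b"\xff"))
    fat.append(FATSECT)                                    # the FAT sector describes itself and is placed last
    sectors.append(struct.pack(f"<{len(fat)}I", *fat).ljust(SS, b"\xff"))
    header = struct.pack("<8s16sHHHHH6s9I", MAGIC, b"\0" * 16, 0x3E, 3, 0xFFFE, 9, 6, b"\0" * 6,
                         0, 1, first_dir, 0, CUT, first_minifat, 1, ENDOFCHAIN, 0)
    return header + struct.pack("<109I", len(sectors) - 1, *[FREESECT] * 108) + b"".join(sectors)

def samples():
    """Constructed containers, not real documents or malware: EncryptionInfo holds only the inspected fields."""
    package = struct.pack("<Q", 4096) + bytes(4992)        # >= 4096 bytes, so it occupies regular sectors
    agile = struct.pack("<HHI", 4, 4, 0x40) + b'<encryption><keyData keyBits="256" cipherAlgorithm="AES"/></encryption>'
    standard = struct.pack("<HHII", 3, 2, 0x24, 0x40) + struct.pack("<8I", 0x24, 0, 0x660E, 0x8004, 128, 0x18, 0, 0)
    return {"xlsx_agile_aes256": build_cfb({"EncryptionInfo": agile, "EncryptedPackage": package}),
            "xlsx_standard_aes128": build_cfb({"EncryptionInfo": standard, "EncryptedPackage": package}),
            "ole_plain": build_cfb({"Workbook": bytes(32)})}
```

Call `encryption_scheme(open(path, "rb").read())` on a suspect container; the three constructed samples return `OOXML agile encryption, AES-256`, `OOXML standard encryption, AES-128` and `None`. Legacy BIFF8 workbooks (.xls) signal encryption differently, through a FilePass record inside the Workbook stream, which this version does not inspect. Once the scheme is known, the default-password attempt itself (key derivation plus AES) belongs in a maintained implementation such as the third-party msoffcrypto-tool rather than in a scanner's own code, and an engine that stops at this point, as several of the evaluated engines appear to, never sees the payload at all.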
The test results are shown in Figure 5. As we can see, the non-encrypted samples had a detection rate in the range of 50% – 65% (blue line) from approximately 60 AV scanning engines. In contrast, the samples encrypted with AES-128 had detection rates of 15% – 30%, which is more than 50% lower than the detection rate for the non-encrypted samples. Interestingly, the AES-256 encrypted samples seem to evade detection from most of the AV engines, with less than 15% of the scanners able to block the encrypted samples. This implies that most of the AV scanning engines become less efficient in blocking samples with stronger encryption, even though the very same encryption password VelvetSweatshop is used.
To find out how individual AV vendors perform with the test, we examined test results from 12 well-known AV scanning engines, termed AV-0, AV-1, …, AV-11. The results are shown in Figure 6, where each colored segment in each bar represents the number of detections by a particular AV engine for the 10 test samples in the category. As we can see, 5 AV engines completely failed when tested with AES-128 or AES-256 encrypted samples. Only one engine was able to block all samples, either with or without encryption, and that’s AV-3. AV-0, AV-3, and AV-7 managed to block most of the samples in each category, with only one sample missed. AV-11 detected 9 samples, whether the samples were protected with AES-128 or AES-256 encryption, but it missed 4 non-encrypted samples. The other two engines, AV-2 and AV-5, blocked all non-encrypted samples and samples with AES-128 encryption, but completely missed samples with AES-256 encryption.
In this report, we investigated the effectiveness of modern AV scanning engines in blocking malicious Excel files when encrypted with the default VelvetSweatshop password that’s embedded in Microsoft Excel program code. Our tests using encrypted Excel samples from recent attacks exploiting CVE-2017-11882 demonstrated that many AV engines available on VirusTotal failed to decrypt and block the encrypted samples, even though the encryption password is the infamous VelvetSweatshop key. Further, as both Figure 5 and Figure 6 show, the evaluated AV engines become even less effective when stronger encryption (with the same encryption key) is applied to the test samples. As a result, to defeat malware writers using the trick of encrypting malware with the default VelvetSweatshop key in Excel, AV scanning engines need to be improved and robust enough to successfully decrypt and block such encrypted malicious files.
[1] M.-J. Kroese, “Microsoft Office and it’s VelvetSweatshop password protected files,” 22 8 2012. [Online]. Available: https://meindertjan.com/2012/08/22/microsoft-offic-and-its-velvetsweatshop-password-protected-files/.
[2] P. Baccas, “When is a password not a password? When Excel sees “VelvetSweatshop”,” 11 4 2013. [Online]. Available: https://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/.
[3] Microsoft, “CVE-2017-11882 | Microsoft Office Memory Corruption Vulnerability,” 14 11 2017. [Online]. Available: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882.
[4] S. Sarkar and S. Ortolani, “Evading Static Analyzers by Solving the Equation (Editor),” 12 7 2018. [Online]. Available: https://www.lastline.com/labsblog/evading-static-analyzers-by-solving-the-equation-editor/.
[5] V. Pidathala, “Equation Editor—Attackers continue to exploit CVE-2017-1182….,” 30 6 2020. [Online]. Available: https://www.menlosecurity.com/blog/equation-editor-attackers-continue-to-exploit-cve-2017-1182.
[6] Microsoft, “Announcing OffVis 1.0 Beta,” 31 07 2019. [Online]. Available: https://msrc-blog.microsoft.com/2009/07/31/announcing-offvis-1-0-beta/.
[7] O. Afonin, “Microsoft Office encryption evolution: from Office 97 to Office 2019,” 31 10 2019. [Online]. Available: https://blog.elcomsoft.com/2019/10/microsoft-office-encryption-evolution-from-office-97-to-office-2019/.
Table 2: SHA256: Encrypted Excel samples exploiting CVE-2017-11882.
Table 3: SHA256: Not-password-protected Excel samples exploiting CVE-2017-11882.
Table 4: SHA256: AES-128 encrypted with password ‘VelvetSweatshop’ for the samples in Table 3.
Table 5: SHA256: AES-128 encrypted with password ‘VelvetSweatshop’ for the samples in Table 3.