
The LOLBAS list of legitimate Windows scripts and binaries that attackers can abuse is about to gain the main executables of two widely used Microsoft applications, the Outlook email client and the Access database manager.
The main executable of Microsoft Publisher has already been confirmed to be able to download payloads from a remote server.
LOLBAS, short for Living-off-the-Land Binaries and Scripts, refers to legitimate, typically signed files that either ship with the Windows operating system or are downloaded from Microsoft.
Attackers can abuse these legitimate tools during post-exploitation to download and/or execute payloads without triggering security controls, since the activity comes from trusted, expected software.
Recent research shows that executables not signed by Microsoft can also serve attackers in roles such as reconnaissance.
Microsoft Office binaries
The LOLBAS project currently lists more than 150 Windows-related binaries, scripts, and libraries that can help attackers execute or download malicious files or bypass application allow-lists.
Nir Chako, a security researcher at Pentera, a company that offers an automated security validation platform, recently began hunting for new LOLBAS files by examining the executables in the Microsoft Office suite.
By examining them manually, Chako found three (MsoHtmEd.exe, MSPub.exe, and ProtocolHandler.exe) that could be used to download third-party files, which meets the LOLBAS criteria for a downloader.
In a video shared with BleepingComputer, the researchers showed MsoHtmEd connecting to a test HTTP server with a GET request, indicating an attempt to download a test file.
Digging further, Chako found that MsoHtmEd could also be used to execute files.
Encouraged by this initial success, and with a manual method for identifying suitable files in hand, Chako wrote a script to automate the check so that a larger pool of executables could be screened faster.
Chako said the automation turned up six additional downloaders, for a total of nine new findings, nearly a 30% increase in the official LOLBAS downloaders list.
In a blog post published today, Chako describes the improvements to the script that let it enumerate the binaries on a Windows system and test them for download capabilities beyond their intended purpose.
In the end, the Pentera researcher identified 11 new files with download and execute capabilities that meet the LOLBAS project's criteria.
The most notable are MSPub.exe, Outlook.exe, and MSAccess.exe, which, according to Chako, an attacker or a penetration tester could use to download third-party files.
While MSPub has been verified to download arbitrary payloads from a remote server, the other two have yet to be added to the LOLBAS list. Chako told BleepingComputer that their absence is due to a technical mistake rather than a problem with the findings.
Chako said he mistakenly submitted three identical pull requests, so the findings have to be resubmitted properly before they are officially incorporated into the project. Despite this administrative slip, Chako expects them to be included.
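The workflow the preceding paragraphs describe (launch a candidate binary with a URL, watch a throwaway HTTP listener for the GET, then automate that check across many executables) is shown below as an added example. This is illustrative code written for this article, not Pentera's script, and its results are no substitute for the project's own review. It assumes each candidate accepts the URL as its sole command-line argument, which is the form the MsoHtmEd video suggests; binaries that need a flag would need their own argv template. The Office directory in the `__main__` block is a placeholder assumption, and the two "control" candidates exist only to prove the harness itself works. Run it in a disposable VM: launching dozens of Office executables will open GUI windows, and some will not exit before the timeout.

```python
"""Automated 'downloader' check for candidate executables.

Illustrative example written for this article, not Pentera's script.
Each candidate is launched with a URL pointing at a throwaway loopback HTTP
listener; a random token in the URL path identifies which candidate actually
issued a GET request, mirroring the test-server check shown in the video.
"""
import pathlib
import subprocess
import sys
import threading
import time
import uuid
from http.server import BaseHTTPRequestHandler, HTTPServer


def start_listener():
    """Start a loopback HTTP server on a free port.

    Returns (server, hits, base_url); hits collects every requested path.
    """
    hits = []

    class Recorder(BaseHTTPRequestHandler):
        def do_GET(self):
            hits.append(self.path)
            self.send_response(200)            # empty 200 so the caller's fetch completes
            self.send_header("Content-Length", "0")
            self.end_headers()

        def log_message(self, *args):          # keep the console quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Recorder)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, hits, f"http://127.0.0.1:{server.server_address[1]}"


def probe(argv_template, base_url, hits, timeout=5.0):
    """Launch one candidate and report whether it fetched its tokenised URL.

    argv_template: argv list in which the string "{url}" is replaced by the
    per-candidate test URL. Returns True if the listener saw a GET carrying
    the token, False otherwise (including when the binary cannot be started).
    """
    token = uuid.uuid4().hex
    argv = [a.replace("{url}", f"{base_url}/{token}") for a in argv_template]
    try:
        subprocess.run(argv, timeout=timeout, stdin=subprocess.DEVNULL,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except subprocess.TimeoutExpired:
        pass          # GUI binaries may never exit; any request was sent long before
    except OSError:
        return False  # missing, not executable, or blocked by policy
    time.sleep(0.2)   # let the listener thread finish recording a late request
    return any(token in path for path in hits)


def enumerate_candidates(roots, suffixes=(".exe",)):
    """Walk directories and yield executables, by extension, as argv templates.

    Assumption: the candidate takes the URL as its sole argument; binaries
    that need a flag must be given their own template instead.
    """
    for root in roots:
        for p in pathlib.Path(root).rglob("*"):
            if p.is_file() and p.suffix.lower() in suffixes:
                yield [str(p), "{url}"]


def scan(candidates, timeout=5.0):
    """Probe every argv template; return the ones that fetched the test URL."""
    server, hits, base_url = start_listener()
    try:
        return [argv for argv in candidates if probe(argv, base_url, hits, timeout)]
    finally:
        server.shutdown()
        server.server_close()


# Control candidates that exercise the harness itself on any OS:
# one known to fetch its argument, one that does nothing with it.
FETCH_CONTROL = [sys.executable, "-c",
                 "import sys, urllib.request; urllib.request.urlopen(sys.argv[1]).read()",
                 "{url}"]
NOOP_CONTROL = [sys.executable, "-c", "pass", "{url}"]


if __name__ == "__main__":
    # Placeholder Office directory (an assumption); pass real paths on the command line.
    roots = sys.argv[1:] or [r"C:\Program Files\Microsoft Office\root\Office16"]
    found = scan([FETCH_CONTROL, NOOP_CONTROL] + list(enumerate_candidates(roots)))
    for argv in found:
        print("downloader candidate:", argv[0])
```

The per-candidate token matters: without it, a single stray request from any process on the host would be attributed to whichever binary happened to be running, so every positive result would need manual re-checking. A positive here only means the binary issued an HTTP GET for an attacker-supplied URL; whether the fetched content lands on disk in a usable form, or can also be executed, still has to be confirmed by hand, as the article describes for MsoHtmEd.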