Stats & Trends
David Bisson
May 2018

Researcher Runs Coinhive Cryptominer in Excel Just Days After Microsoft Announces JavaScript Custom Functions


Within days of Microsoft's announcement that custom JavaScript functions are coming to Excel, one researcher's cryptomining PoC suggests security concerns are well-justified.

Microsoft made big news at Build 2018 when it announced JavaScript custom functions for Excel. Developers can use custom functions to work alongside, and thereby potentially extend, Excel's built-in formulas such as =SUM() and =LOOKUP(). Once created, the functions will work on a PC, Mac, Excel Online, and everywhere else add-ons work.

Michael Saunders and Johnnie Thomas, PM managers for Excel, explained in a blog post that the move is a response in part to Office developers who have been wanting to write JavaScript custom functions for some time in order to perform mathematical calculations, retrieve information from the web, and stream live data in Excel. That's not to say developers currently lack the ability to use scripts within Excel. The Office program does support Visual Basic for Applications (VBA), after all, and some developers are urging Microsoft to support Python, too. Even so, JavaScript custom functions broaden the types of things developers can do in Excel.

Developers can create a custom function at https://aka.ms/customfunctions. As discussed in a detailed overview guide, this build process ultimately creates several files: a .JS file containing the custom function code, a .JSON file that describes the function to Excel, and a .HTML file containing a <Script> reference to the .JS file. A .XML manifest file is responsible for telling Excel the location of these three resources.

Here's a custom function in action:

[Screenshot: excel-custom-function]

The code for this function, named "ADD42," is as follows:

// Adds the two cell arguments together, then adds 42
function ADD42(a, b) {
  return a + b + 42;
}

Formula for disaster?

JavaScript custom functions will undoubtedly expand developers' toolsets in Excel. Of course, not all developers are benevolent in nature, which means the new capabilities could benefit bad actors, too. Security blogger and researcher Graham Cluley instantly recognized this possibility.

“I can think of a few more examples that maliciously-minded developers might be keen to try out. But hey, nothing bad could come of this, surely!”

Graham Cluley, "Bad Guys Have Something New to Play With! Microsoft Excel Adds Support for JavaScript" 

It wasn't long before others were voicing similar concerns.

Cryptomining from Excel

Building off that last tweet, security researcher Charles Dardaman offered to buy anyone a drink if they could present cryptocurrency mining within Excel at the next Dallas Hackers meeting.

This offer piqued Dardaman's curiosity about the feasibility of running a program like Coinhive, a malicious Monero miner, within Excel. So the security researcher got to work. As he recounted in a blog post published on his personal site:

I started to read Microsoft’s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.

Dardaman set Coinhive to run at a threshold of 50, meaning it would use 50 percent of a computer's CPU power whenever someone opened the document. He could have configured the malicious miner to use even more resources, but doing so could have raised a red flag whenever someone tried to access the document.

As he told Bleeping Computer, the security researcher was surprised at how well the custom function for Coinhive persisted. He noted that, "if I add the function in and then save the Excel sheet when I reopen it will automatically run the function again."

Attacks to come and precautions to take

At this time, Dardaman's program is just a proof-of-concept and is not a viable attack option (among other constraints, the JavaScript custom functions feature is currently only available to members of Microsoft's Office Insiders program). But given the ease and speed with which he created the custom function for Coinhive, the security researcher anticipates bad actors will use these capabilities to develop new ways of attacking users.

JavaScript files are already the second-most prevalent type of malicious attachment used in spam campaigns, and there are multiple variants of ransomware and other malware that are pure JavaScript. Attackers don’t need to try very hard to come up with possibilities.

For those reasons, Dardaman feels enterprises need to take adequate steps to prepare themselves:

If you are a Blue Teamer, like me, wondering how to defend against such an attack, try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.

Depending on your organization's needs, options you may want to consider include restricting the ability to run scripts, or disabling Windows Script Host (which JavaScript and VBScript scripts rely on) altogether.
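A small review helper, added here as an example (it is not code from the article, from Dardaman, or from Microsoft): it reads the .XML manifest described earlier, resolves the Script, Page and Metadata entries to the URLs Excel would load the .JS, .HTML and .JSON files from, and reports which hosts serve that code and which pieces would be fetched over plain HTTP, so a team can inventory custom-function add-ins before allowing them. The manifest shape (SourceLocation resid references resolved through bt:Url entries) follows the Office add-in manifest format; the sample manifest, its ids and its hostnames are constructed placeholders.

```javascript
// Constructed sample manifest (placeholder ids and URLs). Real manifests nest
// ExtensionPoint under Hosts/Host/AllFormFactors; that wrapping is omitted here.
const SAMPLE_MANIFEST = `
<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1">
  <VersionOverrides>
    <ExtensionPoint xsi:type="CustomFunctions">
      <Script><SourceLocation resid="JS-URL"/></Script>
      <Page><SourceLocation resid="HTML-URL"/></Page>
      <Metadata><SourceLocation resid="JSON-URL"/></Metadata>
    </ExtensionPoint>
  </VersionOverrides>
  <Resources>
    <bt:Urls>
      <bt:Url id="JS-URL" DefaultValue="https://addin.example.com/functions.js"/>
      <bt:Url id="HTML-URL" DefaultValue="http://cdn.example.net/functions.html"/>
      <bt:Url id="JSON-URL" DefaultValue="https://addin.example.com/functions.json"/>
    </bt:Urls>
  </Resources>
</OfficeApp>`;

// Map each <bt:Url id="..." DefaultValue="..."> entry to its id.
function urlTable(manifest) {
  const table = {};
  const re = /<bt:Url\s+id="([^"]+)"\s+DefaultValue="([^"]+)"/g;
  let m;
  while ((m = re.exec(manifest)) !== null) table[m[1]] = m[2];
  return table;
}

// Resolve the Script, Page and Metadata SourceLocations (the .JS, .HTML and
// .JSON files) to the URLs Excel will fetch them from.
function customFunctionResources(manifest) {
  const table = urlTable(manifest);
  const re = /<(Script|Page|Metadata)>\s*<SourceLocation\s+resid="([^"]+)"/g;
  const out = [];
  let m;
  while ((m = re.exec(manifest)) !== null) {
    const url = table[m[2]] || null; // null = dangling resid, worth flagging
    out.push({ kind: m[1], url, host: url ? new URL(url).host : null,
               https: url !== null && url.startsWith("https://") });
  }
  return out;
}

// Review summary: hosts that serve the add-in's code, and pieces loaded over
// plain HTTP (modifiable in transit) or with an unresolved location.
function reviewFindings(manifest) {
  const res = customFunctionResources(manifest);
  const hosts = [...new Set(res.map(r => r.host).filter(Boolean))].sort();
  const insecure = res.filter(r => !r.https).map(r => r.kind);
  return { hosts, insecure };
}
```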

Dardaman concluded by saying it took him some time to get JavaScript running in Excel, but that he anticipated this barrier of entry would shrink in size as JavaScript moves deeper into the full Office build. If and when that happens, the security researcher pledged to take a closer look at this particular method of attack.

David Bisson

David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.
