Within days of Microsoft's announcement that custom JavaScript functions are coming to Excel, one researcher's cryptomining PoC suggests security concerns are well-justified.
Microsoft made big news at Build 2018 when it announced JavaScript custom functions for Excel. Developers can use custom functions alongside, and thereby extend, Excel's built-in formulas such as =SUM() and =LOOKUP(). Once created, the functions work on Windows, Mac, Excel Online, and everywhere else Office add-ins run.
Michael Saunders and Johnnie Thomas, PM managers for Excel, explained in a blog post that the move is a response in part to Office developers who have been wanting to write JavaScript custom functions for some time in order to perform mathematical calculations, retrieve information from the web, and stream live data in Excel. That's not to say developers currently lack the ability to use scripts within Excel. The Office program does support Visual Basic for Applications (VBA), after all, and some developers are urging Microsoft to support Python, too. Even so, JavaScript custom functions broaden the types of things developers can do in Excel.
Developers can create a custom function at https://aka.ms/customfunctions. As discussed in Microsoft's detailed overview guide, the build process produces several files: a .js containing the custom function code, a .json that describes the function (its name, parameters, and result) to Excel, and an .html page whose <script> tag loads the .js file. An .xml add-in manifest tells Excel where to find those three resources.
Here's a custom function in action. The code for the function, named ADD42, adds its two arguments and the constant 42; Excel's add-in runtime calls it whenever a cell formula that references it is calculated:
// Excel passes the cell arguments as a and b;
// the return value becomes the cell's result.
function ADD42(a, b) {
  return a + b + 42;
}
JavaScript custom functions will undoubtedly expand developers' toolsets in Excel. Of course, not all developers are benevolent in nature, which means the new capabilities could benefit bad actors, too. Security blogger and researcher Graham Cluley instantly recognized this possibility.
Graham Cluley, "Bad Guys Have Something New to Play With! Microsoft Excel Adds Support for JavaScript"
It wasn't long before others were voicing similar concerns.
I see the malware coming
— Damian (@Damian1338) May 8, 2018
Javascript in Excel pic.twitter.com/39jkjLfzgj
— Amanda Rousseau (@malwareunicorn) May 8, 2018
I love how the windows kernel, hardware, and edge teams are actively trying to bulletproof the OS with privilege separation and mitigation out the ass, and the Office team is almost actively sabotaging that.
— hedge.py (@hedgeberg) May 8, 2018
Coinhive.xlsx has a nice ring to it.
— Bad Packets Report (@bad_packets) May 8, 2018
Building off that last tweet, security researcher Charles Dardaman offered to buy anyone a drink if they could present cryptocurrency mining within Excel at the next Dallas Hackers meeting.
I'll buy a beer to whoever presents cryptocurrency mining in Excel at the next @Dallas_Hackers
— Chase Dardaman (@CharlesDardaman) May 8, 2018
This offer piqued Dardaman's curiosity about the feasibility of running a program like Coinhive, a browser-based Monero miner widely abused for cryptojacking, within Excel. So the security researcher got to work. As he recounted in a blog post published on his personal site:
I started to read Microsoft’s actual documentation on how to implement JS within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5mb down internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.
GOT IT! #coinhive #Excel #Microsoft #Malware pic.twitter.com/QvHkgnGFkQ
— Chase Dardaman (@CharlesDardaman) May 8, 2018
Dardaman set Coinhive to a 50 percent throttle, meaning the miner would consume roughly half of a computer's CPU whenever someone opened the document. He could have told the miner to use even more resources, but doing so could have raised a red flag (a fan spinning up, a sluggish machine) whenever someone opened the document.
As he told Bleeping Computer, the security researcher was surprised at how well the custom function for Coinhive persisted. He noted that, "if I add the function in and then save the Excel sheet, when I reopen it, it will automatically run the function again."
At this time, Dardaman's program is just a proof-of-concept and is not a viable attack option (among other constraints, the JavaScript custom functions feature is currently only available to members of Microsoft's Office Insiders program). But given the ease and speed with which he created the custom function for Coinhive, the security researcher anticipates bad actors will use these capabilities to develop new ways of attacking users.
JavaScript files are already the second-most prevalent type of malicious attachment used in spam campaigns, and there are multiple variants of ransomware and other malware that are pure JavaScript. Attackers don’t need to try very hard to come up with possibilities.
For those reasons, Dardaman feels enterprises need to take adequate steps to prepare themselves:
If you are a Blue Teamer, like me, wondering how to defend against such an attack try to get in front of your IT team and have JavaScript disabled whenever it hits the full Office build. We do not currently know what controls Microsoft will put around JS use, but it will probably be better to just block it before your company becomes dependent upon it.
Depending on your organization's needs, options to consider include restricting which scripts can run and disabling Windows Script Host altogether, which standalone .js and .vbs files (the kind that arrive as spam attachments) rely on. One caveat: disabling WSH does not reach the Excel feature discussed here. JavaScript custom functions run inside the Office add-in runtime, not WSH, so controlling them means controlling add-ins, for example by limiting which add-in catalogs Office trusts and whether users may install add-ins from the Office Store, and by reviewing what has been sideloaded on developer machines.
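A concrete check a blue teamer can run today, as an added example that is not part of the original article or of Dardaman's PoC: a Python triage script that opens a workbook (an .xlsx is a ZIP of OOXML parts), reports any Office add-in references persisted under xl/webextensions/, and flags stored formulas that call functions outside Excel's own set. The sample workbook parts, the CONTOSO namespace, the add-in reference values and the short allowlist of Excel's dotted function families are constructed assumptions for the demo; the _xlfn. and _xludf. prefixes are ones Excel itself writes into saved formulas.

```python
"""Triage an .xlsx for JavaScript add-in residue.

Added example (not from the article or Dardaman's PoC). A workbook is a ZIP
of OOXML parts; add-ins inserted into it are persisted under
xl/webextensions/, and every cell formula is stored as text in the sheet
parts, so both can be inspected without ever opening Excel.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

SML_NS = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"

# Families of Excel's own dotted functions (STDEV.P, NORM.DIST, T.TEST, ...).
# Partial allowlist, an assumption of this example: extend it from Excel's
# function index before relying on it in production.
EXCEL_DOTTED_FAMILIES = {
    "STDEV", "VAR", "NORM", "T", "CHISQ", "F", "Z", "PERCENTILE", "QUARTILE",
    "RANK", "MODE", "COVARIANCE", "BINOM", "POISSON", "EXPON", "GAMMA",
    "LOGNORM", "WEIBULL", "BETA", "CONFIDENCE", "CEILING", "FLOOR", "ERF",
    "ERFC", "HYPGEOM", "NEGBINOM", "SKEW", "PERCENTRANK", "FORECAST",
}
FUNC_CALL_RE = re.compile(r"([A-Za-z_][A-Za-z0-9_.]*)\s*\(")


def flag_functions(formula):
    """Return [(name, reason)] for calls in a stored formula that are not
    Excel's own. Excel writes '_xlfn.' in front of newer built-ins (stripped
    here) and '_xludf.' in front of user-defined functions it could not
    resolve; any other dotted name outside Excel's dotted families is treated
    as an add-in namespace such as CONTOSO.ADD42."""
    flagged = []
    for raw in FUNC_CALL_RE.findall(formula):
        name = raw.upper()
        if name.startswith("_XLFN."):
            name = name[len("_XLFN."):]
        if name.startswith("_XLUDF."):
            flagged.append((name, "user-defined function (_xludf)"))
        elif "." in name and name.split(".", 1)[0] not in EXCEL_DOTTED_FAMILIES:
            flagged.append((name, "namespaced add-in function"))
    return flagged


def triage_workbook(xlsx_bytes):
    """Inspect raw .xlsx bytes; return persisted add-in references and flagged cells."""
    report = {"webextensions": [], "flagged_cells": []}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        for part in zf.namelist():
            if not part.endswith(".xml"):
                continue
            if part.startswith("xl/webextensions/"):
                # <we:reference id=... store=... storeType=.../> records where
                # the add-in came from (store, file share, sideload catalog).
                for el in ET.fromstring(zf.read(part)).iter():
                    if el.tag.rsplit("}", 1)[-1] == "reference":
                        report["webextensions"].append({"part": part, **el.attrib})
            elif part.startswith("xl/worksheets/"):
                for cell in ET.fromstring(zf.read(part)).iter(SML_NS + "c"):
                    f = cell.find(SML_NS + "f")
                    if f is None or not f.text:
                        continue
                    for name, reason in flag_functions(f.text):
                        report["flagged_cells"].append({
                            "part": part, "cell": cell.get("r"), "function": name,
                            "reason": reason, "formula": f.text})
    return report


# Constructed sample parts (not a real-world file and not a complete workbook:
# only the two parts the triage reads). Rows 3 and 4 mirror the article's ADD42.
SAMPLE_SHEET = b"""<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData>
    <row r="1"><c r="A1"><f>SUM(B1:B3)</f><v>6</v></c></row>
    <row r="2"><c r="A2"><f>_xlfn.STDEV.P(B1:B3)</f><v>0.8</v></c></row>
    <row r="3"><c r="A3"><f>CONTOSO.ADD42(1,2)</f><v>45</v></c></row>
    <row r="4"><c r="A4"><f>_xludf.ADD42(1,2)</f><v>45</v></c></row>
  </sheetData>
</worksheet>"""

SAMPLE_WEBEXT = b"""<?xml version="1.0" encoding="UTF-8"?>
<we:webextension xmlns:we="http://schemas.microsoft.com/office/webextensions/webextension/2010/11"
  id="{00000000-0000-0000-0000-000000000000}">
  <we:reference id="contoso-add42" version="1.0.0.0"
    store="https://addins.example.invalid/catalog" storeType="FileSystem"/>
</we:webextension>"""


def build_sample_xlsx():
    """Assemble the constructed parts into a ZIP so the triage runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/worksheets/sheet1.xml", SAMPLE_SHEET)
        zf.writestr("xl/webextensions/webextension1.xml", SAMPLE_WEBEXT)
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_workbook(build_sample_xlsx())
    for ref in result["webextensions"]:
        print("add-in reference:", ref)
    for hit in result["flagged_cells"]:
        print("flagged cell:", hit)
```

On the sample, A1 (SUM) and A2 (STDEV.P, which Excel stores with its _xlfn. prefix) pass, while A3 (a namespaced add-in call) and A4 (an _xludf. user-defined function) are flagged, and the webextension part is reported with its store and storeType. The script only identifies workbooks worth a closer look; it says nothing about what the referenced add-in does, and a workbook that merely calls a custom function will only run it again on machines where that add-in is installed or sideloaded.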
Dardaman concluded by saying it took him some time to get JavaScript running in Excel, but that he anticipated this barrier to entry would shrink as JavaScript moves deeper into the full Office build. If and when that happens, the security researcher pledged to take a closer look at this particular method of attack.
David Bisson is an infosec news junkie and security journalist. He works as Senior Content Manager, Associate Editor for Tripwire's "The State of Security" blog, Contributing Editor for IBM's Security Intelligence, and Contributing Writer for Barkly, Palo Alto Networks' Security Roundtable, Gemalto, Venafi, Zix Corp, AlienVault, and others.
© 2018 All Rights Reserved. Barkly is a registered trademark of Barkly Protects, Inc. | Privacy Policy and Terms of Service