“Evil Clippy”, as the new tool is called, can significantly complicate the detection of malicious macros.
It is able to modify documents at the file-format level. The result is a malicious version of the document that can bypass detection by various antivirus engines. To achieve this, the tool uses undocumented functions and specifications. Evil Clippy was created by Outflank, a Danish company that tests cybersecurity. The tool was developed while one of the company’s clients was being tested for its ability to resist cyberattacks.
Evil Clippy runs on Windows, macOS and Linux. The tool supports the Microsoft Office 97 – 2003 formats (.DOC and .XLS files) and the 2007 and newer formats (.DOCM and .XLSM files).
The technique Evil Clippy uses to generate malicious documents is called VBA stomping and was described by the Walmart cybersecurity team. It consists of substituting the original VBA script with “pseudocode”.
«Since malicious macros are one of the most common methods for initial compromise by threat actors, proper defense against such macros is crucial. We believe that the lack of adequate specifications of how macros actually work in MS Office severely hinders the work of antivirus vendors and security analysts. This post serves as a call to Microsoft to change this for the better.», – says Outflank.
To avoid detection by antivirus products, the new tool substitutes the malicious macro code with a fake script. As a result, a malicious document that was initially detected by 30 antivirus products could bypass the majority of them with the use of Evil Clippy.
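A defender's check for the mismatch that VBA stomping leaves behind, as an added example (not code from Outflank, Walmart or the original article): a stomped document keeps its compiled p-code while the stored VBA source is replaced, so names and string literals referenced by the p-code but absent from the source are a signal. The listing format, the opcode set and both sample macros are constructed assumptions.

```python
import re

# Opcodes whose operand names an identifier (set chosen for this example).
NAME_OPS = {"FuncDefn", "ArgsCall", "ArgsLd", "Ld", "St", "MemLd", "MemSt"}
IDENT = re.compile(r"\b[A-Za-z_]\w*")
STRING = re.compile(r'"([^"]*)"')

# Constructed p-code listing, loosely modelled on a disassembler's text output.
PCODE_LISTING = """\
Line #0:
    FuncDefn (Sub AutoOpen())
Line #1:
    LitStr 0x000B "notepad.exe"
    ArgsCall Shell 0x0001
Line #2:
    EndSub
"""
# Constructed VBA source that matches the p-code above.
CLEAN_SOURCE = 'Sub AutoOpen()\n    Shell "notepad.exe"\nEnd Sub\n'
# Constructed source after stomping: harmless-looking text, p-code unchanged.
STOMPED_SOURCE = 'Sub AutoOpen()\n    MsgBox "Report loaded"\nEnd Sub\n'

def pcode_symbols(disasm):
    """Return identifiers and string literals referenced by the p-code listing."""
    symbols = set()
    for line in disasm.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2:
            continue  # opcodes without operands, e.g. EndSub
        opcode, operand = parts
        if opcode == "LitStr":
            symbols.update(s for s in STRING.findall(operand) if s)
        elif opcode in NAME_OPS:
            symbols.update(IDENT.findall(STRING.sub("", operand)))
    return symbols

def stomping_report(vba_source, disasm):
    """Flag p-code symbols that never appear in the stored VBA source."""
    haystack = vba_source.lower()  # VBA identifiers are case-insensitive
    missing = sorted(s for s in pcode_symbols(disasm) if s.lower() not in haystack)
    return {"missing": missing, "suspicious": bool(missing)}

if __name__ == "__main__":
    print(stomping_report(CLEAN_SOURCE, PCODE_LISTING))
    print(stomping_report(STOMPED_SOURCE, PCODE_LISTING))
```

In practice the listing would come from a p-code disassembler and the source from the document's decompressed VBA stream. Substring matching keeps the sketch short, so a symbol that only appears in a source comment would still count as present.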
Source: https://nakedsecurity.sophos.com