You can hack banks with this Microsoft Excel attack

According to information security audit specialists, a Microsoft Excel feature called Power Query could be used by threat actors to inject malware into remote systems. Experts at Mimecast Threat Center described, through a proof of concept, how the vulnerability could be exploited.

Power Query lets Excel users embed external data sources in their worksheets. The security firm demonstrated an attack method that uses this feature to launch a remote DDE (Dynamic Data Exchange) attack against a spreadsheet, delivering a malicious payload and controlling it through Power Query.

According to information security audit specialists, Power Query could also be used to launch complex, hard-to-detect attacks that combine several attack vectors. By abusing this feature, hackers could attach malware to a data source outside Excel and have the content loaded into the spreadsheet when the user opens it.

The experts mention that Microsoft collaborated with them during the disclosure process; however, the company has decided not to release a fix for this vulnerability. Instead of patching the bug, Microsoft suggests that users mitigate the risk with a workaround: a security alert it has circulated on protecting applications when the DDE feature is used.

One of the possible attack vectors begins with hackers hosting, on an HTTP server, an external web page that contains the malicious payload to be delivered to the spreadsheet. “The HTTP server listened locally on port 80 and served DDE content in response when a spreadsheet request was received,” information security audit experts said.

If the user chooses to allow external data to be loaded into the Excel worksheet cell, the attack begins. According to the experts of the International Institute of Cyber Security (IICS), to make the DDE run, the user must double-click the cell that loads the DDE and then click again to release the load. Those operations will activate the DDE and launch the payload that was received from the attacker.
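Because the payload reaches the worksheet as ordinary cell content served by the external source, a defender can inspect that content before it is loaded. The following is an added example, not code from Mimecast or Microsoft: it assumes the external source returns CSV text, uses a constructed sample with a placeholder DDE reference, and its function names are hypothetical.

```python
import csv
import io
import re

# Shape of an Excel DDE formula: =application|topic!item
# (Excel also evaluates cells that start with +, - or @ as formulas.)
DDE_FORMULA = re.compile(r"^\s*[=+\-@]\s*[^|!=\s][^|!]*\|[^!]+![^!]+$")


def find_dde_cells(text):
    """Return (row, col, value) for every cell with the DDE formula shape."""
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        for c, value in enumerate(row, start=1):
            if DDE_FORMULA.match(value):
                hits.append((r, c, value))
    return hits


def neutralize(text):
    """Prefix flagged cells with a single quote so a spreadsheet treats them
    as text (the usual CSV-injection mitigation); other cells are unchanged."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow(["'" + v if DDE_FORMULA.match(v) else v for v in row])
    return out.getvalue()


# Constructed sample of what an external data source might return.
# The DDE cell uses placeholder names, not a real application or command.
SAMPLE = (
    "account,balance,note\n"
    "1001,=SUM(B3:B4),ordinary formula\n"
    "1002,250.00,a|b is not a formula\n"
    "1003,=APP|'TOPIC'!ITEM,placeholder DDE reference\n"
    "1004,-12.50,negative number\n"
)

if __name__ == "__main__":
    for row, col, value in find_dde_cells(SAMPLE):
        print(f"row {row}, column {col}: DDE-style formula {value!r}")
    print(neutralize(SAMPLE), end="")
```

Ordinary formulas, negative numbers and text containing a pipe character are not flagged; only cells with the full `=application|topic!item` shape are.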