Excel(ent) Obfuscation: Regex Gone Rogue
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:
A new Excel-based attack technique leverages recently introduced regex functions for advanced code obfuscation. The proof-of-concept demonstrates how malicious actors can use REGEXEXTRACT to hide PowerShell commands within large text blocks, significantly reducing antivirus detection rates. This method outperforms traditional obfuscation techniques, dropping VirusTotal detections from 22 to just 2. The approach also evades heuristic analysis tools like OLEVBA. While currently limited by Microsoft's default macro security and the functions' limited availability, this technique could potentially be combined with more sophisticated attack methods as it becomes more widely accessible.
OPENCTI LABELS:
powershell,excel,obfuscation,evasion,macro,vba,regex,regexextract
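For triage of the technique summarized above, this added example (not code from the original report or from OpenCTI) scans an OOXML workbook for sheet formulas that call Excel's regex functions and counts oversized shared strings. The 500-character threshold, the review rule, the helper names and the constructed sample parts are assumptions, and regex calls made only from inside VBA are outside its scope.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # for untrusted samples, defusedxml.ElementTree is a drop-in

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REGEX_CALL = re.compile(r"REGEX(?:EXTRACT|REPLACE|TEST)\s*\(", re.I)
LONG_TEXT = 500  # assumed cut-off (characters) for a "large text block"

def scan_workbook(data: bytes) -> dict:
    """Triage an OOXML workbook: regex-function formulas, big strings, VBA part."""
    out = {"regex_formulas": [], "long_strings": 0, "has_vba": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if name.lower().endswith("vbaproject.bin"):
                out["has_vba"] = True
            elif name.startswith("xl/worksheets/") and name.endswith(".xml"):
                for cell in ET.fromstring(z.read(name)).iterfind(".//m:c", NS):
                    f = cell.find("m:f", NS)
                    if f is not None and REGEX_CALL.search(f.text or ""):
                        out["regex_formulas"].append((name, cell.get("r"), f.text))
            elif name == "xl/sharedStrings.xml":
                for si in ET.fromstring(z.read(name)).iterfind("m:si", NS):
                    text = "".join(t.text or "" for t in si.iterfind(".//m:t", NS))
                    out["long_strings"] += len(text) >= LONG_TEXT
    return out

def needs_review(r: dict) -> bool:
    # Assumed triage rule: a regex formula plus either a large text block or macros.
    return bool(r["regex_formulas"]) and (r["long_strings"] > 0 or r["has_vba"])

def build_sample(formula: str, text: str, vba: bool) -> bytes:
    """Constructed minimal workbook parts (not a complete, openable file)."""
    ns = NS["m"]
    sheet = (f'<worksheet xmlns="{ns}"><sheetData><row r="1">'
             f'<c r="A1" t="s"><v>0</v></c><c r="B1"><f>{formula}</f></c>'
             f'</row></sheetData></worksheet>')
    strings = f'<sst xmlns="{ns}"><si><t>{text}</t></si></sst>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/worksheets/sheet1.xml", sheet)
        z.writestr("xl/sharedStrings.xml", strings)
        if vba:
            z.writestr("xl/vbaProject.bin", b"")  # empty placeholder, no real macro
    return buf.getvalue()

if __name__ == "__main__":
    flagged = build_sample('_xlfn.REGEXEXTRACT(A1,"[0-9]+")', "lorem ipsum 42 " * 60, True)
    plain = build_sample("SUM(1,2)", "quarterly totals", False)
    for label, blob in (("flagged", flagged), ("plain", plain)):
        r = scan_workbook(blob)
        print(label, needs_review(r), r["regex_formulas"])
```

A hit is a prompt for manual review rather than a verdict, since regex formulas also appear in ordinary workbooks.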