2017-11-20 07:27 PM
a) It looks like Malware server does not process CSVs as a suspect filetype at all. a. As per this and these https://www.we45.com/2017/02/14/csv-injection-theres-devil-in-the-detail/ https://pentestmag.com/formula-injection/ https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/CSV%20injection https://www.contextis.com/blog/comma-separated-vulnerabilities http://www.exploresecurity.com/from-csv-to-cmd-to-qwerty/ b. CSV/TSV files can quite clearly carry malicious content as far as excel is concerned. b) (while I again want to point out RSA should be syncing this content via live (not 3m later in an RPM) to customers not us chasing you) a. we'd love to add a yara rules on malware for it but https://community.rsa.com/docs/DOC-78558 i. (After a month the pictures still haven't been fixed) and ii. it seems like malware treats the file as none of these 1. fileType Specifies the files type. Possible values are: WINDOWS_PE, MS_OFFICE, and PDF. If not specified, the default value is WINDOWS_PE. b. E.g. i. https://github.com/Neo23x0/signature-base/blob/master/yara/gen_dde_in_office_docs.yar https://github.com/InQuest/yara-rules/blob/master/Microsoft_Office_DDE_Command_Execution.rule c) are we adding the yara rule incorrectly? a. or is this a product limitation? b. can it be addressed as a bug. c. These are exploited in the wild for about a month now. (Along with this https://community.rsa.com/message/900278?commentID=900278#comment-900278 )
