What Is It?
Evil Clippy is available for Windows, macOS and Linux operating systems and uses techniques to modify office documents directly, at the file level, in order to make it much more difficult for security products to detect the malicious macro. A recent article on BleepingComputer.com describes a tool created by security researchers from Outflank, a security testing company located in the Netherlands. First presented as part of presentation at Black Hat Asia in March 2019, they have named the tool Evil Clippy as a homage to the much derided Microsoft Office assistant found in versions of Microsoft Office from the late 1990s to the early 2000s.
Outflank created Evil Clippy to assist security testers in creating malicious Microsoft Office documents to use in their engagements. Outflank stated that at the time of publishing the details of Evil Clippy, “this tool is capable of getting malicious macros to bypass all major antivirus products and most maldoc analysis tools.”
To demonstrate its effectiveness, Outflank submitted a malicious Word document file generated using the Cobalt Strike security testing tool to VirusTotal, resulting in 34/59 detections. They then applied Evil Clippy to this sample and resubmitted it to VirusTotal, this time resulting in 1/59 detections. However, the Evil Clippy modified sample was not able to evade BluVector’s patented Machine Learning Engine (MLE). It was detected as malicious and would have been for over 5 years prior to the sample being created.
Though created with the intention for use by security testers, now that the details of the Evil Clippy tool are public, it is only a matter of time before attackers make use of it. Not that bad actors require further incentive to utilize malicious Office documents in their attacks. Malicious documents are currently the most common infection vector for malware attacks, despite the fact that usually potential victims must be socially engineered in order to enable macros or bypass other security warnings.
How Does It Propagate?
Evil Clippy malicious documents are designed for security testing purposes, but the techniques are likely to be utilized by bad actors. The malicious Evil Clippy documents will be attached to, or linked from, targeted spam emails.
When/How Did BluVector Detect It?
One sample is listed in the article and BluVector’s patented Machine Learning Engine (MLE) detected it. Regression testing has shown the sample would have been detected for 63 months prior to its creation.