When we reported on the new custom JS functions, it quickly became clear that, however useful this new feature may be, people expected it to be used for more nefarious purposes as well.
"What could POSSIBLY go wrong?" - Vicious Delicious (@MaliciousDelish), May 8, 2018
"Coinhive.xlsx has a nice ring to it." - Bad Packets Report (@bad_packets), May 8, 2018
"I see the malware coming" - Damian (@Damian1338), May 8, 2018
Before we go further, it is important to note that this is just a proof of concept: to use custom functions in Excel at all, you first need to be running the Office Insider version of Excel and to install the function as an add-in. In its current form, then, it is not a viable attack option. With that said, attackers are crafty, and where there is a will there is a way, so it would not be surprising to hear of an automated way to utilize this feature in the future.
Dardaman told BleepingComputer that creating the add-in took him very little time and that it was "extremely easy to do. I have never added anything or written an Excel macro before and it took me about an hour to get it working once I got the preview downloaded."
Even worse, Dardaman told us that it "persists as well, so if I add the function in and then save the Excel sheet, when I reopen it, it will automatically run the function again."
When testing the miner in Excel, Dardaman set it to use a threshold of 50, which essentially tells CoinHive to utilize 50% of the computer's CPU power. This is shown in the image below where we see Microsoft Excel Web Content, which is the hidden browser with CoinHive loaded, utilizing 206% of the computer's 4 cores.
"Exactly, this was super simple and as myself and others dig more into this I'm sure we are going to find tons of new ways to attack users" - Chase Dardaman
For those who wish to learn more about Dardaman's CoinHive in Excel PoC, he has created a blog post outlining what he did and how you can reproduce it.
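The CPU figure above gives defenders something to look for: 206% on a 4-core machine is about 51.5% of total capacity, in line with the setting of 50. The sketch below is an added example, not code from Dardaman's PoC or from this article; it flags the "Microsoft Excel Web Content" process when its share of the whole machine stays high across consecutive process snapshots. The sample lines, the 25% cut-off and the three-snapshot window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed snapshots (not from the article), one line per process:
# "<epoch> <pid> <%cpu> <command>", taken every 30 s on a 4-core host.
SAMPLES = """\
1525800000 412 3.1 Microsoft Excel
1525800000 977 204.8 Microsoft Excel Web Content
1525800000 655 61.0 mdworker
1525800030 412 2.7 Microsoft Excel
1525800030 977 206.0 Microsoft Excel Web Content
1525800030 655 1.2 mdworker
1525800060 412 2.9 Microsoft Excel
1525800060 977 207.3 Microsoft Excel Web Content
1525800060 655 0.8 mdworker
"""

# Process name as reported in the article for Excel's hidden browser.
WATCHED = {"Microsoft Excel Web Content"}


def parse(text):
    """Yield (timestamp, pid, cpu_percent, command) from snapshot lines."""
    for line in text.splitlines():
        if line.strip():
            ts, pid, cpu, name = line.split(None, 3)
            yield int(ts), int(pid), float(cpu), name.strip()


def flag_sustained(text, cores, min_share=0.25, min_samples=3):
    """Return [(pid, name, mean_share)] for watched processes whose share of
    total CPU capacity is >= min_share in min_samples consecutive snapshots.
    min_share and min_samples are assumed thresholds; tune them per fleet."""
    series = defaultdict(list)
    for ts, pid, cpu, name in sorted(parse(text)):
        # Per-process %CPU is relative to one core; normalise to the machine.
        series[(pid, name)].append(cpu / (100.0 * cores))
    hits = []
    for (pid, name), shares in series.items():
        if name not in WATCHED:
            continue
        run = []
        for share in shares:
            run = run + [share] if share >= min_share else []  # a dip resets the run
            if len(run) >= min_samples:
                hits.append((pid, name, round(sum(run) / len(run), 3)))
                break
    return hits


if __name__ == "__main__":
    print(flag_sustained(SAMPLES, cores=4))
```

Normalising by core count matters: the same 206% reading on a 16-core workstation is under 13% of capacity and would not cross the assumed cut-off.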