Within days of Microsoft announcing that they are introducing custom JavaScript functions in Excel, a security researcher has developed a way to use this method to load the CoinHive in-browser JavaScript miner within Excel.

When we had reported about the new custom JS functions, it was quickly seen that no matter how useful this new feature may be, people felt it would also be utilized for more nefarious purposes. 

Within hours, security researcher Chase Dardaman figured out a way to use Microsoft's new feature to load the CoinHive in-browser miner through a custom JavaScript Excel function.

Loading CoinHive in Excel

Before we go further, it is important to note that this is just a proof of concept and to even use custom functions in Excel, you first need to be using the Office Insider version of Excel and to install it as an add-in. So in its current form, it is not a viable attack option at this time. With that said, attackers are crafty and when there is a will there is a way, so it would not be surprising to hear of an automated way to utilize this feature in the future.

Custom JavaScript functions work by creating three files and storing them on an accessible web server. These files are a JS file containing the custom equation, a html file that loads your JavaScript files, and a JSON file that acts as a configuration file.  You also need to create a XML file, which acts as a manifest and is used locally by Excel to load your custom function as an add-in.

When the custom JS equation is used, Excel will will create a hidden browser that loads the various files and then executes the custom JavaScript functions. After quickly researching how to do this, Dardaman was easily able make his own add-in that loaded CoinHive into this hidden browser.

Dardaman told BleepingComputer that creating the add-in took him very little time and that it was "extremely easy to do. I have never added anything or written an excel macro before and it took me about an hour to get it working once I got the preview downloaded".

Even worse, Daradaman told us that it "persists as well, so if i add the function in and then save the excel sheet when i reopen it will automatically run the function again".

When testing the miner in Excel, Dardaman set it to use a threshold of 50, which essentially tells CoinHive to utilize 50% of the computer's CPU power. This is shown in the image below where we see Microsoft Excel Web Content, which is the hidden browser with CoinHive loaded, utilizing 206% of the computer's 4 cores.

CPU Utilization

As creating a custom JavaScript function was quick and easy to do , it will only be a matter of time before new attacks are developed. Dardaman agrees and could see researchers quickly finding new ways to exploit this feature.

"Exactly, this was super simple and as myself and others dig more into this I'm sure we are going to find tons of new ways to attack users" - Chase Dardaman

For those who wish to learn more about Dardaman's CoinHive in Excel PoC, he has created a blog post outlining what he did and how you can reproduce it.

Related Articles:

Compromised JavaScript Package Caught Stealing npm Credentials

Rakhni Ransomware Adds Coinminer Component

Fake Adult Sites Pushing Unwanted Extensions, Miners, and Adware

First-Ever Person Sentenced for Malicious Use of Coinhive Library

All-Radio 4.27 Portable Can't Be Removed? Then Your PC is Severely Infected