Macro Malware Employs Advanced Sandbox-Evasion Techniques

During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. When the victim opens the document, it displays the message "This document is protected against unauthorized use. Enable Editing and Enable Content to read content," a lure designed to get the user to enable macros. If the user clicks Enable Content, the macro runs and downloads malicious content. (By default, Microsoft Office opens documents from untrusted sources in Protected View with macros disabled, so a malicious macro cannot run unless the user explicitly enables it.)

Since early March we have seen macro malware using heavy obfuscation to defeat static and signature-based antimalware detection. Macro malware continues to evolve and adopt new tricks to evade detection.

[Figure 1]

At first glance, it is difficult to guess what this macro does; only after deobfuscating the code did we recover readable strings. The obfuscated macro looks like this:

[Figure 2: the obfuscated macro]

In a previous blog, we described how the macro in the document used the MaxMind service to gather IP-based geolocation data. Earlier variants already used evasion techniques such as virtual machine awareness and sandbox awareness. Last week we observed several new checks.

Use of painted event

The first major change is that the new variant no longer uses the AutoOpen() or Document_Open() procedure to run the macro automatically when the document is opened. Instead it runs from the Painted event handler of an embedded control, which fires as soon as Word draws the control on screen, again with no user action. This evasion defeats scanners and sandboxes that expect the payload to be triggered from AutoOpen().

[Figure 3: the macro's Painted event handler]
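A scanner keyed only on AutoOpen() misses the trigger above. The following added example (not code from the McAfee post) scans macro source text for both the classic auto-run entry points and for control event handlers, which VBA names ControlName_EventName; the sample macro, its control name and the handler signature are constructed for illustration.

```python
"""Find VBA procedures that run without user interaction.

Added example, not code from the McAfee post. It scans macro source text
for the classic auto-run entry points and for control event handlers such
as *_Painted, which VBA names <ControlName>_<EventName>. The sample macro
below is constructed; the control name and handler signature are
assumptions made for illustration."""
import re

# Entry points that run when the document opens; most scanners already key on these.
CLASSIC_TRIGGERS = {"autoopen", "document_open", "autoexec", "auto_open", "workbook_open"}

# Control events that fire as soon as Word draws the control, with no user action.
# Only Painted is taken from the post; extend this set for other silent events.
SILENT_EVENTS = {"painted"}

_SUB_RE = re.compile(
    r"^[ \t]*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+([A-Za-z_]\w*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


def find_triggers(vba_source: str) -> list:
    """Return one dict per procedure that would execute without a user click."""
    hits = []
    for match in _SUB_RE.finditer(vba_source):
        name = match.group(1)
        line = vba_source.count("\n", 0, match.start()) + 1
        if name.lower() in CLASSIC_TRIGGERS:
            hits.append({"line": line, "procedure": name, "kind": "classic"})
            continue
        # Control event handlers: <ControlName>_<EventName>
        control, sep, event = name.rpartition("_")
        if sep and control and event.lower() in SILENT_EVENTS:
            hits.append({"line": line, "procedure": name, "kind": "control-event",
                         "control": control, "event": event})
    return hits


# Constructed sample: no AutoOpen, the payload hangs off a Painted handler instead.
SAMPLE_VBA = """\
Attribute VB_Name = "ThisDocument"
Private Sub Picture1_Painted(ByVal hDC As Long, ByVal Rect As Object)
    Call Stage2
End Sub
Private Sub Stage2()
    ' downloader body omitted
End Sub
"""

if __name__ == "__main__":
    for hit in find_triggers(SAMPLE_VBA):
        print(hit)
```

Run against the constructed sample, it reports a single control-event trigger on line 2 and nothing for the helper procedure, which is the case an AutoOpen-only rule would miss.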

Checking the filename

Another change is a check on the filename. This is simple but effective: samples submitted to sandboxes are usually stored under their SHA256 or MD5 hash, so the filename consists only of hexadecimal characters. If the filename contains only hexadecimal characters, the malware assumes it is being analyzed and does not infect the machine further. In the following code snippet, the malware tests the filename "TestMacro" for hexadecimal characters.

[Figure 4]

[Figure 5]


Number of running processes

The malware also counts the running processes. If the count is below 50, the malware terminates. This is a simple way to avoid analysis: researchers often use a fresh copy of a virtual environment with fewer than 50 running processes. The code snippet:

[Figure 6: the running-process count check]


Blacklist of processes

Because these macro-based downloaders propagate mainly through spam and phishing email, the actors have made an effort to slip past perimeter devices such as email scanners and gateway products. The malware checks for processes that are likely to be running in a sandboxed or analysis environment, and the new variant expands that list:

[Figure 7: the expanded process blacklist]

Blacklist of networks

We also blogged about how threat actors use the MaxMind service to gather IP-based location data. This variant checks whether the machine is in the Oceania region, and it has expanded the list of strings it compares against the MaxMind response. The strings are heavily obfuscated and hard to read; they look like the following snippet:

[Figure 8: the obfuscated MaxMind strings]

The obfuscation algorithm changes frequently. For this variant we deobfuscated the content with a small Python script:

[Figure 9: the deobfuscated strings]

The malware also checks the name of the victim's network provider as returned by MaxMind. It does not infect the machine if the document is opened on the network of any of these listed vendors:

[Figure 10: the network-provider blacklist]
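Taken together, the filename, process-count, process-blacklist and network checks described above form one decision: run the payload or exit quietly. The added example below (not the malware's code, nor McAfee's) emulates that decision so a sandbox operator can test an environment before detonating a sample. The 50-process threshold and the Oceania region come from the post; the process names, provider names and the shape of the geolocation record are constructed placeholders, because the real lists are only in the screenshots.

```python
"""Emulate the sandbox checks the downloader performs, so an analysis
environment can be tested against them before a sample is detonated.

Added example, not the malware's code or McAfee's. The thresholds and the
Oceania region come from the post; the process names, provider names and
the shape of the geolocation record are constructed placeholders, since the
real lists live in the screenshots and are not reproduced here."""
import re

MIN_PROCESSES = 50          # malware exits below this count (from the post)
BLOCKED_REGION = "Oceania"  # region the malware refuses to run in (from the post)

# Constructed stand-ins for the malware's process blacklist (analysis/VM tooling).
BLACKLISTED_PROCESSES = {"vmtoolsd.exe", "vboxservice.exe", "procmon.exe", "wireshark.exe"}
# Constructed stand-ins for the provider strings matched against MaxMind data.
BLACKLISTED_PROVIDERS = {"example security vendor", "sandbox hosting co"}

_HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")


def looks_like_hash_name(path: str) -> bool:
    """True when the file's base name (without extension) is purely hexadecimal.

    Sandboxes commonly store samples under their MD5/SHA-256 digest, which is
    exactly what the malware keys on. The check is on characters only, not
    length, so a short name such as 'abc.doc' also trips it."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.split(".", 1)[0]
    return bool(_HEX_ONLY.match(stem))


def evasion_verdict(path, processes, geo):
    """Return (would_run, reasons). `geo` mimics a MaxMind lookup result with
    'continent' and 'isp' keys; that shape is an assumption of this example."""
    reasons = []
    if looks_like_hash_name(path):
        reasons.append("filename is hex-only (hash-named sample)")
    if len(processes) < MIN_PROCESSES:
        reasons.append(f"only {len(processes)} running processes (< {MIN_PROCESSES})")
    names = {p.lower() for p in processes}
    hits = sorted(names & BLACKLISTED_PROCESSES)
    if hits:
        reasons.append("blacklisted process present: " + ", ".join(hits))
    if geo.get("continent") == BLOCKED_REGION:
        reasons.append(f"machine geolocates to {BLOCKED_REGION}")
    isp = geo.get("isp", "")
    if any(tag in isp.lower() for tag in BLACKLISTED_PROVIDERS):
        reasons.append(f"network provider matches blacklist: {isp}")
    return (not reasons, reasons)


# Constructed environments: a bare VM straight from a snapshot, and one prepared
# to pass every check (renamed sample, padded process table, no analysis tools,
# egress through a residential-looking provider outside the blocked region).
BARE_SANDBOX = dict(
    path="C:\\samples\\9f86d081884c7d659a2feaa0c55ad015.doc",
    processes=["explorer.exe", "winword.exe", "vboxservice.exe"],
    geo={"continent": "Oceania", "isp": "Sandbox Hosting Co"},
)
HARDENED_SANDBOX = dict(
    path="C:\\Users\\jane\\Downloads\\Invoice_0317.doc",
    processes=["explorer.exe", "winword.exe"] + [f"svc{i}.exe" for i in range(58)],
    geo={"continent": "North America", "isp": "Residential Cable Co"},
)

if __name__ == "__main__":
    for label, env in (("bare", BARE_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        ok, why = evasion_verdict(**env)
        print(f"{label}: payload runs = {ok}; {'; '.join(why) or 'no checks tripped'}")
```

The bare environment trips all five checks and the payload never runs, so the analyst sees a harmless document; the hardened one passes each of them. The practical counter-measures follow directly from the reasons list: give submitted samples a realistic name rather than their hash, pad the process table past the threshold, rename or hide analysis tooling, and route sandbox egress through an address that does not geolocate to a blocked region or to a security vendor's network.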

Malware authors continue to advance their sandbox-evasion techniques, making detection harder for antimalware products.

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

Sample MD5s

  • 05ef99749dec84ffd670ffcfba457c68
  • 2a03a7172b3fe4a8e50eb337643f8a55
  • 317b3f381b8feeb84b7318b1c1bf0970
  • 531364f5afadcadd83aef3158c100c98
  • 535aba8b1a5f0585d2878fd39c8b05d2
  • 73267a21adcf9b587cb44bf54d496b6c
