A newer anti-sandbox method by malware

cruelsister

Apr 13, 2013
Just something interesting that I heard about a malicious Office macro going around:

There are just loads of ways that malware tries to detect the presence of either a VM and/or sandbox. Typically this is by DLL checking, OS product key checks, direct querying of the environment by stuff like the utilization of the GetTickCount API, etc.

But a former colleague just made me aware of a newer method for malware directed to Businesses, and this is by the Office RecentFiles property. The malware will use this to check on how many Office Docs have been recently opened, and if the number is small (like in a testing environment) it will shut down. Seems the malware will only execute if the number of recent files opened is above 10 (at least in the sample that he found, which he refuses to share unless I date him).
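As an added illustration from the defender's side (not code from the thread or from the sample described in it), the following Python scans extracted VBA source for numeric comparisons against `RecentFiles.Count`, the indicator described above, and reports the threshold used. The macro text it runs on is constructed here for the example; in practice the VBA source would come from a macro-extraction tool such as olevba.

```python
import re

# Constructed VBA snippet (not a real sample) showing the recent-files
# threshold check described in the post: the payload only runs when more
# than 10 documents have been opened recently.
SUSPICIOUS_VBA = """
Sub AutoOpen()
    If Application.RecentFiles.Count > 10 Then
        Call Payload
    End If
End Sub
"""

# Constructed benign macro that touches RecentFiles without gating on the count.
BENIGN_VBA = """
Sub ListRecent()
    Dim f As RecentFile
    For Each f In Application.RecentFiles
        Debug.Print f.Name
    Next f
End Sub
"""

# Matches "RecentFiles.Count <op> <number>" or the reversed
# "<number> <op> RecentFiles.Count"; the optional "Application." prefix
# covers both ways the property is commonly referenced in VBA.
_CHECK_RE = re.compile(
    r"RecentFiles\.Count\s*(>=|<=|<>|>|<|=)\s*(\d+)"
    r"|(\d+)\s*(>=|<=|<>|>|<|=)\s*(?:Application\.)?RecentFiles\.Count",
    re.IGNORECASE,
)


def find_recentfiles_checks(vba_source):
    """Return (line_number, operator, threshold) for each numeric
    comparison against RecentFiles.Count in the given VBA source."""
    hits = []
    for lineno, line in enumerate(vba_source.splitlines(), start=1):
        for m in _CHECK_RE.finditer(line):
            if m.group(1):  # property on the left-hand side
                hits.append((lineno, m.group(1), int(m.group(2))))
            else:           # literal on the left-hand side
                hits.append((lineno, m.group(4), int(m.group(3))))
    return hits


def is_sandbox_evasion_candidate(vba_source):
    """True if the macro gates behaviour on how many files were recently opened."""
    return bool(find_recentfiles_checks(vba_source))
```

A sandbox whose Office profile has a realistic, populated recent-files list also blunts this particular check at the environment level, independent of static detection.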
 

jamescv7

Mar 15, 2011
Well, sometimes logical thinking is so powerful that you can definitely trick anything, even though the presumption for the majority is way too far.

Hence more will be targeted for anti-sandbox; at the moment AVs shine because it is common due to obsolete techniques.
 
