Security News Malicious Macros in Office Documents Find New Tricks to Evade Detection

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
Malware coders are some of the most creative and talented programmers you'll find, and the speed at which malware keeps evolving stands as proof.

One of the cases where this has been proven true once again is detailed by Zscaler, a San Jose-based security firm.

While analyzing the most recent malware samples detected by their security software, the company's experts came across malicious Microsoft Office documents that employed macros with new social engineering tricks, but also new anti-analysis detection mechanisms.

Malware coders are obfuscating their macro scripts
The cyber-criminals used highly obfuscated code for their malware, hoping to thwart the efforts put in by security experts who were taking a look at the macro's tangled source.

This tactic had some of the desired effects, but Zscaler's team prevailed, and their efforts were rewarded. The security researchers managed to get a glimpse of the most recent tactics employed by malware coders to detect virtual machines and malware analysis products.

While malware has been checking for VM environments for years, the way it does this has continually evolved, just like the malware's code.

The malicious macros Zscaler stumbled upon used three older techniques to scan for VM and sandbox environments. The malware was checking for standard virtual environment strings, was employing the Windows Management Instrumentation (WMI) interface to identify virtual environment & automated analysis systems, and was using a static list of software pieces known to be used by security researchers.

Macro scripts check for recently opened Office documents
Besides these three, all known to most security researchers, Zscaler also discovered two new tricks. For the first one, the malware was looking at Office's list of Recently Opened Files.

If the infected target had less than three files, the malware deemed it a test environment and stopped its execution. The thinking behind this check makes sense, since all test and malware scanning environments use fresh OS installations, with no user activity in the OS or the software's logs.

Macro scripts abuse Maxmind's GeoIP API
The second new check found in malicious macro scripts used Maxmind's GeoIP service. The malware was checking the user's IP address and was comparing the result to an internal list of known IPs belonging to security firms, data centers, or other malware analysis services.

"This API asks for user credentials but we did not see any hardcoded credential information being sent by the malicious document," Zscaler's team notes. "We are still verifying if this is by design or if this is an authentication bypass issue for the API that is being exploited."

If any of these checks fails, the macro script stops execution immediately, but if it succeeds, Zscaler says that crooks will download the Matsnu backdoor trojan on infected hosts, and sometimes later, the Nitol backdoor trojan, and the Nymaim ransomware.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
I know right exterminator,
I have said it before, MS makes more headaches for itself, it does not need
people making up crap, just give them time they will drop the ball on
something.
PeAcE
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top