Batu69, posted June 9, 2016

A new wave of malicious documents containing highly obfuscated macros is using Anti-VM (virtual machine) and Anti-Sandbox techniques to avoid being downloaded and detected by automated analysis systems.

In late May, Zscaler researchers spotted malicious documents leveraging the ability to detect virtual environments via the Office RecentFiles property and the ability to check external IP ownership to evade sandbox solutions, Zscaler Director of Security Research Deepen Desai said in a June 7 blog post. The macro code checks whether the number of entries in the RecentFiles collection is less than a predefined threshold and terminates if it is, the post said.

The use of the Microsoft Office RecentFiles property to detect a virtual environment is a new technique that may seem trivial, but it has been effective against many automated analysis systems, Desai told SCMagazine.com via emailed comments.

"The malware author makes an assumption here that most clean virtual environment snapshots will be taken after a fresh Microsoft Office install with probably one or two document files opened for testing the installation," Desai said. "Alternately, a standard user system with Office applications should have at least 3 or more recently accessed document files."

The cyber crooks behind the malicious campaign aren't exploiting vulnerabilities to infect users, but instead are using social engineering tactics to lure the user into enabling the macros.

To prevent these types of attacks, Desai said end users need to be more vigilant and should never trust documents that prompt them to enable macros in order to view content. He said Microsoft has acknowledged the rise in macro malware-based attacks and has incorporated additional countermeasures that will allow enterprise administrators to enforce a strict policy against untrusted documents containing macros.

Article source
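As an added example (my own code, not from the article, Zscaler, or the samples they analysed), here is a small heuristic scanner for already-extracted macro source text that flags the two evasion checks the article describes: a comparison of `RecentFiles.Count` against a numeric threshold, and an HTTP request object paired with a URL literal (the kind of external IP lookup mentioned). The macro text below is constructed for the example and only mirrors what the post states; the `ip-lookup.example` host is a placeholder. The second function turns the discovered thresholds into the minimum number of recent documents an analysis VM should present, which is the hardening step Desai's comment implies.

```python
import re

# Constructed sample macro source (not a real sample from the article).
# It mirrors the two checks the post describes: a RecentFiles threshold
# and an outbound lookup before the real payload routine runs.
SAMPLE_MACRO = """
Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "http://ip-lookup.example/json", False
    http.Send
    If InStr(http.responseText, "hosting") > 0 Then Exit Sub
    Payload
End Sub
"""

# RecentFiles.Count compared against a literal number, any operator.
RECENT_FILES_RE = re.compile(
    r"RecentFiles\.Count\s*(<=|>=|<|>|=)\s*(\d+)", re.IGNORECASE)
# COM objects commonly used by VBA for HTTP requests.
HTTP_OBJECT_RE = re.compile(
    r'CreateObject\(\s*"(MSXML2\.(?:Server)?XMLHTTP[^"]*|WinHttp\.WinHttpRequest[^"]*)"\s*\)',
    re.IGNORECASE)
URL_RE = re.compile(r'"(https?://[^"]+)"', re.IGNORECASE)


def scan_macro_source(vba):
    """Return a list of indicator dicts found in extracted VBA source.

    Plain regexes only: heavily obfuscated macros that build these names
    from string fragments at run time will not match, so treat a clean
    result as 'nothing found', not 'benign'.
    """
    findings = []
    for m in RECENT_FILES_RE.finditer(vba):
        findings.append({
            "indicator": "recentfiles_threshold",
            "operator": m.group(1),
            "threshold": int(m.group(2)),
        })
    if HTTP_OBJECT_RE.search(vba):
        for url in URL_RE.findall(vba):
            findings.append({"indicator": "http_request", "url": url})
    return findings


def required_recentfiles(findings):
    """Smallest RecentFiles count an analysis VM must show so that every
    'bail out if too few recent files' check found would be satisfied."""
    needed = 0
    for f in findings:
        if f["indicator"] != "recentfiles_threshold":
            continue
        if f["operator"] == "<":
            needed = max(needed, f["threshold"])
        elif f["operator"] == "<=":
            needed = max(needed, f["threshold"] + 1)
    return needed


if __name__ == "__main__":
    found = scan_macro_source(SAMPLE_MACRO)
    for f in found:
        print(f)
    print("populate analysis VM with at least",
          required_recentfiles(found), "recent documents")
```

Run it against macro text extracted with a VBA extraction tool (for example olevba from oletools); the `required_recentfiles` value is the number of documents to open and save in the sandbox image before taking the snapshot, which removes the signal this particular check relies on.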
vibranium, posted June 9, 2016

Stealth methods. Doesn't make them more dangerous.
straycat19, posted June 9, 2016

3 hours ago, Batu69 said: "A new wave of malicious documents containing highly obfuscated macros is using Anti-VM (virtual machine) and Anti-Sandbox techniques to avoid being downloaded and detected by the automated analysis systems."

Nothing new here, since Anti-VM and Anti-Sandbox have been a part of the majority of malware for at least 5 years. And for at least that long we have been finding ways to obfuscate or straight out defeat whatever checks are built into the malware. The things that are being claimed in this article were defeated 2 1/2 to 3 years ago and malware cannot spot our VMs any longer. As far as that goes, we use VMs to catch various tech support scammers and they can't even recognize a VM when they have full access to the systems and right there on the screen it shows the VMware services running. Crooks are stupid, regardless of the media they are using in an attempt to gain financial rewards. Again, I say, anything created by man can be hacked, broken, obfuscated, or ignored.