Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky.
Recently, McAfee Labs encountered a new variant of macro malware that uses new techniques to avoid executing in environments its authors consider undesirable. When the .doc file is opened, it displays junk content and a request to enable macros. If the user clicks Enable Content, the macros run and download malicious content. (Protected View is enabled by default, which prevents malicious macros from running unless the user enables them.)
McAfee Labs has previously blogged about macro malware that uses heavy obfuscation and several other layers of evasion to avoid detection. Previous variants have used evasion techniques such as virtual machine awareness, sandbox awareness, and others. At first glance, it is difficult to guess the intentions of this macro malware.
The malware hides all strings that could hint at its behavior. So far we have seen two types of string obfuscation. In the first type, two parameters are passed to a function that returns the decoded string. The first parameter is an obfuscated string and the second is a junk string that must be removed from the first.
The following Python script decrypts the content:
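As an added example (not the script from the original post, which is not reproduced here), the following Python helper decodes strings of the first type. It assumes the simplest reading of the description: every occurrence of the junk string is removed from the obfuscated string. The VBA fragment, the function name `Decode`, and the junk marker `QZt` are all constructed for this illustration; an analyst would substitute the function name observed in the real macro.

```python
import re
from typing import List, Tuple

# Constructed VBA fragment (not from the analyzed sample). Each call passes an
# obfuscated literal and the junk string that must be stripped from it.
SAMPLE_VBA = r'''
Sub AutoOpen()
    Dim u As String
    u = Decode("hQZttQZttQZtp://QZtexQZtampQZtle.invQZtalid/x", "QZt")
    Call Decode("poQZtwerQZtshell.exe", "QZt")
End Sub
'''

# Matches Name("literal1", "literal2"). Escaped quotes ("") inside VBA
# literals are not handled; they did not occur in the constructed input.
TWO_LITERAL_CALL = re.compile(r'(\w+)\(\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')


def strip_junk(obfuscated: str, junk: str) -> str:
    """Remove every occurrence of `junk` from `obfuscated` (assumed algorithm)."""
    if not junk:
        return obfuscated
    return obfuscated.replace(junk, "")


def decode_calls(vba_source: str, func_name: str = "Decode") -> List[Tuple[str, str]]:
    """Find two-literal calls to `func_name` and return (obfuscated, decoded) pairs."""
    results = []
    for match in TWO_LITERAL_CALL.finditer(vba_source):
        name, obfuscated, junk = match.groups()
        if name == func_name:
            results.append((obfuscated, strip_junk(obfuscated, junk)))
    return results


if __name__ == "__main__":
    for original, decoded in decode_calls(SAMPLE_VBA):
        print(f"{original!r} -> {decoded!r}")
```

Running the script over a dumped macro (for example, the output of an OLE/VBA extraction tool) turns the obfuscated literals into readable URLs and command names, which is usually enough to decide what the macro intends before it is ever executed.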
With the second type of string obfuscation, only one string is passed to the function:
The Python script to decrypt the string:
In addition to string obfuscation, the malware checks the number of recently opened or accessed files and exits if that number is less than three. This is a simple technique for avoiding analysis, because security researchers often work from a fresh copy of a virtual machine that has no recently used files. The VBA code:
The macros employ a legitimate site for their malicious purposes. The threat actors use the MaxMind service to gather IP-based location data. (MaxMind provides location data for IP addresses.) The VBA code:
ResponseText1 contains the location, IP address, organization name, and other information. The malware checks whether the following names are contained in ResponseText1.
If any of these names are present, the malware stops. It avoids executing at several antimalware and web-hosting organizations, and in some cases in Russia and North America. After execution the malware downloads malware families such as Ursnif, which steals banking information.
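The two environment checks described above (the recent-files gate and the IP-geolocation lookup followed by inspection of the response text) are static indicators an analyst can hunt for in extracted macro code. The following Python triage script is an added example, not McAfee's detection logic: it runs three regex rules over VBA source and flags a macro when at least two fire. The VBA samples are constructed; the maxmind.com host reference is an assumption drawn from the post's mention of the MaxMind service, the request path and the organization name are placeholders, and the rule names are my own.

```python
import re
from typing import Dict, List

# Indicator rules. Names are hypothetical; patterns are case-insensitive
# because VBA identifiers are.
RULES: Dict[str, re.Pattern] = {
    # Exits when the host has fewer than N recently used files.
    "recentfiles_gate": re.compile(r"RecentFiles\.Count\s*<\s*\d+", re.I),
    # Outbound request to the geolocation provider named in the analysis
    # (assumption: the macro references a maxmind.com host).
    "geoip_lookup": re.compile(r"maxmind\.com", re.I),
    # Substring search over the HTTP response text, as used to match
    # organization names in the geolocation reply.
    "response_inspection": re.compile(r"InStr\([^)]*responseText", re.I),
}

# Constructed macro reproducing the described evasion checks; the URL path
# and the organization name are placeholders, not values from the sample.
SUSPICIOUS_VBA = r'''
Sub Document_Open()
    If Application.RecentFiles.Count < 3 Then
        Exit Sub
    End If
    Dim req As Object
    Set req = CreateObject("MSXML2.XMLHTTP")
    req.Open "GET", "https://www.maxmind.com/PLACEHOLDER-PATH", False
    req.send
    ResponseText1 = req.responseText
    If InStr(ResponseText1, "EXAMPLE-ORG-NAME") > 0 Then Exit Sub
End Sub
'''

# Constructed benign macro used as a control; it touches the document only.
BENIGN_VBA = r'''
Sub Document_Open()
    ActiveDocument.Range.InsertAfter "Reviewed"
End Sub
'''


def triage(vba_source: str) -> List[str]:
    """Return the sorted names of every rule that matches the macro source."""
    return sorted(name for name, pattern in RULES.items() if pattern.search(vba_source))


def is_suspicious(vba_source: str, threshold: int = 2) -> bool:
    """Flag the macro when at least `threshold` indicators are present."""
    return len(triage(vba_source)) >= threshold


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_VBA), ("benign", BENIGN_VBA)):
        print(label, triage(src), is_suspicious(src))
```

The threshold keeps a lone geolocation request (which legitimate documents occasionally make) from raising an alert on its own; combined with a recent-files gate or a response-string check it is a strong signal that the macro is profiling the machine before acting.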
McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.
Analyzed MD5 hashes:
- fac4245a1a3f9e4f5f4c9b727133837b
- e3f93401a1494112d242c80333703b0f