Attacks by macro malware carrying ransomware are growing, as we have recently reported on Blog Central here and here. Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as virtual machine awareness, sandbox awareness, and more.
Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. These algorithms do not change frequently; we noticed updates only over a period of one month. This slow evolution suggests that the actors are able to sustain their binaries with few changes. So far we have seen three obfuscating algorithms deployed in such malware. The version we noticed in mid-April was quite interesting; here is our analysis.
This new variant of macro malware not only has high-level obfuscation techniques but also several layers of evasion. In addition to obfuscation, the functions are scattered across the macros. I have converted the obfuscation algorithm to an equivalent Python and the scripts used for evasion techniques into VBA scripts for easy understanding.
The following are obfuscated strings passed to the function:
This equivalent Python script deobfuscates the string:
The malware posts a fake Microsoft Office 2016 screen upon execution to lure victims into enabling the macro content:
Our analysis revealed the possibility of an known actor group having created this malware, which is similar to the earlier version “Donoff.” That version posed a similar message to the one we see below. This similarity suggests that the new variant could also be from the same group.
The following flow chart shows the sequence of evasion checks performed in the code:
Layer 1: Evading honeypots
We found the following code in the macro that checks the username and the hostname. If the username is “USER” and the hostname is “HOST,” the code will not execute. It is well known that most honeypots are named User and Host to attract zero-day malware. The actors have taken this step to escape common zero-day traps.
Layer 2: Virtualization awareness and anti-emulation
To avoid analysis by security researchers, the actors next try to avoid executing their code in a virtual environment. The following code snippet shows this check in the malware.
Layer 3: Evading perimeter devices and dynamic tools
Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have taken the effort to infiltrate perimeter devices such as email scanners and gateway products such as intrusion detection and prevention. The following piece of code in the macro checks for the presence of frameworks and devices like Snort, Suricata, Wireshark, and others.
Compromised website serves payload
These actors have compromised a legitimate website to deploy their payload. This (masked) legitimate website hosts the payload:
http://soc[xxxxx]it.com/system/logs/office.exe
During our analysis, this hardcoded link served the following file, which indicated that the attackers were still preparing the environment and had not yet uploaded a malicious payload. (McAfee has contacted the site owner.)
We found one eccentricity in this malware: The actors had put in a condition to execute the malware from specific folder path even if any of the preceding evasion checks returned a true value. If the malware executes from the “<random_number>_<country name>” folder, it will continue even in the presence of a virtual machine with dynamic tools. The code shown in the image below checks for “<random_number>_australia” in the execution path of the malware. So far we have seen Australia and the United States in the exclusion list.
Our analysis in this case indicates that actors with varying proficiency continue to make security efforts difficult for antimalware products. McAfee DATs already cover this and similar malware.
Sample MD5s:
- d80c15fd4ee1b10512d81bde32daaf30
- c1787d80ad7beb46646d5c20cdd7eff2