Macro Malware Employs Advanced Obfuscation to Avoid Detection

Attacks by macro malware carrying ransomware are growing, as we have recently reported on Blog Central here and here. Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as virtual machine awareness, sandbox awareness, and more.

Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. These algorithms do not change frequently; we noticed updates only over a period of one month. This slow evolution suggests that the actors are able to sustain their binaries with few changes. So far we have seen three obfuscating algorithms deployed in such malware. The version we noticed in mid-April was quite interesting; here is our analysis.

This new variant of macro malware not only has high-level obfuscation techniques but also several layers of evasion. In addition to obfuscation, the functions are scattered across the macros. I have converted the obfuscation algorithm to an equivalent Python and the scripts used for evasion techniques into VBA scripts for easy understanding.

The following are obfuscated strings passed to the function:

Obfuscated_String

This equivalent Python script deobfuscates the string:

Python

The malware posts a fake Microsoft Office 2016 screen upon execution to lure victims into enabling the macro content:

microsoft

Our analysis revealed the possibility of an known actor group having created this malware, which is similar to the earlier version “Donoff.” That version posed a similar message to the one we see below. This similarity suggests that the new variant could also be from the same group.

warning

The following flow chart shows the sequence of evasion checks performed in the code:20160420 Visio Drawing 2

Layer 1: Evading honeypots

We found the following code in the macro that checks the username and the hostname. If the username is “USER” and the hostname is “HOST,” the code will not execute. It is well known that most honeypots are named User and Host to attract zero-day malware. The actors have taken this step to escape common zero-day traps.

user

Layer 2: Virtualization awareness and anti-emulation 

To avoid analysis by security researchers, the actors next try to avoid executing their code in a virtual environment. The following code snippet shows this check in the malware.

vmware

Layer 3: Evading perimeter devices and dynamic tools

Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have taken the effort to infiltrate perimeter devices such as email scanners and gateway products such as intrusion detection and prevention. The following piece of code in the macro checks for the presence of frameworks and devices like Snort, Suricata, Wireshark, and others.

fiddler

Compromised website serves payload

These actors have compromised a legitimate website to deploy their payload. This (masked) legitimate website hosts the payload:

http://soc[xxxxx]it.com/system/logs/office.exe

During our analysis, this hardcoded link served the following file, which indicated that the attackers were still preparing the environment and had not yet uploaded a malicious payload. (McAfee has contacted the site owner.)

malware

We found one eccentricity in this malware: The actors had put in a condition to execute the malware from specific folder path even if any of the preceding evasion checks returned a true value. If the malware executes from the “<random_number>_<country name>” folder, it will continue even in the presence of a virtual machine with dynamic tools. The code shown in the image below checks for “<random_number>_australia” in the execution path of the malware. So far we have seen Australia and the United States in the exclusion list.

4

Our analysis in this case indicates that actors with varying proficiency continue to make security efforts difficult for antimalware products. McAfee DATs already cover this and similar malware.

Sample MD5s:

  • d80c15fd4ee1b10512d81bde32daaf30
  • c1787d80ad7beb46646d5c20cdd7eff2

 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from McAfee Labs

Back to top