Researchers have found a new strain of document-based macro malware that evades discovery by lying dormant when it detects a security researcher’s test environment.
The malware, according to researcher Caleb Fenton with security firm SentinelOne, evades detection simply by counting the number of documents – or the lack thereof – that reside on a PC and not executing if a certain number are not present.
Fenton, who discovered the malware after several failed attempts to trigger the sample into acting maliciously, said the typical lack of documents in a virtual machine and sandboxed test environment make it easy, in this case, for malware authors to fly under the radar.
“If malware can be smart enough to know when it’s being tested in a VM, it can avoid doing anything suspicious or malicious and thereby increase the time it takes to be detected by such tools,” Fenton said in a blog post outlining his research.
A typical test environment consists of a fresh Windows computer image loaded into a VM environment. The OS image usually lacks documents and other telltale signs of real world use, Fenton said. The malware sample that Fenton found inside of a Word document looks for existing documents on targeted PCs.
If no Microsoft Word documents are found, the VBA macro code execution terminates, shielding the malware from automated analysis and detection. Alternately, if more than two Word documents are found on the targeted system, the macro will download and install the malware payload.
The malware-laced document is distributed via spam or phishing campaigns, according to SentinelOne. The malicious Word document looks for and takes advantage of a Windows feature called RecentFiles. The feature, as the name suggests, lists and gives easy access to recently viewed or created documents.
When documents are detected via RecentFiles, the malware assumes the system is a valid target and goes into action triggering a PowerShell script that links the victim’s PC to a command-and-control server to download a low-level system keylogger.
In another obfuscation technique, the malware uses an IP detection web service (Maxmind) to determine the network used by the targeted system. The IP address is cross referenced with a list of blacklisted IP addresses tied to security firms such as BlueCoat, Palo Alto and others. Those IPs are red flagged and stop the malware from executing, according to Fenton.
Anti-VM or anti-sandbox checks by malware are hardly new. Fenton notes earlier this year researchers at Proofpoint observed a macro that look up the public IP address of the targeted PC and would not download the payload if it finds that the IP address is associated with a security vendor, certain cloud services or a sandbox environment.
In June, Zscaler researchers found document-based macro attack code using multiple techniques to detect and evade virtual environments and automated analysis systems. One macro scanned for standard virtual environment strings and another looked for the presence of known analysis tools on the system.
Fenton says these examples of macro code capable of detecting test environments mimic what researchers have been seeing with more sophisticated malware for years.
“These document-detecting samples represent a new trend for VBA-based malware. We expect this type of evasion techniques in more sophisticated malware – not with less formidable macro malware,” Fenton told Threatpost.
Malware authors, Fenton said, are realizing adding obfuscation code to malware can extend the life of their malware and increase profits. “It comes down to simple economics. The longer malware can go undetected, the more damage it can do in the wild.”
Fenton suspects that researchers will see more anti-detection features from a wider range of malware authors in the months ahead.
This story has been updated to reflect the correction of an attribution error by SentinelOne related to the name of a malicious Word document.