New campaign of improved macros started at the end of May

Jun 9, 2016 00:40 GMT  ·  By

Malware coders are some of the most creative and talented programmers you'll find, and the speed at which malware keeps evolving stands as proof.

One of the cases where this has been proven true once again is detailed by Zscaler, a San Jose-based security firm.

While analyzing the most recent malware samples detected by their security software, the company's experts came across malicious Microsoft Office documents that employed macros with new social engineering tricks, but also new anti-analysis detection mechanisms.

Malware coders are obfuscating their macro scripts

The cyber-criminals used highly obfuscated code for their malware, hoping to thwart the efforts put in by security experts who were taking a look at the macro's tangled source.

This tactic had some of the desired effects, but Zscaler's team prevailed, and their efforts were rewarded. The security researchers managed to get a glimpse of the most recent tactics employed by malware coders to detect virtual machines and malware analysis products.

While malware has been checking for VM environments for years, the way it does this has continually evolved, just like the malware's code.

The malicious macros Zscaler stumbled upon used three older techniques to scan for VM and sandbox environments. The malware checked for standard virtual environment strings, queried the Windows Management Instrumentation (WMI) interface to identify virtual environments and automated analysis systems, and compared installed software against a static list of tools known to be used by security researchers.

Macro scripts check for recently opened Office documents

Besides these three, all known to most security researchers, Zscaler also discovered two new tricks. For the first one, the malware was looking at Office's list of Recently Opened Files.

If that list contained fewer than three files, the malware deemed the host a test environment and stopped its execution. The thinking behind this check makes sense, since most test and malware scanning environments use fresh OS installations, with no prior user activity in the OS or in the applications' own history.

Macro scripts abuse Maxmind's GeoIP API

The second new check found in malicious macro scripts used Maxmind's GeoIP service. The malware was checking the user's IP address and was comparing the result to an internal list of known IPs belonging to security firms, data centers, or other malware analysis services.

"This API asks for user credentials but we did not see any hardcoded credential information being sent by the malicious document," Zscaler's team notes. "We are still verifying if this is by design or if this is an authentication bypass issue for the API that is being exploited."

If any of these checks fails, the macro script stops execution immediately; if all of them pass, Zscaler says the crooks download the Matsnu backdoor trojan onto the infected host, sometimes followed later by the Nitol backdoor trojan and the Nymaim ransomware.
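The five checks described above (VM strings, WMI queries, a list of analyst tools, the Office recent-files count, and the Maxmind GeoIP lookup) all leave recognisable traces in a macro's source once the string obfuscation is peeled back. The following Python scanner is an added example for defenders and is not code from Zscaler or from the article; it undoes two common VBA string tricks (Chr() concatenation and StrReverse literals) and then flags which anti-analysis categories a macro references. The sample macro, the indicator regexes and the list of analyst tool names are constructed here for illustration, not taken from the samples Zscaler analysed.

```python
from __future__ import annotations
import re

# Indicator table: each category is one anti-analysis technique named in the
# article, paired with a regex for the VBA constructs usually used for it.
# The tool names and WMI class names are assumptions chosen for this example.
INDICATORS = {
    "vm_strings": re.compile(r"\b(vmware|virtualbox|vbox|qemu|xen|hyper-?v)\b", re.I),
    "wmi_query": re.compile(r"winmgmts|Win32_ComputerSystem|Win32_BIOS|ExecQuery", re.I),
    "analysis_tools": re.compile(r"\b(wireshark|procmon|ollydbg|idaq?|fiddler|sysinternals)\b", re.I),
    "recent_files": re.compile(r"\bRecentFiles\b", re.I),
    "geoip_lookup": re.compile(r"maxmind|geoip", re.I),
}


def deobfuscate(src: str) -> str:
    """Undo simple VBA string obfuscation so indicator regexes can match.

    Chr(110) -> "n", StrReverse("cba") -> "abc", and adjacent literals
    joined with & are merged: "ht" & "tp" -> "http".
    """
    def chr_repl(m: re.Match) -> str:
        ch = chr(int(m.group(1)))
        return '""""' if ch == '"' else f'"{ch}"'  # VBA doubles embedded quotes

    s = re.sub(r"Chr\(\s*(\d+)\s*\)", chr_repl, src)
    s = re.sub(r'StrReverse\("([^"]*)"\)', lambda m: f'"{m.group(1)[::-1]}"', s)
    prev = None
    while prev != s:  # repeat until no more "a" & "b" pairs remain
        prev, s = s, re.sub(r'"\s*&\s*"', "", s)
    return s


def scan_macro(src: str) -> dict[str, list[str]]:
    """Return {category: [matched tokens]} for every indicator category hit."""
    text = deobfuscate(src)
    hits: dict[str, list[str]] = {}
    for name, rx in INDICATORS.items():
        found = sorted({m.group(0).lower() for m in rx.finditer(text)})
        if found:
            hits[name] = found
    return hits


def is_suspicious(src: str, min_categories: int = 2) -> bool:
    """Flag a macro when it touches at least min_categories distinct checks.

    A single category (e.g. one WMI call) is common in benign admin macros;
    several evasion categories together are the pattern worth alerting on.
    """
    return len(scan_macro(src)) >= min_categories


# Constructed sample macro (not real malware): it mimics the evasion
# checks described in the article with the payload stage left out.
SAMPLE_MACRO = r'''
Sub AutoOpen()
    Dim svc, items, c
    Set svc = GetObject("winmgmts:\\.\root\cimv2")
    Set items = svc.ExecQuery("SELECT * FROM Win32_ComputerSystem")
    For Each c In items
        If InStr(1, LCase(c.Model), "vmware") > 0 Then Exit Sub
    Next
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Dim u
    u = Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & "geoip." & StrReverse("dnimxam") & ".com/"
    ' ... IP lookup and payload download elided in this constructed sample ...
End Sub
'''

if __name__ == "__main__":
    for category, tokens in scan_macro(SAMPLE_MACRO).items():
        print(f"{category}: {', '.join(tokens)}")
    print("suspicious:", is_suspicious(SAMPLE_MACRO))
```

Run against the constructed sample, the scanner reports four categories (wmi_query, vm_strings, recent_files and geoip_lookup) and flags the macro; the Maxmind hostname only becomes visible after the Chr()/StrReverse pass, which is the point of deobfuscating before matching. In practice the VBA source would be extracted from the document first (olevba from the oletools project is the usual choice) and the indicator table extended with whatever strings a given campaign uses.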

[Image: Macro malware gets a few upgrades. Caption: One of the new ways to trick users into activating macros in Office files]