New macros attacks use Anti-VM and Anti-Sandbox techniques

Threat actors are leveraging new techniques to avoid detection of macros documents.
Threat actors are leveraging new techniques to avoid detection of macros documents.

A new wave of malicious documents containing highly obfuscated macros is using Anti-VM (virtual machine) and Anti-Sandbox techniques to avoid being downloaded and detected by the automated analysis systems.

In late May, Zscaler researchers spotted the malicious documents leveraging the ability to detect virtual environments via Office RecentFiles property and the ability to check for external IP ownership to prevent sandbox solutions, Zscaler Director of Security Research Deepen Desai said in a June 7 blog post.

The macros code checks if the number of RecentFiles collection is less than a predefined threshold and terminates if it is, the post said.

The use of Microsoft Office RecentFiles property to detect a virtual environment is a new technique that may seem trivial, but has been effective against many automated analysis systems, Desai told SCMagazine.com via emailed comments.

“The malware author makes an assumption here that most clean virtual environment snapshots will be taken after a fresh Microsoft Office install with probably one or two document files opened for testing the installation,” Desai said. “Alternately, a standard user system with Office applications should have at least 3 or more recently accessed document files.”

The cyber crooks behind the malicious campaign aren't exploiting vulnerabilities to infect users, but instead are using social engineering tactics to lure the user into enabling the macros. 

To prevent these types of attacks, Desai said end users need to be more vigilant and should never trust documents that prompt them to enable macros for viewing content.

He said Microsoft has acknowledged the rise in macro malware based attacks and has incorporated additional counter measures that will allow enterprise administrators to enforce a strict policy against untrusted documents containing macros.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS