New Malicious Macro Evasion Tactics Exposed in URSNIF Spam Mail
by John Anthony Bañes
Malicious macros are commonly used to deliver malware payloads to victims, usually by coercing victims into enabling the macro sent via spam email. The macro then executes a PowerShell script to download ransomware or some other malware.
Just this September EMOTET, an older banking malware, leveraged this method in a campaign that saw it spreading to new industries and regions.
Figure 1. Infection diagram for EMOTET malware showing Macro-PowerShell use
Because of the effectiveness of this method, attackers continue to use it and improve it. Threats leveraging malicious macros are constantly changing to evade security measures that detect and block them. Recently, in spam email distributing URSNIF, a malware famous for adopting new tools, we saw simple checks that the malware uses to evade sandbox detections.
Macros that use AutoClose can run malicious PowerShell script after closing the document, evading sandbox detections that analyze the macro itself. This method is becoming a common feature in many malicious macros because it is easy to implement.
Figure 2. Sample of AutoClose code for the macros
After coercing the victim to enable macros, the macro waits for the would-be victim to close the document and only then will PowerShell execute. Sandbox detections might miss the malicious behavior since the malicious routines will only run after the document is closed.
Microsoft Office provides macros with a handful of enumeration variables that hold predefined values. However, some enumerations are only present in later versions of Microsoft Office. By comparing such an enumeration variable to a known value, a macro can indirectly check the Office version.
For example, the enumeration xlAutomaticAllocation does not exist in Office 2007; this was added later in Office 2010 and has a value of “2”. Knowing this, the attacker can check for this value. In the code below, if the value is greater than zero, it will proceed to deobfuscate and run code containing the PowerShell script. Otherwise, the macro will simply exit.
Figure 3. Code checking enumeration value to evade sandbox detection
How is this used to avoid sandbox detection? Some sandboxes only use Microsoft Office 2007 for automated analysis, so if the attacker detects Office 2007, the macro won’t deploy. Malicious behavior can be passed over if the macro contains a check like this.
When automating the analysis of a file in a sandbox, the file is sometimes renamed to its MD5, SHA-1 or SHA-256 hash. Attackers take advantage of this by adding a filename length check to the VBScript before triggering the malicious action. If the document filename is too long, possibly indicating a sandbox, the macro will not execute the malicious routines, evading detection.
The following code snippet is found in the sample detected as W2KM_POWLOAD.DTP.
Figure 4. Code checking filename
Based on the code, the malware checks the document filename length. An MD5 hash string is 32 bytes long, SHA-1 is 40 bytes long, and SHA-256 is 64 bytes long. If the length is less than 30, it will proceed with its malicious routine. Otherwise, if the length is greater than 30, it will only display a message box.
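The three evasion checks described above (the AutoClose handler, the Office-version enumeration test and the filename length test) are simple to spot in extracted macro source. The following scanner is an added example written for this article, not code from the samples or from Trend Micro; it assumes the VBA source has already been extracted (for instance with a macro extraction tool) and runs its rules over a constructed macro in which the payload is replaced by a harmless MsgBox.

```python
import re

# Constructed VBA source (not from the original samples) showing the three checks
# the article describes; the malicious stage is replaced by a benign MsgBox.
SAMPLE_VBA = """
Sub AutoClose()
    If xlAutomaticAllocation > 0 Then
        If Len(ActiveDocument.Name) < 30 Then
            MsgBox "stage would run here"
        Else
            MsgBox "Document"
        End If
    End If
End Sub
"""

# Each rule: (name, case-insensitive pattern, why it matters). VBA is case-insensitive.
EVASION_RULES = [
    ("autoclose_handler",
     re.compile(r"\bSub\s+(AutoClose|Document_Close)\b", re.I),
     "code runs when the document is closed, possibly after sandbox analysis ended"),
    ("office_version_enum",
     re.compile(r"\bxlAutomaticAllocation\b", re.I),
     "enumeration absent from Office 2007, used to fingerprint the Office version"),
    ("filename_length_check",
     re.compile(r"\bLen\s*\(\s*(ActiveDocument|ThisDocument)\.(Name|FullName)\s*\)"
                r"\s*[<>]=?\s*\d+", re.I),
     "filename length comparison, targeting hash-named files in sandboxes"),
]


def find_evasion_indicators(vba_source: str) -> list:
    """Return one dict per rule match with the rule name, line number and matched text."""
    hits = []
    for name, pattern, why in EVASION_RULES:
        for m in pattern.finditer(vba_source):
            line_no = vba_source.count("\n", 0, m.start()) + 1
            hits.append({"rule": name, "line": line_no, "match": m.group(0), "reason": why})
    return hits


def score(vba_source: str) -> int:
    """Number of distinct evasion rules hit; two or more warrants closer analysis."""
    return len({h["rule"] for h in find_evasion_indicators(vba_source)})


if __name__ == "__main__":
    for h in find_evasion_indicators(SAMPLE_VBA):
        print(f"line {h['line']}: {h['rule']} ({h['match']!r}) - {h['reason']}")
    print("distinct evasion rules:", score(SAMPLE_VBA))
```

A detection built on these rules should be combined with the usual macro indicators (Shell, WScript.Shell, PowerShell strings), since each check on its own can also appear in legitimate documents.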
Most of the samples analyzed have one thing in common—they run PowerShell script that downloads and executes another malware. For the samples we analyzed, the malware downloaded is a variant of the URSNIF malware (detected by Trend Micro as TSPY_URSNIF). However, these are not unique to one malware; it is possible that others may be downloaded. As malware and their delivery methods continue to evolve, security must be updated as well. Users need to be protected with the latest solutions that can combat new and evolving threats.
Trend Micro Solutions
Trend Micro endpoint solutions such as Trend Micro™ Smart Protection Suites and Worry-Free™ Business Security can protect users and businesses from these threats by detecting malicious files, and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachment and URLs.
Trend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.
Trend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.