
Malicious Macros in Office Files Use New Tactics to Evade Detection


A new wave of malicious files carrying heavily obfuscated macros uses anti-sandbox and anti-virtual-machine techniques to evade the automated analysis tools that would otherwise have detected them.

Security researchers examining the latest malware detected by their products found malicious Microsoft Office documents whose macros combine new social-engineering tactics with new anti-analysis mechanisms.

In late May, researchers at security company Zscaler identified malicious files that use the Office RecentFiles feature to spot virtual environments and that check the ownership of the host's external IP address to avoid sandbox solutions, Deepen Desai, Director of Security Research at Zscaler, said in a blog post dated June 7.

Desai also wrote that the macro code checks whether the number of entries in the RecentFiles collection is below a predefined threshold and, if so, terminates. Scmagazine.com reported this on June 8, 2016.

The technique had some effect, but the Zscaler team persisted and was able to get a look at the latest tricks malware authors use to spot analysis software and virtual machines.

Malware has been checking for virtual-machine environments for years, and the way it does so keeps evolving, as the current macro code shows.

Notably, if the host does not have at least 3 files in its recent-files list, the malware treats it as a test system and halts execution. This makes sense: a malware scanning or test environment typically runs on a fresh OS installation with no user activity recorded in the operating system or application logs.
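As a detection-side illustration of the RecentFiles check described above, here is an added example (not Zscaler's code and not the actual macro): a small Python heuristic that scans VBA source for a read of Application.RecentFiles.Count compared against a numeric threshold and followed by an early exit. Both VBA samples are constructed for the example.

```python
import re

# Constructed sample VBA, modelled on the RecentFiles check the article
# describes; it is hypothetical text, not the macro Zscaler analysed.
SAMPLE_VBA = """
Sub AutoOpen()
    Dim n As Integer
    n = Application.RecentFiles.Count
    If n < 3 Then
        Exit Sub
    End If
    Call Stage2
End Sub
"""

# Constructed benign macro for comparison.
BENIGN_VBA = """
Sub AutoOpen()
    MsgBox "Document opened"
End Sub
"""

RECENT_COUNT = re.compile(r"Application\.RecentFiles\.Count", re.I)
ASSIGN_COUNT = re.compile(r"^(\w+)\s*=\s*Application\.RecentFiles\.Count", re.I)
LESS_THAN = re.compile(r"\b([\w.]+)\s*<\s*(\d+)\b")
EARLY_EXIT = re.compile(r"\bExit\s+(Sub|Function)\b|^End$", re.I)


def find_recentfiles_evasion(vba: str) -> dict:
    """Flag a RecentFiles.Count threshold comparison followed by an exit."""
    result = {"reads_recentfiles": False, "threshold": None, "early_exit": False}
    tainted = {"application.recentfiles.count"}  # names that carry the count
    for raw in vba.splitlines():
        line = raw.strip()
        if RECENT_COUNT.search(line):
            result["reads_recentfiles"] = True
            m = ASSIGN_COUNT.match(line)
            if m:  # variable assigned from the count is tracked by name
                tainted.add(m.group(1).lower())
        m = LESS_THAN.search(line)
        if m and m.group(1).lower() in tainted:
            result["threshold"] = int(m.group(2))  # e.g. "< 3" as in the article
        if result["threshold"] is not None and EARLY_EXIT.search(line):
            result["early_exit"] = True
    result["suspicious"] = result["reads_recentfiles"] and result["threshold"] is not None
    return result
```

Run it over VBA extracted from a document (for example with oletools' olevba) to triage samples before they ever reach a sandbox that the macro might refuse to run in.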

Zscaler's researchers further note that the API in question requires user credentials, but they did not see any such hard-coded credentials being sent by the malicious Office files. They are still checking whether this is intentional or whether a bypass of the API's checks is being exploited.

Zscaler states that if the checks fail, the macros stop running on the host; if they pass, the attackers download the Matsnu backdoor Trojan, followed by the Nitol backdoor Trojan and the Nymaim ransomware.

» SPAMfighter News - 6/15/2016
