Explore Joe Security Cloud Basic Accounts Contact Us
top title background image

Joe Security's Blog

Will it blend? This is the Question, new Macro based Evasions spotted

Published on: 07.09.2016

Do you remember the "Will it blend?" YouTube series, where a guy tries to blend anything possible with his magic blender?  If not here is a nice example:

Today I often feel like being asked "Will it execute" or "Why doesn't it execute" or "This should execute". As many other vendors of malware analysis systems we see an increase of sophisticated evasions to prevent dynamic analysis.

This is especially true for Macro malware. Malware embedded in Office documents today is not only used to infect home users but also corporate machines. VBA obfuscation techniques  used in both scenarios are usually very similar: string encryption, variable/function names randomization and code redundancy. Since VBA is a full-fledged programming language, it is possible to do practically anything from inside Word, Excel or any other VBA-enabled MS Office application (like recent Locky variants distributed through MS Publisher files). Today I would like to briefly present two interesting samples that recently came through our lab.

Powershell, InkPicture_Painted & Zone.Identifier

The first sample is a DOCX and basically just a simple trojan downloader with a very small footprint. After deobfuscation there are only few lines left but some of them are quite interesting. The first evasion abuses the :Zone.Identifier alternate data stream (ADS) to verify if the file was indeed downloaded from the internet (or received by e-mail):

The :Zone.Identifier check is used to bypass sandboxes that do not propagate the ADS to the submitted files. ADS is a feature of the Windows NTFS file system and most sandboxes are based on Linux with an EXT file system. EXT does not support ADS and therefore any alternate data stream is simply omitted if samples are copied.

The second evasion is probably used to bypass some tools that rely on the fact that the payload is usually executed from the AutoOpen() or Document_Open() function. In contrast, this sample starts its execution inside the InkPicture.Painted event:

It is interesting that InkPicutre.Painted also works on Powerpoint where no AutoOpen() or Document_Open() function exists. Likely we are going to see more Powerpoint based macro malware in the near future.

Apart from that, the sample also checks for the number of recently opened files (Application.RecentFiles.Count < 3), an evasion technique which was already seen a few times in the last months. The main payload is downloaded by a PowerShell snippet executed through the WScript.Shell.Run command:

The full Joe Sandbox 16 report from the above sample is available below (click the graph to open):


PartOfDomain, No-Admin and Steganography

Another sample we received (thank you for sharing to John Lambert) is a bit more complicated and targets corporate users. There are at least 2 indicators to back-up this statement. Both are visible in the snippet below:

The result returned from mekzvij() function is used to determine if the VBA macro should further proceed with the infection process (if greater than 2, stop execution). It is clearly visible that the PartOfDomain field from Win32_ComputerSystem WMI class has a really big weight (100). Not being part of a domain effectively prevents this sample from running. The second indicator is more trivial, the UserName field shall not contain the "admin" substring, this is not necessarily a "corporate environment" indicator but may be just a detection of some specific sandboxes (another lookup for "malfind" suggests the latter). mekzvij() function contains some more WMI-based evasions that are often used by many different malware families:

If all checks are passed, the script drops a DLL into "%APPDATA%\Adobe\AIR\azgyrfhy.dat" and runs it during DocumentBeforeClose event:

The DLL is just a second stage downloader and has a hardcoded URL pointing to a PNG image:

After successful download (it's never stored to the disk), the DLL de-crypts a second DLL that is hidden inside the PNG chunks (which is the most simple variant of PNG steganography) by using a modified TEA cipher. It's decrypted and manually mapped into the process address space, later it communicates with another host which seems to be dead by now as we received only "504 Gateway Time-out". More details about this particular threat can be found in the Joe Sandbox 16 Report (click the graph to open):



Final words

While the :Zone.Identifier evasion is easy to bypass for sandbox vendors, the PartOfDomain evasion is not. Especially in the last weeks we have seen the use of more complex evasions. Of course the more targeted a piece of malware is, the more likely a complex evasion is being used.

What really helps the most to fight evasions are two things: first, Deep Malware Analysis which enables you to spot the evasion and second, an open platform to quickly act to prevent the evasions. For many years we at Joe Security strive to improve these two main features of dynamic malware analysis systems.

Will it blend? This is the question. As for Joe Sandbox we can say yes, the malware executes and shows its real behavior!

Update 1:

The second mentioned sample is actually part of the Dukes/APT29 targeted attacks.