Malware developers rank among the most creative and talented programmers you’ll find, which is probably why malware infections keep spreading faster and faster all over the world.
Recent research from Zscaler, a San Jose-based security firm, bears this out. Zscaler’s researchers analyzed the latest malware samples detected by their security software and came across malicious Microsoft Office documents whose macros employed new social engineering tricks as well as new anti-analysis detection mechanisms.
The attackers used highly obfuscated code for their malware, hoping to thwart the security researchers who would examine the macro’s tangled source. The tactic had some of the desired effect, but the Zscaler team prevailed, and their efforts were rewarded: they got a glimpse into the latest tactics malware authors use to detect virtual machines and malware analysis products.
Malware has checked for VM environments for years, but the way it performs those checks has continually evolved, just like the rest of its code.
The malicious macros Zscaler stumbled upon used three older techniques to scan for VM and sandbox environments: the malware checked for standard virtual-environment strings, it used the Windows Management Instrumentation (WMI) interface to identify virtual environments and automated analysis systems, and it consulted a static list of software known to be used by security analysts.
Beyond these, Zscaler also discovered two new tricks. For the first one, the malware looked at Office’s list of Recently Opened Files.
If the infected target had fewer than three entries, the malware deemed it a test environment and stopped executing. The reasoning behind this check is sound, since test and malware-scanning environments typically use fresh OS installations, with no trace of user activity in the OS or in application logs.
The second new check found in the malicious macro scripts used MaxMind’s GeoIP service. The malware looked up the user’s IP address and compared the result against an internal list of known IP ranges belonging to security firms, data centers, and other malware analysis services.
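As an added illustration (not Zscaler’s code, and not the macro they analyzed), the following Python script shows how a defender might triage extracted VBA macro source for the five anti-analysis behaviours described above: virtual-environment strings, WMI queries, a list of analysis tools, the RecentFiles count check, and a MaxMind GeoIP lookup. The indicator lists, both macro samples and the `maxmind.com/EXAMPLE-PATH` URL are constructed for this example. A small normalization step first undoes two common macro obfuscation tricks, string concatenation (`"vm" & "ware"`) and `Chr()` encoding, so the indicators still match obfuscated source.

```python
"""Heuristic triage of VBA macro source for anti-analysis indicators.

Added example, not Zscaler's tooling. Indicator lists and sample macros
are constructed for illustration; a real triage list would be far longer.
"""
import re
from typing import Dict, List

# Indicator regexes grouped by the evasion technique they suggest.
INDICATORS: Dict[str, List[str]] = {
    "vm_strings":     [r"\bvmware\b", r"\bvirtualbox\b", r"\bvbox\b", r"\bqemu\b", r"\bhyper-v\b"],
    "wmi_query":      [r"winmgmts:", r"\bWin32_ComputerSystem\b", r"\bWin32_Process\b", r"\bWin32_BIOS\b"],
    "analysis_tools": [r"\bwireshark\b", r"\bprocmon\b", r"\bollydbg\b", r"\bfiddler\b", r"\bidaq?\b"],
    "recent_files":   [r"\bRecentFiles\s*\.\s*Count\b"],
    "geoip_lookup":   [r"maxmind\.com", r"\bgeoip\b"],
}

# Chr(n) / ChrW(n) calls and literal-to-literal concatenation (also across
# a VBA line continuation, i.e. " & _<newline>").
_CHR = re.compile(r"\bChrW?\(\s*(\d+)\s*\)", re.IGNORECASE)
_JOIN = re.compile(r'"\s*&\s*_?\s*"')


def normalize(source: str) -> str:
    """Undo two common obfuscation tricks so string indicators line up:
    Chr(n) for printable ASCII becomes a literal, then adjacent literals
    joined with & are merged ("vm" & Chr(119) & "are" -> "vmware")."""
    def chr_to_literal(m):
        code = int(m.group(1))
        if 32 <= code < 127 and code != 34:      # printable, not a quote
            return '"%s"' % chr(code)
        return m.group(0)                        # leave anything else alone
    text = _CHR.sub(chr_to_literal, source)
    return _JOIN.sub("", text)


def scan_macro(source: str) -> Dict[str, List[str]]:
    """Return {category: sorted unique matched strings} for every
    indicator category that fires in the normalized macro source."""
    text = normalize(source)
    hits: Dict[str, List[str]] = {}
    for category, patterns in INDICATORS.items():
        found = sorted({m.group(0).lower()
                        for p in patterns
                        for m in re.finditer(p, text, re.IGNORECASE)})
        if found:
            hits[category] = found
    return hits


def is_evasive(hits: Dict[str, List[str]], min_categories: int = 2) -> bool:
    """A single category (e.g. one WMI query) is common in benign admin
    macros; two or more distinct anti-analysis categories in one macro is
    a strong signal that the document deserves manual review."""
    return len(hits) >= min_categories


# Constructed sample: exercises the checks, downloads nothing.
SAMPLE_MALICIOUS = r'''
Sub AutoOpen()
    Dim wmi, p
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    For Each p In wmi.ExecQuery("Select * from Win32_ComputerSystem")
        If InStr(LCase(p.Model), "vm" & "ware") > 0 Then Exit Sub
    Next
    For Each p In wmi.ExecQuery("Select * from Win32_Process")
        If InStr(LCase(p.Name), "wire" & Chr(115) & "hark") > 0 Then Exit Sub
    Next
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://geoip." & "maxmind.com/EXAMPLE-PATH", False
End Sub
'''

# Constructed benign macro: ordinary document formatting, no indicators.
SAMPLE_BENIGN = '''
Sub FormatReport()
    With ActiveDocument.Tables(1)
        .Borders.Enable = True
    End With
End Sub
'''

if __name__ == "__main__":
    for name, src in (("constructed malicious", SAMPLE_MALICIOUS),
                      ("constructed benign", SAMPLE_BENIGN)):
        found = scan_macro(src)
        print(name, "->", "evasive" if is_evasive(found) else "clean", found)
```

In practice the macro text would come from a VBA extractor run over the document; the scanner is deliberately string-based so it works on obfuscated source without executing anything. The threshold in `is_evasive` is the tunable part: one WMI query alone is ordinary in administrative macros, while a WMI query plus a RecentFiles count check plus a GeoIP lookup has no benign explanation.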
“This API asks for user credentials but we did not see any hardcoded credential information being sent by the malicious document,” Zscaler’s team said. “We are still verifying if this is by design or if this is an authentication bypass issue for the API that is being exploited.”
According to Zscaler, if any of these checks fails, the macro script stops executing immediately. If all of them pass, the attackers download the Matsnu backdoor trojan onto the infected host, followed later by the Nitol backdoor trojan and the Nymaim ransomware.