The latest versions of the Ursnif banking trojan have added new tricks letting the malware to detect when a virtual machine or a sandbox environment has been analyzing it.
The latest Ursnif samples have been detected this month, distributed via macro-laced Office files attached to spam emails. These macro scripts would perform a series of checks to determine if the PC they landed on is a real computer, a virtual machine or sandbox environment before downloading and installing the malware itself.
According to the Proofpoint experts, four checks were registered in total, two of which they have never seen before.
The first new check was a lookup for unique characters in the names of local files. The macro script was specifically looking to see if local files contained only hexadecimal characters in their names.
Usually, the files submitted to analysis in sandbox environments and VMs are renamed based on their SHA256 or MD5 hash, so that researchers can keep a track of the exact payload. SHA256 and MD5 hashes are only made up of the hexadecimal character set: 0123456789ABCDEFabcdef.
In case the macro script found files with other types of characters, such as “w,” “=,” or “#,” then it knew this was a regular PC and not a researcher’s box, and go on with its installation procedure.
The second check is even more clever. The macro script is using the Application.Tasks.Count function to query the local OS for the presence of running processes with a graphical interface. In case the script found less than 50, the macro script would stop, thinking that this was a test box for detecting malware.
“A quick check of a real system shows that it is common to have more than 50 tasks, while sandbox systems are optimized to have as few as possible,” the Proofpoint team said.
Apart from the two new checks, the macro script also employed two checks which are relatively new but have been seen before. The macro script would first check for the presence of process names that included blacklisted terms like the names of VM vendors or reverse engineering software.
After that, the macro script would use the Maxmind API to detect the user’s IP address, and compare the IP to a list of known IP ranges assigned to security firms and data centers, where VMs and malware analysis toolkits are often hosted.
This last trick was noticed in June, by both Proofpoint and Zscaler. Along with the Maxmind-powered query, the two researchers teams detected macro scripts querying the local computer for the list of recently opened files.
If the number was less than three, the macro script would know this was a freshly installed VM, just for the purpose of analyzing malware and stop the installation process.
Also in June, the Proofpoint experts detected the Dridex banking trojan employing the same tricks, while Zscaler detected these two with the Matsnu backdoor trojan, the Nitol backdoor trojan, and the Nymaim ransomware.
