Run-on-Close Macros Try to Shut the Door on Sandboxes

March 19, 2015
Proofpoint Staff

In recent posts we have described the continued innovations of Dridex campaigns, including core functionality and evasion techniques such as large volumes of unique file attachments, obfuscated macro code, webinjects and a SOCKS proxy. Recent malicious attachment campaigns even revealed macros with built-in sandbox detection and evasion tactics, and Proofpoint researchers have also found another tool in the macro infection toolkit: leveraging a document close event to execute the malware download.

In this case, the maldoc campaign resembles other attachment delivery campaigns, but the twist is in when the macro shows its true colors. The user is enticed to enable macros and open the attachment, and when they open it, they see a blank page and, under the hood, nothing bad happens. Instead, the malicious action occurs when the document is closed. The macro payload, in this case, listens for a document close event, and when that happens, the macro executes.

The AutoClose method executes another method, “vhjVHsdfdsf” that includes obfuscated code. XOR’ing the obfuscated code with 0xFF yields powershell downloader code which installs Dridex with botnet ID 120.

The expected behavior for most malware is for it to execute at the earliest opportunity available on the target system. Realizing that immediate execution was a red flag to malware sandboxes and antivirus solutions, malware writers adjusted by coding their wares to “wait” for short periods of time before executing, thereby avoiding sandboxes that would only check for malicious activity at initial launch. As sandboxes have adjusted to also “wait”, the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether.  No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.

Allowing macros to run can be risky, and it keeps getting riskier as malware writers continue to innovate and add new tools and techniques to their portfolio.