Malware developers have been trying to evade detection using various techniques.
Trojans, for example, have been lying dormant until a trigger enables it.
Malware researchers try out the malware they are dissecting in safe environments to avoid spreading and to see the results more clearly for them to replicate the procedure to fix it. One of these techniques is to use a virtual machine or by sandboxing.
Nowadays, malware developers try their best to avoid these test environments and they are craftier than ever.
Malware researcher Caleb Fenton with security firm SentinelOne discovered a technique with the malware he was decoding that it evades detection by simply counting the number of documents in the machine being used.
Simple and smart. That way, virtual machines and sandboxes would definitely lack documents and easier for the malware to avoid triggering. They will be able to figure out if they are in a test environment.
If the malware is smart enough to know when it is being tested, it can avoid triggering. Therefore, it takes time for malware hunters to detect and create fixes for them.
The malware sample that Fenton found inside (“Intelligent Software Solutions Inc[.]doc”) looks for existing documents on targeted PCs.
During Fenton’s research, he found out that his virtual machine lacked documents that would normally be found in the real world. If no Microsoft word documents are found on the machine, the VBA macro code will terminate and shield it from being analyzed. If there are more than 2 documents, the macro will download and install the full malware payload.
This malware-laced document is being distributed via spam or phishing. Computers have a RecentFiles feature which gives a glimpse and easier access to recently viewed or created documents.
The malware checks if the RecentFiles is within its criteria which therefore validates before triggering the PowerShell script that links it to the command-and-control server to download and install a low-level system keylogger.
In another obfuscation technique, the malware uses an IP detection web service (Maxmind) to determine the network used by the targeted system. The IP address is cross referenced with a list of blacklisted IP addresses tied to security firms such as BlueCoat, Palo Alto and others. Those IPs are red flagged and stop the malware from executing, according to Fenton.
The new trend is that malware performs anti-VM or Sandboxing or cloud services checks before running. Although it is not new, macros and IP checking are also performed.
In June, Zscaler researchers found document-based macro attack code using multiple techniques to detect and evade virtual environments and automated analysis systems. One macro scanned for standard virtual environment strings and another looked for the presence of known analysis tools on the system.
It just keeps on getting more and more sophisticated with regards to malware being able to detect test environments. Malware authors have realized that by adding obfuscation code to their malware, it can extend their malware from detection and be more profitable. The longer is is not detected and no fix is released, the more damage it can do in the wild and more profit for them.
It is a never-ending cat and mouse chase and the possibilities are endless.
