
Sinister new malware hints at future of undetectable viruses

The threat was discovered by SentinelOne senior researcher Caleb Fenton. Fenton was tasked with assessing some malware that targets Microsoft Word. Once executed, the script downloads a key-logging program in the background. The key-logger then begins to report home to the attackers, exposing sensitive user data and passwords.
Fenton noticed that the malware sometimes “failed to behave maliciously” when Word was started. Instead of downloading the malicious program, it would lie dormant and refuse to activate. When he analysed the source code, it became apparent that the malware deliberately stays quiet. It contains two mechanisms designed to prevent security researchers from dissecting its operations.
Once launched, the malware checks how many documents are in Word’s recent files list. If fewer than three are found, execution is suspended and the malicious program is not downloaded. The malware uses the recent documents list to establish whether it is running on a virtual machine.
Virtual machines are used by security researchers to isolate malware for testing and analysis. A researcher is unlikely to heavily use Word on a virtual machine, whereas a regular PC user would typically have several recently used documents. The malware uses this indicator to evade capture. If it appears as though Word isn’t often used, it shuts itself down to avoid being detected.
The malware also includes another technique to detect if it is being virtualised. It connects to an external server, maxmind.com, to work out its location. The site, a legitimate location service, offers a public API that allows applications to use its data. The information it returns includes the location of the computer’s IP address and the organisation it is registered to.
The malware compares the organisation given in the response with a list of names stored in a text file. The inclusion of several cloud hosting providers and security firms makes the list’s purpose clear. The malware checks to see if it is running on the network of a cybersecurity company and locks itself down if so.
The threat isn’t especially sophisticated but it marks a malware trend that’s set to grow in the near future. Evasive malware already exists but it’s likely to become more prevalent, including on consumer machines and applications, in the next few years.
“These document-detecting samples represent a new trend for VBA-based [Microsoft Office] malware. We expect this type of evasion techniques in more sophisticated malware – not with less formidable macro malware,” Fenton told Threatpost.
If malicious programs are able to take shelter when discovered, researchers won’t be able to find them as easily. Fenton warned that current approaches to malware testing don’t always allow for a fair evaluation of samples that actively evade analysis.
“Testing malware is hard and there’s a lot that can go wrong, especially if you don’t rely merely on simple signatures but instead detect malicious behavior,” said Fenton. “For a fair evaluation of an AV product, any test must be done in such a way as to exercise the most malicious code and invoke realistic behaviors from the malware samples.”
Going forward, anti-virus vendors may need to make their virtual machines increasingly “lifelike”, rather than providing sterile environments with the bare minimum of software installed. This would offer a higher chance of catching the malware, at the expense of longer deployment times.
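As an added illustration of how a sandbox operator might triage the two gating checks described above (the recent-files count and the MaxMind organisation lookup) and work out how “lifelike” the analysis VM needs to be, here is a small Python scanner over extracted macro text. It is not code from SentinelOne or from the sample; the macro snippet it scans is constructed to contain only the gating logic, and the regular expressions are assumptions about how such checks are typically written.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample of the gating logic described in the article (no payload,
# only the two checks); not the real malware's source.
SAMPLE_MACRO = """
Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://www.maxmind.com/geoip/v2.1/city/me", False
    http.Send
    org = ExtractOrg(http.responseText)
    If InStr(1, blocklist, org, vbTextCompare) > 0 Then Exit Sub
End Sub
"""

# Heuristic patterns (assumed, not taken from any vendor signature):
# a numeric comparison on Word's recent-files count, a GeoIP service URL,
# and a substring test involving an organisation/ISP name.
RECENT_FILES_RE = re.compile(r"RecentFiles\.Count\s*(<=|>=|<>|<|>|=)\s*(\d+)", re.I)
GEOIP_RE = re.compile(r"maxmind\.com|/geoip/", re.I)
ORG_CHECK_RE = re.compile(r"\bInStr\s*\([^)]*\b(org|organi[sz]ation|isp)\w*", re.I)


def scan_macro(vba: str) -> Dict[str, object]:
    """Report which sandbox-evasion gates appear in a block of VBA text."""
    findings: Dict[str, object] = {}
    m = RECENT_FILES_RE.search(vba)
    # Keep the operator and threshold so the analyst can reason about the gate.
    findings["recent_files_gate"] = (m.group(1), int(m.group(2))) if m else None
    findings["geoip_lookup"] = bool(GEOIP_RE.search(vba))
    findings["org_name_check"] = bool(ORG_CHECK_RE.search(vba))
    return findings


def min_recent_files(gate: Optional[Tuple[str, int]]) -> Optional[int]:
    """Smallest recent-files count at which a 'Count <op> n Then Exit' gate
    lets execution continue, i.e. how many entries the analysis VM should
    have seeded. None if there is no gate or the operator is unfamiliar."""
    if gate is None:
        return None
    op, n = gate
    if op == "<":        # exits below n, so n entries are enough
        return n
    if op == "<=":       # exits at or below n, so n + 1 are needed
        return n + 1
    return None
```

Run against real samples, the findings tell the sandbox team which indicators to seed (recent documents) and which outbound lookups to expect or stub, rather than relying on a bare default Word install.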