Maldocs: More on Bypass & Detection!
Co-author: Adair Collins
Overview
In our prior posts, Maldocs! and New! Sandbox Model for Maldocs, we gave a complete breakdown of maldoc analysis, followed by ways to improve sandboxes for detection. In this article we focus on the limitations of malware sandbox detection, on bypass techniques, and on how sandbox detection of maldocs could be improved further. It is commonly assumed that a sandbox executes every component of a maldoc by default in order to analyze the malware embedded in it. In reality, most sandboxes are limited to AutoOpen macros as the trigger for executing embedded OLE objects; anything with a different trigger is never run.
Malware Sandbox Simple Bypass Technique
Sandboxing technology has evolved, and so has the malware it is meant to catch. In this ongoing race between malware and sandboxes, we have observed that defenders are playing catch-up with the attackers. The ideas in this article are shared to encourage improvement of sandbox analysis techniques.
File extension mismatch (.RTF -> WordPad)
Some ".docx" documents saved with an ".rtf" extension are not handed to Microsoft Word inside the sandbox virtual machine; instead they are opened by WordPad. Since WordPad cannot render the document, it is not analyzed and may even be whitelisted. This happens because some malware sandboxes do not validate the file type before deploying the file within the VM: the handler application is chosen from the extension alone.
For test purposes we created two files: (1) FakeRTF.docx, renamed to FakeRTF.rtf, and (2) RealRTF.rtf, a genuine RTF file. If you would like to replicate this, do so within your sandbox VM to see whether your sandbox detects the mismatch.
$ file RealRTF.rtf
RealRTF.rtf: Rich Text Format data, version 1, unknown character set
$ file FakeRTF.rtf
FakeRTF.rtf: Microsoft Word 2007+
The FakeRTF.rtf line in the file output above shows a file identified as "Microsoft Word 2007+" despite its ".rtf" extension. This is the file that was created as a ".docx" and then renamed to ".rtf"; a sandbox should flag this mismatch as an anomaly and open the file with the application that matches its real type, not its extension.
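As an added example (not part of the original post or its tooling), the check below decides the file type from the leading bytes rather than from the extension, the way the file command did above, and flags a mismatch before the sample is routed to a handler application. The magic values are the documented signatures of RTF, the OLE2 compound file format and the OOXML zip container; the two sample blobs are constructed inline to mirror RealRTF.rtf and FakeRTF.rtf, and the extension-to-type table is an assumption for illustration.

```python
"""Detect file-type vs. extension mismatch before a sample reaches the sandbox VM.

Added example, not code from the original post. Only the signatures of the
three formats discussed (RTF, the OOXML zip container, legacy OLE2/CFB) are
checked; the sample bytes at the bottom are constructed for illustration.
"""
import io
import os
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # Compound File Binary header (.doc/.xls)
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML (.docx/.xlsx/.pptx) is a zip
RTF_MAGIC = b"{\\rtf"

# Assumed policy: which sniffed types an extension legitimately carries.
EXPECTED = {
    ".rtf": {"rtf"},
    ".doc": {"ole2", "rtf"},   # Word opens RTF content saved as .doc
    ".docx": {"ooxml"},
    ".docm": {"ooxml"},
}


def sniff(data: bytes) -> str:
    """Return a coarse type name derived from the leading bytes, never the filename."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = set(z.namelist())
        except zipfile.BadZipFile:
            return "zip"
        # Every OOXML package carries a content-types part at the root.
        return "ooxml" if "[Content_Types].xml" in names else "zip"
    return "unknown"


def check(filename: str, data: bytes) -> dict:
    """Compare the extension against the sniffed type; a mismatch is a routing anomaly."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and kind not in expected
    return {"file": filename, "ext": ext, "sniffed": kind, "mismatch": mismatch}


def build_fake_docx() -> bytes:
    """Constructed minimal OOXML container: enough for the sniffer, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


# Constructed samples mirroring the two test files from the post.
SAMPLES = {
    "RealRTF.rtf": b"{\\rtf1\\ansi Hello}",   # genuine RTF content
    "FakeRTF.rtf": build_fake_docx(),         # .docx content renamed to .rtf
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = check(name, blob)
        verdict = "ANOMALY: open with the app for the real type" if r["mismatch"] else "ok"
        print(f"{name}: sniffed={r['sniffed']} -> {verdict}")
```

The same sniff-before-dispatch step belongs in front of any sandbox that picks its handler application from the extension; when the sniffed type and the extension disagree, the sample should be opened with the application for the sniffed type and the mismatch itself recorded as an indicator.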
Unsupported Macro Execution Types
Most sandboxes rely on an AutoOpen macro to trigger execution of the embedded OLE object, but how many are configured to detect an AutoClose macro and act on it by closing the document, so that the macro which launches the embedded object actually runs?
Click to Exploit via OLE Objects
No macros, no problem? The general consensus is that if a document contains no macros, we should be fine. That is not true. We have observed click-to-exploit maldocs that bait the user into clicking an embedded OLE object, which in turn executes a malicious script or binary.
Other limitations we have observed in sandbox processing:
- Phishing emails with attachments are not processed end to end:
  - Password-protected archive (the password has to be extracted from the email body in the EML file)
  - Password-protected Office document (password likewise extracted from the EML file)
- No decoded copy of an obfuscated malicious script is provided:
  - Changing the script's execution call to a print/echo (for example, IEX to Write-Output in PowerShell, eval to console.log in JavaScript) and running it in an online PowerShell or JavaScript interpreter reveals the decoded payload
Improved Analysis Process
This was discussed in our previous post; the steps are summarized below:
- Verify the document type
  - .RTF vs .DOCX, using file magic (libmagic/exiftool/YARA), not the extension
- Does the document contain a macro? If so, what type?
  - AutoOpen, AutoExec, AutoClose: open or close the file as the macro's trigger requires.
  - AutoClose (or a Document_Close event handler) runs when the document is closed. Is your sandbox intelligent enough to detect this condition and close the maldoc to allow execution and analysis?
- Uncompress (OOXML is a PKZIP container) and extract the parts
- If there is no macro, does the document contain an OLE object (think click-to-exploit)? Keywords: relationships/oleObject
  - If so, extract the object and scan it with YARA. Keywords: powershell.exe, wscript.exe, cmd.exe, mshta.exe.
  - If keyword(s) are detected, send the extracted OLE object to the sandbox for analysis
  - Use a case-insensitive search and also account for characters commonly used for obfuscation and concatenation (for example ^ in cmd.exe command lines, & in VBA and + in PowerShell string concatenation).
Our Maldocs! and sandbox model articles each covered one aspect of analysis; this post ties the two together to shed light on how sandbox execution and detection can be made better.
If you find this article to be interesting, please share your comments on what you have observed and your personal experience.
“A smart man makes a mistake, learns from it, and never makes that mistake again. But a wise man finds a smart man and learns from him how to avoid the mistake altogether.” ― Roy H. Williams
Disclaimer: Please note that these posts and what is described in them are for educational purposes only. Opinions expressed are solely my own and do not express the views or opinions of my employer.