Malicious macros employing new sandbox evasion techniques


(Sean Whalen) #1

I came across this report from Proofpoint that describes a few new sandbox evasion methods being used in macro droppers for Dridex, Nymaim, and Ursnif.

The first method is to identify the owner of the connecting IP address and check whether the name contains one of the following blacklisted terms, which are clearly targeted at identifying datacenters and security firms:

“Amazon”, “Anonymous”, “Blue Coat Systems”, “Cisco Systems”, “Cloud”, “Data Center”,
“Dedicated”, “ESET, spol”, “FireEye”, “Forcepoint”, “Hetzner”, “Hosted”, “Hosting”,
“LeaseWeb”, “Microsoft”, “NForce”, “OVH SAS”, “Security”, “Server”, “Strong Technologies”,
“Trend Micro”, “blackoakcomputers”

The second technique will download the malicious payload only if there are three or more Microsoft documents in the Windows recent files list.
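To make the two checks concrete, here is an added Python emulation of the dropper's decision logic (this is example code written for this thread; it is neither Proofpoint's code nor the VBA from the actual macros). It uses the blacklist quoted above verbatim. Everything else is an assumption for illustration: that the owner string is matched as a case-insensitive substring, which file extensions count as a "Microsoft document", and the function names. The `sandbox_gaps` helper turns the same logic around for sandbox operators, reporting which of the two checks would expose an analysis environment before a sample is detonated.

```python
"""Emulation of the two sandbox checks described in the post (added example).

Not Proofpoint's code and not the macro's VBA. Assumptions are marked inline.
"""
from __future__ import annotations

from typing import Iterable

# Terms quoted in the post: IP owners the macro treats as datacenters or security vendors.
BLACKLISTED_OWNER_TERMS = (
    "Amazon", "Anonymous", "Blue Coat Systems", "Cisco Systems", "Cloud",
    "Data Center", "Dedicated", "ESET, spol", "FireEye", "Forcepoint",
    "Hetzner", "Hosted", "Hosting", "LeaseWeb", "Microsoft", "NForce",
    "OVH SAS", "Security", "Server", "Strong Technologies", "Trend Micro",
    "blackoakcomputers",
)

RECENT_DOCS_REQUIRED = 3  # threshold stated in the post

# Assumption: which recent-file extensions count as "Microsoft documents".
DOC_EXTENSIONS = (".doc", ".docx", ".docm", ".rtf",
                  ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx")


def matched_owner_terms(ip_owner: str) -> list[str]:
    """Blacklist terms found in the IP owner string.

    Assumption: case-insensitive substring match (the post does not say how
    the macro compares, so 'amazon technologies' is treated the same as 'Amazon').
    """
    owner = ip_owner.lower()
    return [term for term in BLACKLISTED_OWNER_TERMS if term.lower() in owner]


def owner_looks_like_sandbox(ip_owner: str) -> bool:
    """Check 1: does the egress IP belong to a datacenter or security firm?"""
    return bool(matched_owner_terms(ip_owner))


def recent_document_count(recent_files: Iterable[str]) -> int:
    """Count entries of the recent-files list that look like Microsoft documents."""
    return sum(1 for name in recent_files if name.lower().endswith(DOC_EXTENSIONS))


def history_looks_like_sandbox(recent_files: Iterable[str],
                               minimum: int = RECENT_DOCS_REQUIRED) -> bool:
    """Check 2: a machine with fewer than `minimum` recent documents is treated as a sandbox."""
    return recent_document_count(recent_files) < minimum


def would_download_payload(ip_owner: str, recent_files: Iterable[str]) -> bool:
    """The dropper fetches its payload only when neither check trips."""
    files = list(recent_files)
    return not owner_looks_like_sandbox(ip_owner) and not history_looks_like_sandbox(files)


def sandbox_gaps(ip_owner: str, recent_files: Iterable[str]) -> list[str]:
    """For sandbox operators: which of the two checks would expose this environment."""
    files = list(recent_files)
    gaps = []
    terms = matched_owner_terms(ip_owner)
    if terms:
        gaps.append(f"egress IP owner {ip_owner!r} matches blacklist terms {terms}")
    count = recent_document_count(files)
    if count < RECENT_DOCS_REQUIRED:
        gaps.append(f"only {count} recent Microsoft documents, need at least {RECENT_DOCS_REQUIRED}")
    return gaps


# Constructed sample inputs (owner strings and recent-file lists are made up).
CONSTRUCTED_CASES = [
    ("Amazon Technologies Inc.", ["report.docx", "budget.xlsx", "notes.doc", "memo.docm"]),
    ("Comcast Cable Communications, LLC", ["report.docx"]),
    ("Comcast Cable Communications, LLC", ["q1.docx", "q2.docx", "q3.docx"]),
    ("OVH SAS", []),
]

if __name__ == "__main__":
    for owner, files in CONSTRUCTED_CASES:
        verdict = "DOWNLOAD" if would_download_payload(owner, files) else "BAIL OUT"
        print(f"{verdict:9} owner={owner!r} docs={recent_document_count(files)}")
        for gap in sandbox_gaps(owner, files):
            print(f"          gap: {gap}")
```

The practical takeaway for anyone running a sandbox: route detonation traffic through egress whose WHOIS/rDNS owner does not contain any of the listed substrings (note that generic words like "Server", "Cloud" and "Security" catch far more than the named vendors), and seed the image's recent-files list with a handful of real Office documents before detonating a sample.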