Security researchers recently observed a phishing campaign that uses innovative macro tactics to deliver the Ursnif banking Trojan while evading sandbox detection.

According to Trend Micro, the macro embedded into the spam email uses PowerShell’s AutoClose feature to delay execution until the document carrying the macro is closed. This allows the threat actors to elude detection tools.

A Tricky Trojan

Attackers have long used malicious macros to distribute banking Trojans and other malware, SecurityWeek reported. This particular method is designed to confuse sandboxes by disassociating the causative document from the malicious action. Like many spam campaigns, the attackers employ social engineering tricks to convince victims to enable macros manually.

The Trend Micro researchers noted that, due to its ease of implementation, this technique is “becoming a common feature is many malicious macros.”

More Tricks to Dodge Sandbox Detection

The Trend Micro team also discovered another sandbox evasion method that involves checking enumeration values, which indicate what features are present in various versions of Microsoft Office. For example, one value called xlAutomaticAllocation is only present in Office versions issued after 2007.

By checking for this value, malicious actors can determine which version of Office a victim is using. This is key, since many sandboxes only use Office 2007 for automated analysis. If the enumeration value is greater than zero, meaning that the value is active, the threat actors can be reasonably sure that they aren’t executing the malware in a sandbox.

Checking Hash Length to Hide From Sandboxes

Many detection programs also create hashes for file names they analyze. Since a hashed file name is always longer than 30 characters, the threat actors can simply check the length to determine whether their malware is in a sandbox.

The new techniques described above highlight the fact that malware authors constantly tweak their code to stay one step ahead of researchers. Security professionals must account for these tactical shifts and adjust their strategies accordingly.

More from

Why Cybersecurity Risk Assessment Matters in the Banking Industry

When customers put money in a bank, they need to trust it will stay there. Because of the high stakes involved for the customer, such as financial loss, and how long it takes to resolve fraud and potential identity theft, customers are sensitive to the security of the bank as well as fraud prevention measures. Banks that experience high volumes of fraud are likely to lose customers and revenue. The key is to protect customers and their accounts before problems…

What CISOs Should Know About CIRCIA Incident Reporting

In March of 2022, a new federal law was adopted: the Cyber Incident Reporting Critical Infrastructure Act (CIRCIA). This new legislation focuses on reporting requirements related to cybersecurity incidents and ransomware payments. The key takeaway: covered entities in critical infrastructure will now be required to report incidents and payments within specified time frames to the Cybersecurity and Infrastructure Security Agency (CISA). These new requirements will change how CISOs handle cyber incidents for the foreseeable future. As a result, CISOs must…

Will the 2.5M Records Breach Impact Student Loan Relief?

Over 2.5 million student loan accounts were breached in the summer of 2022, according to a recent Maine Attorney General data breach notification. The target of the breach was Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that intruders accessed student loan account registration information between June and July 2022. The stolen data includes names, addresses, emails, phone numbers and social security numbers for 2,501,324 student loan…

Containers, Security, and Risks within Containerized Environments

Applications have historically been deployed and created in a manner reminiscent of classic shopping malls. First, a developer builds the mall, then creates the various stores inside. The stores conform to the dimensions of the mall and operate within its floor plan. In older approaches to application development, a developer would have a targeted system or set of systems for which they intend to create an application. This targeted system would be the mall. Then, when building the application, they would…