Malicious Documents Use New Tricks To Evade Detection, Warns Zscaler

Security firm Zscaler has warned of more cyber nastiness after it discovered malicious documents that evade detection by using a new technique.

It seems attackers are enabling macros within malicious Microsoft Word documents as part of their attempt to evade the analysis systems used by anti-virus tools.

Macro Trick

Malicious executables hidden within documents are not a new phenomenon, but attackers are increasingly utilising new techniques to make it harder for security software to detect them proactively, blogged Zscaler.

Zscaler said that attackers are now making use of macros, which of course are pieces of code embedded inside Microsoft Office documents (usually written in Visual Basic). Microsoft Office disables macros by default, but attackers are now apparently “using clever social engineering tactics to lure the user into enabling the macros.”

And it seems that malware authors are making the macro code extremely difficult to detect by signature-based systems.

“In addition to highly obfuscated macros, malware authors are using multiple techniques in macros to detect the virtual environment and automated analysis systems,” warned Zscaler.

“If any of these anti-VM or anti-sandbox checks is positive then the VBA macro code execution terminates and the end malware payload does not get downloaded on the system shielding it from automated analysis and detection,” said Zscaler. “Alternately, the malicious document will download and install a malware executable on the victim’s system if all the anti-VM checks fail.”

“Malicious documents with highly obfuscated macros have become an increasingly popular vector among cyber criminals to deliver malware executable payloads,” said Zscaler. “By adding newer anti-VM and anti-analysis techniques to the malicious documents themselves, the attackers are protecting the end executable payloads from being downloaded and detected by the automated analysis systems.”
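Because the anti-VM checks described above are designed to stop the payload from ever reaching an automated sandbox, one defensive check that does not depend on detonating the document is a structural one: a macro-enabled Office file must carry its VBA project as a part inside the package, and that part is present whether or not the macro code inside it is obfuscated. The following Python script is an added example written for this article, not code from Zscaler or from Microsoft. It assumes the standard OOXML layout (a zip container with a [Content_Types].xml part and the VBA project stored as a vbaProject.bin part) and flags legacy OLE2 files separately, since those need a dedicated VBA parser; the sample documents it builds are constructed in memory and are not real Word files.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls/.ppt files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# OOXML packages (.docm/.xlsm/.pptm) store macros in a part named
# vbaProject.bin under word/, xl/ or ppt/. Compared case-insensitively.
VBA_PART_SUFFIX = "vbaproject.bin"


def classify_office_document(data: bytes) -> str:
    """Classify raw file bytes without executing anything.

    Returns one of:
      'macro'       - OOXML package that carries a VBA project
      'no-macro'    - OOXML package with no VBA project part
      'legacy-ole'  - OLE2 container; needs a VBA stream parser to decide
      'not-office'  - neither format
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "not-office"
    # Every OOXML package declares its parts in [Content_Types].xml.
    if "[content_types].xml" not in names:
        return "not-office"
    if any(n.endswith(VBA_PART_SUFFIX) for n in names):
        return "macro"
    return "no-macro"


def should_hold_for_review(data: bytes) -> bool:
    """Gateway policy (assumed here): hold anything that carries a VBA
    project, and hold legacy OLE2 files too until a VBA-aware parser
    has looked at them, since their macro presence cannot be read off
    the container alone."""
    return classify_office_document(data) in ("macro", "legacy-ole")


def build_sample(with_macro: bool) -> bytes:
    """Build a constructed, minimal OOXML-like package for testing.
    This is not a real Word document; it only mimics the part layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            # A real vbaProject.bin is an OLE2 blob; placeholder bytes
            # are enough to exercise the part-name check.
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro-enabled", build_sample(True)),
                        ("plain", build_sample(False)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 8),
                        ("text", b"hello")):
        verdict = classify_office_document(blob)
        print(f"{label:14} -> {verdict:11} hold={should_hold_for_review(blob)}")
```

The check is deliberately content-agnostic: it tells you that a document can run VBA at all, which is exactly the property the social-engineering lure needs, and it cannot be defeated by obfuscating or sandbox-gating the macro body. It does not tell you what the macro does, so it belongs at the front of a triage pipeline, ahead of any detonation step.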

Ongoing Problem

The firm advises users to never trust documents that prompt them to enable macros in order to view the content.

In March Microsoft made it tougher for enterprises to fall victim to macro-based attacks that prey on Office users. It implemented a new policy-setting feature in Office 2016 that allows administrators to block macros from untrusted sources.

Despite that, macro-based malware continues to be a thorn in the side of IT departments tasked with securing their organisations’ systems.


Tom Jowitt
