
How can obfuscated macro malware be located and removed?

A new type of macro malware has the ability to evade the detection of virtual machines and sandbox environments. Expert Nick Lewis explains how to find and remove this malware.

Researchers at SentinelOne Inc. have found a new type of document-based macro malware that lies dormant to evade detection by sandbox test environments and virtual machines. The malware also checks the targeted system's IP address against a blacklist of IP addresses that belong to security firms, and, if there is a match, the malware does not execute. How can enterprises locate and remove macro malware with these types of obfuscation techniques?

Malware researchers face a problem when trying to test software without affecting live data or impacting real users. Using an infected endpoint could expose real data and systems to additional risk, and could potentially impact productivity for the end user (and the researchers).

Real systems also pose many other challenges, and they typically lack the tools needed to analyze the contents of memory, such as Memoryze and Volatility, or debuggers, such as IDA Pro and OllyDbg.

Analysts need to monitor the contents of memory, as well as the potentially malicious process itself, to determine which actions it takes; that understanding is what allows the malware to be detected, removed from a system and prevented from recurring.

It is also difficult to automate analysis for these systems. For these reasons, researchers and vendors use test systems.

However, malware authors may find these test systems easier to identify, as researchers at SentinelOne found during their analysis of new macro malware that behaved unpredictably -- by not displaying any malicious activity.

This is due to an obfuscation technique the macro malware employs when the malicious Word document is opened: it checks whether at least three other Word files have been opened, to determine whether it is on a real system or in an analysis virtual machine (VM) or sandbox environment.

The malware also checks to see if it's on a VM by obtaining information about the IP address of the host system; if the IP address is associated with a known security or hosting company, then the malware stays dormant.
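As an added example (not code from the original article, nor from SentinelOne), the following Python heuristic scans VBA macro source for the two evasion checks described above combined with process execution, which is the pattern a defender would want a document scanner to flag. The macro text is constructed, and the assumptions that the recent-document check uses Word's RecentFiles collection and that the IP lookup is an HTTP request are mine, not the article's.

```python
import re

# Constructed VBA sample modelled on the evasion checks described in the article
# (recent-document count, IP/organisation lookup). It is not real malware.
SAMPLE_MACRO = """
Sub AutoOpen()
    If Application.RecentFiles.Count < 3 Then Exit Sub
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", "https://ip-lookup.invalid/json", False
    http.Send
    If InStr(LCase(http.responseText), "security") > 0 Then Exit Sub
    Shell Environ("TEMP") & "\\payload.exe", vbHide
End Sub
"""

# Constructed benign macro: formatting only, no evasion or execution.
BENIGN_MACRO = """
Sub FormatTable()
    Selection.Tables(1).Style = "Grid Table 4"
End Sub
"""

# Each rule: (name, regex, weight). Weights are illustrative, not a vendor scheme.
RULES = [
    ("auto-exec entry point", r"\bSub\s+(AutoOpen|Document_Open|AutoExec)\b", 1),
    ("recent-files sandbox check", r"RecentFiles\.Count\s*(<=|>=|<|>|=)\s*\d+", 3),
    ("external IP/geo lookup", r"(XMLHTTP|WinHttpRequest|ServerXMLHTTP)", 2),
    ("vendor-name string match", r"InStr\(.*?\b(security|antivirus|sandbox)\b", 2),
    ("process execution", r"\bShell\b|WScript\.Shell", 3),
]


def scan_macro(vba_source):
    """Return (findings, score): names of matched rules and their summed weight."""
    findings, score = [], 0
    for name, pattern, weight in RULES:
        if re.search(pattern, vba_source, re.IGNORECASE):
            findings.append(name)
            score += weight
    return findings, score


def is_suspicious(vba_source, threshold=5):
    """An evasion check plus execution clears the threshold; formatting macros do not."""
    _, score = scan_macro(vba_source)
    return score >= threshold
```

The rules are deliberately string-based so they work on macro source extracted from a document before it is ever opened, which sidesteps the dormancy problem that defeats a sandbox.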

Macros are necessary for automating repetitive tasks used in data analysis in spreadsheets, or for adding complex formatting to many documents. More complex macros can perform advanced actions on a system, like downloading and executing malicious code.

The new checks this type of macro malware uses, along with prior obfuscation techniques used in examples such as the SFG malware dropper, show the steps malware authors are taking to increase the difficulty of performing an analysis.

Making the malware more difficult for researchers to analyze does not reduce defenders' ability to detect or remove it from an infected endpoint. An endpoint security tool is needed to identify the malicious behavior and to record any changes it makes to the system. The malware still needs to get onto a target system in the first place, and that delivery stage can be addressed with standard tools.
