Netskope Threat Research Labs has observed the URSNIF data theft malware being shared among Microsoft OneDrive users. The malware was observed propagating via a malicious Microsoft Word macro which tricks the end user into opening the file and, if macros are disabled, enabling them. The Word macro is heavily obfuscated, making it difficult for traditional antivirus products to detect it. Additionally, a collection of anti-sandbox techniques are employed in attempt to subvert sandboxes and other run-time detection techniques.
Netskope Active Threat Protection detects the malicious Word file as “W97M.Downloadr.DVS” and the resulting URSNIF data theft malware as “Backdoor.Generckd.3415082”.
Analysis of Malicious Word Document
While analyzing this malicious Word document, we found a fake error trick used to lure the victim as well as several anti-sandbox techniques used to bypass automated sandboxes. Once the document file is opened, a very clever but illegitimate error message is shown to fool the victim. The error message looks like a genuine Word error as shown in Figure 1.
Figure 1: Word document with fake error message.
The error message shown in above Figure 1 lures the victim into enabling macros to correct the error encountered with this fake message. The document contains malicious macro code and we can see the code using VBA editor (use ALT + F11). The obfuscated macro code is shown in Figure 2.
Figure 2: Obfuscated macro code inside document.
The macros are split into couple of modules and they are only run when “Document_Close()” function executes.
Anti-sandbox Techniques Employed by the Attack Macro
The malicious Word document will not run in a virtual environment. The macros within the malicious Word document use several anti-sandbox techniques to bypass certain sandbox environments as shown in Figure 3.
Figure 3: Anti-sandbox techniques to bypass sandboxes
The following are some of the anti-sandbox highlights:
- The macros only run their code when the document is closed. This is used to bypass weaker sandbox environments, which only monitor activities for a period of time rather than opening and later closing the document as a real user would.
- The macros check for user name against “PSPUBWS” that is being used to identify the hyb