Macros remain the most popular vector for malware and payload delivery. In fact, malware authors are switching to attack methodologies that leverage MS Office and script-based threats. There was a significant increase in script-based detections (73.55%) and Office based macro detections (30.43%) according to the Malware Threat Report: Q2 2020 Statistics and Trends by Avira Protection Labs.(1) Various techniques are used by threat actors to hide malicious macros, such as evasive VBA and VBA project locked which renders the macro code ‘unviewable’. These threats can be neutralized by OPSWAT Deep Content Disarm and Reconstruction (Deep CDR™ Technology) technology. Deep CDR™ Technology efficacy is described in our previous blog post. In this blog, we will show how Deep CDR™ Technology prevents another advanced malware evasion technique called VBA Stomping.
O VBA stomping foi ilustrado pelo Dr. Vesselin Bontchev na sua introdução ao VBA p-code disassembler. O problema é que o VBA stomping destrói o código-fonte VBA original incorporado num ficheiro do Office e compila-o num código p (um pseudo-código para uma máquina de pilha), que pode ser executado para distribuir malware. Neste caso, a deteção de documentos maliciosos (maldoc) baseada no código fonte VBA é contornada e o payload malicioso é entregue com sucesso. Aqui está um exemplo pormenorizado de "stomping" VBA.
Usando a técnica VBA stomping, o script de macro original é alterado para mostrar uma mensagem simples. Isto impede que os programas anti-malware detectem o conteúdo ativo suspeito no ficheiro. No entanto, a macro continua a ser executável (através do código p) e pede para executar a linha de comando.
Deep CDR™ Technology protects you from all malicious content hidden in files. It removes both macro source code and p-code within documents. Our advanced threat prevention technology does not rely on detection. It assumes all files entering your network are suspicious and sanitizes and reconstructs every file with only its legitimate components. Regardless of how the active content (macro, form field, hyperlink, etc.) is concealed in a document, it is removed before the file is sent to users. Watch the demo video below to understand how Deep CDR™ Technology is effective in the VBA Stomping scenario.
Deep CDR™ Technology ensures every file entering your organization is rendered harmless. This helps prevent zero-day attacks and stops evasive malware from entering your organization. Our solution supports sanitization for over 100 common file types, including PDF, Microsoft Office files, HTML, image files, and many regional-specific formats such as JTD and HWP.
Contacte-nos para saber mais sobre as tecnologias avançadas do OPSWATe para proteger a sua organização contra ataques cada vez mais sofisticados.
Referência:
(1) "Relatório de Ameaças de Malware: Estatísticas e tendências do segundo trimestre de 2020 | Blog da Avira". 2020. Blogue da Avira. https://www.avira.com/en/blog/....
