Rise of VBS Scripts evading Sandboxes

    We recently experienced new waves of malicious e-mails which use a clever trick to evade sandboxes. In this blog post we briefly outline our analysis. The e-mails look like this:


    Triage


    VirusTotal Score:


    The attachment is actually not a real RTF but rather a DOCX. The RTF extension might be used to evade simple AV or other mail scanners:


    The document includes macros which are embedded as an OLE stream:


    The VBA Macro code is heavily obfuscated. This is done to bypass static analysis:


    Recent malicious macros include many comments with legitimate words. Again, this is done to make static detection more difficult.

    Dynamic Analysis


    The initial Joe Sandbox analysis shows that Winword.exe spawns cmd.exe with a long command line:


    Although the code is obfuscated we can see that it creates a new VBS script on disk which is then started by the Windows Script Host (wscript.exe):


    Once again the VBS file is heavily obfuscated. However, we see that it has network related functionality:


    Unfortunately, when we check the behavior, no network traffic has been captured:


    Timer based Sleep Evasion


    Therefore we dug deeper and deobfuscated the VBS script, which revealed the following code:


    It is a traditional sleep evasion which waits 540 seconds before it downloads and executes the main payload. What is special is that it uses the Timer() function of VBA to control the sleep duration. The payload is actually an image with a PE file appended:




    The payload dropped is the Cerber Ransomware:




    In order to analyze this threat we have written a new Cookbook (check out our Cookbook technology):


    The cookbook accelerates the local system time and simulates a 30 minute time shift in 30 seconds. Since the VBA Timer() function is based on the local system time, this bypasses the evasion:
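    To illustrate why the Timer()-based wait described above is defeated by accelerating the guest clock, here is an added example (not Joe Sandbox code, and not the sample's code) that emulates the wait loop against an injectable clock. The `Clock`, `timer_based_wait` and `sandbox_outcome` names, the 10:00 start time and the 300 second analysis budget are assumptions made for the illustration; the 540 second wait and the "30 minutes in 30 seconds" speedup come from the analysis.

```python
"""Emulates a VBA/VBScript Timer()-based sleep evasion against a fake,
optionally accelerated, local system clock. Added example, not Joe Sandbox
or sample code; all names and the sample values are constructed."""

SECONDS_PER_DAY = 86400


class Clock:
    """Fake local system clock. speedup = virtual seconds per real second
    (1.0 = normal clock; 60.0 = the cookbook's 30 minutes in 30 seconds)."""

    def __init__(self, start_seconds_since_midnight, speedup=1.0):
        self.now = float(start_seconds_since_midnight)
        self.speedup = speedup
        self.real_elapsed = 0.0

    def timer(self):
        """Mimics Timer(): seconds since local midnight, wrapping at 24h."""
        return self.now % SECONDS_PER_DAY

    def wscript_sleep(self, real_seconds):
        """Models WScript.Sleep: real time passes, virtual time passes faster."""
        self.real_elapsed += real_seconds
        self.now += real_seconds * self.speedup


def timer_based_wait(clock, wait_seconds, poll_seconds=1.0, max_real_seconds=3600):
    """Reproduces the evasion's loop: poll Timer() until wait_seconds of
    local-clock time have passed. The modulo handles the midnight wrap of
    Timer(). Returns real seconds spent, or None if the loop did not finish
    within max_real_seconds (i.e. the sandbox run would time out first)."""
    start = clock.timer()
    while clock.real_elapsed < max_real_seconds:
        elapsed = (clock.timer() - start) % SECONDS_PER_DAY
        if elapsed >= wait_seconds:
            return clock.real_elapsed
        clock.wscript_sleep(poll_seconds)
    return None


def sandbox_outcome(speedup, wait_seconds=540, analysis_budget=300):
    """(payload_stage_reached, real_seconds_spent) for an analysis run of
    analysis_budget real seconds with the given clock speedup."""
    clock = Clock(start_seconds_since_midnight=10 * 3600, speedup=speedup)
    spent = timer_based_wait(clock, wait_seconds, max_real_seconds=analysis_budget)
    return spent is not None, spent


if __name__ == "__main__":
    print("normal clock:     ", sandbox_outcome(1.0))   # (False, None)
    print("accelerated clock:", sandbox_outcome(60.0))  # (True, 9.0)
```

With a normal clock the 540 second wait outlasts a 300 second analysis window and the download never happens, which matches the empty network trace above; with the clock running 60x faster the wait expires after 9 real seconds.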


    Full Joe Sandbox Analysis Report:



    Conclusion


    Joe Sandbox is a very flexible and open framework for malware analysis. In contrast to other sandboxes, Joe Sandbox offers an adaptive tool which enables cyber security professionals to fight malware no matter what evasion is used. Given the power of cookbooks together with the in-depth analysis of Joe Sandbox, you can detect evasion and bypass it very quickly. In addition, malware can be analyzed on any device, including bare-metal laptops, PCs and phones.


    Call us for a presentation or in-depth demo!