AhnLab Security Emergency response Center (ASEC) monitors the various anti-sandbox tactics that malware uses to evade sandbox analysis. This post covers a rather persistent anti-sandbox technique that exploits a button form in malicious IcedID Word files, and the feature of AhnLab's MDS that defeats this evasion so that the malicious behavior can still be detected. The malicious IcedID Word file (convert.dot) contains an anti-sandbox technique built around a button form: a user must complete a two-step process before the malicious behavior triggers. Figure 1 shows what happens immediately after the Word file (convert.dot) identified as IcedID is opened. A pop-up window disguised as an error message (Step 1) is displayed by the macro code in Figure 2. The macro code only proceeds to the next stage if the [OK] or [Close] button on the pop-up window is clicked.
Figure 3 shows the screen displayed after a button on the pop-up window in Figure 1 is clicked: a form window that requires user input (Step 2). There are three ways to close the form, namely send (btnSend_Click), cancel (btnClose_Click), and closing the window (UserForm_QueryClose), but as the macro code in Figure 4 shows, all three lead to the same routine that activates the malicious behavior (feedbackAction).
Figure 5 shows the code that executes the malicious behavior ultimately triggered after Step 2 of the anti-sandbox trick explained above. This code provides backdoor functionality: it receives additional commands from a C2 server and executes them.
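A defender-side check for the pattern described above, added here as an example that is not part of the ASEC post: it scans extracted VBA source for a pop-up gate and for form event handlers that all converge on one routine. The VBA excerpt is constructed to mirror the described structure (the handler names come from the post; the body of feedbackAction is a placeholder, not the sample's code).

```python
import re

# Constructed VBA excerpt modelling the structure ASEC describes for convert.dot
# (Figures 2 and 4): a MsgBox gate in the open handler, then a UserForm whose three
# exit paths all reach one routine. Not the real macro; the payload is a placeholder.
SAMPLE_VBA = """
Sub Document_Open()
    MsgBox "Error: the document could not be converted.", vbCritical, "Error"
    UserForm1.Show
End Sub
Private Sub btnSend_Click()
    feedbackAction
End Sub
Private Sub btnClose_Click()
    Call feedbackAction
End Sub
Private Sub UserForm_QueryClose(Cancel As Integer, CloseMode As Integer)
    feedbackAction
End Sub
Private Sub feedbackAction()
    ' placeholder: the sample's C2 logic is deliberately not reproduced
End Sub
"""

# One procedure: optional scope, Sub/Function, name, rest of header line, then body.
PROC_RE = re.compile(
    r"^\s*(?:Private\s+|Public\s+)?(?:Sub|Function)\s+(\w+)\s*\(.*?$(.*?)"
    r"^\s*End\s+(?:Sub|Function)", re.S | re.M | re.I)
UI_EVENT_RE = re.compile(r"_(Click|QueryClose|Terminate|Activate)$", re.I)
GATE_RE = re.compile(r"\bMsgBox\b|\bInputBox\b|\.Show\b", re.I)

def analyze(vba):
    """Procedures that wait on a pop-up/form, and routines >=2 UI handlers converge on."""
    procs = {m.group(1): m.group(2) for m in PROC_RE.finditer(vba)}
    gates = [n for n, body in procs.items() if GATE_RE.search(body)]
    callers = {}
    for name, body in procs.items():
        if not UI_EVENT_RE.search(name):
            continue  # only the form's click/close handlers matter here
        for callee in procs:
            if callee != name and re.search(r"\b%s\b" % re.escape(callee), body):
                callers.setdefault(callee, []).append(name)
    converging = {c: h for c, h in callers.items() if len(h) >= 2}
    return {"gates": gates, "converging": converging}

def is_interaction_gated(vba):
    """True when both signals are present: a sandbox that never clicks sees nothing."""
    r = analyze(vba)
    return bool(r["gates"]) and bool(r["converging"])
```

In practice the input would be macro source extracted from the document with a tool such as olevba from oletools; a hit is a reason to run the file with simulated user interaction rather than to trust a quiet sandbox run.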
MDS products include a feature for defeating anti-sandbox evasion so that such malicious behavior can still be detected. When a file of this kind is detected, MDS products (which are APT detection solutions) use the MDS Agent to execute the file in a secure sandbox environment in order to confirm whether or not it is malware. Because MDS handles pop-up windows that wait for user input, it can drive the file to exhibit its final malicious behavior, for example a remote command such as downloading files, and alert users that the file is malicious. This is displayed in the following figure.
AhnLab detects and blocks malicious IcedID Word files that use anti-sandbox techniques with the aliases below.
- Trojan/DOC.Agent (2021.08.19.00)
- MD5 – bef1a9a49e201095da0bb26642f65a78 : convert.dot
- C&C URL – hxxps[:]//fusuri-solt-down[.]com/ecm/ibm/1629235716/feedback
More details about AhnLab MDS, which detects and responds to threats that sandbox-based dynamic analysis alone cannot identify, can be found on the AhnLab page.
Source: ASEC, "MDS' Evasion Feature of Anti-sandboxes That Uses Pop-up Windows".