A Small Change Is the Best Evasive Technique

We all know that email is the path most traveled by cyber attackers when targeting organizations. Email attachments are used by attackers to inject malware into an organization in order to create the beachhead that facilitates the rest of the attack. We know that people can’t resist opening attachments.

In this post I will demonstrate how easy it is to bypass most security means that scan email attachments. We use the score on VirusTotal to show how we take a malicious Word attachment and transform it from a score of 17 (/60) to a score of 1 (/60) through a set of simple manipulations. VirusTotal is the de-facto benchmark for most security products that analyze attachments. The 1/60 score basically means that the file we have created will get through most relevant security products on the market today.

Technical details

Let’s assume that I’m an attacker and that I have put together an excellent ransomware attack. I plan to deliver a document via email that would drop and launch my malicious code. This is pretty easy to do using VBA macros. Under relevant security settings, Office applications allow me to run Visual Basic code that executes under the application’s process with the user’s privileges.

Let’s assume that I have a server, waiting to deliver my ransomware, and that I’ve created a Word document with the macro shown in figure 1. This macro implements the ‘Document Open’ function that runs automatically when the Word opens the document. It creates a powershell process that downloads the executable, places it in “c:\windows\temp” and launches it.

figure-1
Figure 1

It’s pretty straight forward; the code is neither obfuscated nor sophisticated so I would expect very high detection rate in VirusTotal. The results are rather disappointing; less than a third of the vendors marked this file as malicious.

17/60

Still, if I want to spread this file, I would prefer a much lower detection rate for my file.
I assume that many attackers use Document_Open() to autorun their code. Since most security solutions today base their signatures on past attacks, I need to come up with a slightly different method, so I may be able to bypass them. Instead of Document_Open(), I will use Document_Close(), which means that my code will run automatically when the document is closed. That did the trick for four more vendors.

So far I have managed to bypass 47 out of the 60 vendors – not bad!

Next, I will try not to have “exe”, “http” and “powershell” strings in the code. Instead of spending my time trying obfuscating, I have broken-up the very same string I had before and concatenated it into one variable, whose name was changed to ‘a’. The code shown in figure 2 managed to bypass one more vendor. 48 vendors are out, 12 are still in the game.

figure 2
Figure 2

12/60

At this point I had to think a little bit out of the box. Almost every attacker uses obfuscation, so that road is probably well covered. I’ll just place the Powershell execution line in the document properties, under the “Subject” field, and read it from there. Figure 3 shows what the code looks like.

Figure-3
Figure 3

The code is running as expected, and when I tested the file on VirusTotal, I saw the pleasing result that you can see in figure 4.

1/60

Figure-4
Figure 4

Only one vendor detected this file! My guess is that the other vendors didn’t see this kind of technique before. If I want to start spreading my ransomware at this point, all I need to do is to decorate the email with nice emojis and spread it to any email address I know.

In contrast with almost all other security products, BitDam does not rely on chasing the “attack du-jour”, and thus is able to “see” the maliciousness of the file despite any manipulations we use. If you want to get better protection against malicious email attachments check out BitDam’s solution or schedule a demo.

About the author

1 thought on “A Small Change Is the Best Evasive Technique

Leave a Reply

Your email address will not be published. Required fields are marked *

Name *