Malware Sandbox Evasion Using VBA Macros: How it Works

April 26, 2020

The sandbox – an isolated testing environment where a file or program from untrusted sources can be executed – is a common method of cyber-defense for many networks. The sandbox is designed to ensure that if a program or file is malicious, it will be discovered and blocked without compromising organizational security. Sandboxing is also useful in stopping advanced persistent threats (APTs) that bide their time on a network with the goal of stealing corporate data over time. With sandboxing, security experts can observe any suspicious code before any negative consequences occur. 

Unfortunately, hackers have figured out how to detect a sandbox environment and bypass the sandbox’s protection. Common techniques for sandbox detection include detecting virtualization via the hypervisor, virtualization DLLs, side channels or unusual hardware; or identifying an artificial environment via cookies or browser history, recent file count, screen resolution or the presence of old vulnerabilities. Common techniques for malware sandbox evasion include defeating the monitor by removing or working around hooks or by delaying malware execution; or being context-aware by checking for user interaction, date or time zone, or by using encrypted payloads. All of these techniques require code execution in order to operate effectively.

A lesser-known but highly effective approach to malware sandbox evasion takes advantage of the basic rules of how Visual Basic for Applications (VBA) macros and sandboxes operate. This technique doesn’t require code execution in order to detect the sandbox environment.

Malware Sandbox Evasion using VBA Referencing

VBA refers to simple codes – or macros – that perform a series of tasks or commands within a targeted computer program. These macros connect files and allow them to communicate with each other based on events or actions that take place within those programs. This capability is clearly documented in Microsoft’s MS-OVBA document.

Hackers can easily take advantage of VBA’s ability to reference another remote VBA project in order to carry out attacks. Tests have shown that this attack approach is most likely to succeed in Microsoft Excel.

Here’s how:

An attacker prepares two documents. One document, containing macros that trigger malicious actions, is placed on the attacker’s server. A second document, sent to the victim, contains a VBA macro that simply calls functions from the malicious document.

The attacker then differentiates between the sandbox and user’s environment. If the document is executed within a sandbox, the attacker is alerted that a sandbox environment is present, and the macro simply serves a benign or empty function. However, when the document passes through the sandbox onto the user’s machine, the attacker is informed that it is operating in a user environment and unleashes the malicious macro. The attacker can pull this off without having to use any malware sandbox evasion capabilities.

A deeper dive into the VBA Referencing approach

Here’s how attackers can differentiate the sandbox environment:

The sandbox generally disables Protected View as it causes bottlenecks in the system. The sandbox can then immediately load the VBA engine and only then load the images. In a user environment where Protected View is enabled, the images load first followed by the VBA engine.

The attacker can look at the order of the requests to determine whether his code is in a sandbox environment or not.

Depending on his findings, the attacker can then weaponize the code.

Using this method, the attacker is able to bypass sandbox security, inserting malicious code onto servers without getting flagged.

Where a sandbox could once “arrest” a VBA macro based on its anomalous structure or attempted activity, the VBA referencing method allows attackers to hide their capabilities and change their actions to evade detection by sandboxes. The VBA referencing technique was tested against seven of the leading sandbox providers, and all seven were evaded successfully, with the malicious file opened on the user’s machine. Clearly, sandboxes are not as bullet-proof as once thought.

Suggestions for Mitigation

There are a number of steps a company can take to mitigate this type of malware sandbox evasion method:

  1. Block FTP/SMB inbound/outbound traffic on the user’s machine (not on the sandbox)
  2. Rethink your fundamental sandbox solution architecture design
  3. Consider restricting Internet access to all Office products
  4. Implement Positive Selection technology
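
As a complementary static check, a mail or file gateway can flag documents whose VBA project references another project at a remote location, the building block described above. The following is an added example, not code from the original article: it assumes the VBA `dir` stream has already been extracted and decompressed, uses the REFERENCEPROJECT record layout from the MS-OVBA specification, assumes code page 1252 for paths, and runs on a constructed sample stream with a placeholder host name.

```python
import struct

REFERENCEPROJECT = 0x000E  # MS-OVBA: reference to another VBA project
PROJECTVERSION = 0x0009    # size field is fixed at 4, but 6 data bytes follow
REMOTE_PREFIXES = ("\\\\", "//", "http://", "https://", "ftp://", "file://")

def iter_records(dir_stream):
    """Yield (record_id, payload) from a decompressed VBA 'dir' stream."""
    pos = 0
    while pos + 6 <= len(dir_stream):
        rec_id, size = struct.unpack_from("<HI", dir_stream, pos)
        pos += 6
        if rec_id == PROJECTVERSION:
            size += 2  # account for the trailing 2-byte minor version
        if pos + size > len(dir_stream):
            raise ValueError("truncated record 0x%04X" % rec_id)
        yield rec_id, dir_stream[pos:pos + size]
        pos += size

def project_reference_path(payload):
    """Return the absolute path stored in a REFERENCEPROJECT payload."""
    (n,) = struct.unpack_from("<I", payload, 0)  # SizeOfLibidAbsolute
    libid = payload[4:4 + n].decode("cp1252", "replace")  # assumed code page
    # A project libid is '*\' + one project-kind character + the path.
    return libid[3:] if libid.startswith("*\\") else libid

def remote_project_references(dir_stream):
    """List referenced VBA project paths that point off the local machine."""
    hits = []
    for rec_id, payload in iter_records(dir_stream):
        if rec_id == REFERENCEPROJECT:
            path = project_reference_path(payload)
            if path.lower().startswith(REMOTE_PREFIXES):
                hits.append(path)
    return hits

def _sample_reference(absolute, relative):  # helper for the constructed sample
    a, r = absolute.encode("cp1252"), relative.encode("cp1252")
    body = struct.pack("<I", len(a)) + a + struct.pack("<I", len(r)) + r
    body += struct.pack("<IH", 1, 0)  # MajorVersion, MinorVersion
    return struct.pack("<HI", REFERENCEPROJECT, len(body)) + body

# Constructed sample: one local reference and one UNC (SMB) reference.
SAMPLE_DIR = (
    struct.pack("<HII", 0x0001, 4, 1)                # PROJECTSYSKIND
    + struct.pack("<HIIH", PROJECTVERSION, 4, 1, 0)  # PROJECTVERSION
    + _sample_reference("*\\CC:\\Reports\\helpers.xls", "*\\Chelpers.xls")
    + _sample_reference("*\\C\\\\files.example.test\\share\\lib.xls", "*\\Clib.xls")
)
```

A hit is a reason to quarantine or escalate the document regardless of what the sandbox observed, since the referenced project's content can differ between the sandbox run and the user's run.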
