Sandbox Evasion Using VBA Referencing

[Title slide: "Reference This: Sandbox Evasion Using VBA Reference", Votiro Secured]

The sandbox, the last line of defense for many networks, isn't what it used to be. Watch Votiro researcher Amit Dori show how attackers can bypass sandbox security and deliver malicious code to victims without getting flagged, by taking advantage of basic rules of how VBA (Visual Basic for Applications) macros and sandboxes operate. Where a sandbox could once "arrest" a VBA macro based on its anomalous structure or attempted activity, the method demonstrated here shows how attackers can hide a macro's capabilities and change its actions to evade sandbox detection.

The trick lies in combining two things: VBA's support for referencing methods in another VBA project, including one hosted remotely, and a basic principle of sandbox analysis, which lets a file do whatever it was programmed to do, without impediment or limitation, inside a supervised environment. In the presentation, we demonstrate how a malicious actor can take advantage of both to carry out an attack.

The attacker prepares two documents. The first, containing the macros that carry out the malicious actions, stays on the attacker's server. The second, sent to the victim, contains only a macro that calls functions from the first. When the victim's document is executed inside a sandbox, the attacker's server learns that a sandbox is present and serves the referenced function as an innocent or empty one. When the document has passed through the sandbox and is opened on the user's machine, the server learns that it is running in a user environment and serves the malicious macro instead.

The document that reaches the victim therefore needs no sandbox-evasion logic of its own: the decision is made on the attacker's server, and the file the sandbox inspects does nothing harmful while it is being inspected. How does the attacker reliably serve a benign payload to sandbox environments and a malicious one to user environments without applying any sandbox-evasion tricks in the document itself? And how do commercial sandboxes react to this technique?

All this and more is answered in the above presentation.
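One check a defender can run regardless of what the attacker's server decides to serve, added here as an example and not part of Votiro's presentation or tooling: when the victim document binds the remote project as a static VBA reference, the path to that project is written into the VBA project's `dir` stream as a REFERENCEPROJECT record, and can be read without executing any macro. The Python below decompresses the `dir` stream (the MS-OVBA 2.4.1 container format) and lists project references whose path points off the local disk (a UNC share or a URL). The record layout follows the MS-OVBA specification; the sample stream, the reference name `Payload` and the host 198.51.100.10 (a documentation address) are constructed here for the demo. A document that instead opens the remote project at run time keeps the path in macro code rather than the reference table, so this check would not see it.

```python
"""Flag VBA projects whose reference table binds another VBA project over the network."""
import re
import struct

# Record ids (MS-OVBA 2.3.4.2); PROJECTVERSION's size field is a reserved constant, not a length.
PROJECTVERSION, REFERENCENAME, REFERENCEPROJECT, PROJECTTERMINATOR = 0x09, 0x16, 0x0E, 0x10
REMOTE_PATH = re.compile(r"^(?:\\\\|[a-z][a-z0-9+.-]*://)", re.I)  # UNC share or URL

def decompress(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression: 0x01 signature, then 4 KiB chunks."""
    if not data or data[0] != 0x01:
        raise ValueError("missing container signature")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        size = (header & 0x0FFF) + 3                  # chunk size incl. 2-byte header
        chunk, pos = data[pos + 2:pos + size], pos + size
        if not header & 0x8000:                       # raw chunk: 4096 literal bytes
            out += chunk
            continue
        start, i = len(out), 0                        # copy offsets are chunk-relative
        while i < len(chunk):
            flags, i = chunk[i], i + 1
            for bit in range(8):
                if i >= len(chunk):
                    break
                if not flags & (1 << bit):            # literal token: copy one byte
                    out.append(chunk[i]); i += 1
                    continue
                token, i = struct.unpack_from("<H", chunk, i)[0], i + 2
                bit_count = max(4, (len(out) - start - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):               # byte-wise so overlaps work
                    out.append(out[-offset])
    return bytes(out)

def compress_literal(raw: bytes) -> bytes:
    """Naive but valid container (literal tokens only) for building samples offline."""
    container = bytearray(b"\x01")
    for off in range(0, len(raw), 4096):
        block = raw[off:off + 4096]
        body = b"".join(b"\x00" + block[j:j + 8] for j in range(0, len(block), 8))
        if len(body) <= 4096:
            header = (len(body) + 2 - 3) | 0x3000 | 0x8000
        else:                                         # would overflow a chunk: store raw
            body, header = block.ljust(4096, b"\x00"), (4096 + 2 - 3) | 0x3000
        container += struct.pack("<H", header) + body
    return bytes(container)

def iter_records(dir_stream: bytes):
    """Yield (id, payload) pairs from a decompressed dir stream."""
    pos = 0
    while pos + 6 <= len(dir_stream):
        rec_id, size = struct.unpack_from("<HI", dir_stream, pos)
        pos += 6
        if rec_id == PROJECTVERSION:                  # payload is Major(4) + Minor(2)
            size = 6
        yield rec_id, dir_stream[pos:pos + size]
        pos += size
        if rec_id == PROJECTTERMINATOR:               # stop before any raw-chunk padding
            return

def project_references(dir_stream: bytes):
    """(name, LibidAbsolute) per REFERENCEPROJECT; latin-1 stands in for PROJECTCODEPAGE."""
    refs, name = [], None
    for rec_id, payload in iter_records(dir_stream):
        if rec_id == REFERENCENAME:
            name = payload.decode("latin-1")
        elif rec_id == REFERENCEPROJECT:
            n = struct.unpack_from("<I", payload, 0)[0]
            refs.append((name, payload[4:4 + n].decode("latin-1")))
    return refs

def remote_project_references(dir_stream: bytes):
    """Only the project references whose path leaves the local disk."""
    hits = []
    for name, libid in project_references(dir_stream):
        path = libid[3:] if libid.startswith("*\\C") else libid   # "*\C" marks a project libid
        if REMOTE_PATH.match(path):
            hits.append((name, path))
    return hits

def build_sample_dir_stream(ref_name: bytes, libid_absolute: bytes) -> bytes:
    """Constructed minimal dir stream holding one project reference."""
    def rec(rec_id, payload):
        return struct.pack("<HI", rec_id, len(payload)) + payload
    libid = struct.pack("<I", len(libid_absolute)) + libid_absolute
    return b"".join([
        rec(0x01, struct.pack("<I", 3)),                                   # PROJECTSYSKIND: Win64
        struct.pack("<HI", PROJECTVERSION, 4) + struct.pack("<IH", 1, 0),  # PROJECTVERSION
        rec(REFERENCENAME, ref_name),
        rec(REFERENCEPROJECT, libid + libid + struct.pack("<IH", 0, 0)),   # abs, rel, version
        rec(PROJECTTERMINATOR, b""),
    ])

if __name__ == "__main__":   # constructed sample; 198.51.100.10 is a documentation address
    sample = build_sample_dir_stream(b"Payload", b"*\\C\\\\198.51.100.10\\webdav\\remote.dotm")
    print(remote_project_references(decompress(compress_literal(sample))))
```

To run this against a real file, unzip the `.docm`/`.xlsm`, open `vbaProject.bin` with the olefile package, read its `VBA/dir` stream and pass those bytes to `decompress`. The PROJECTVERSION special case matters: its size field holds a reserved constant, so a generic record walker that trusts it drifts out of alignment and never reaches the reference records.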

