SANDBOX EVASION USING VBA REFERENCING
April 27, 2019
The sandbox, last line of defense for many networks, isn’t what it used to be. Watch Votiro’s researcher, Amit Dori, show how attackers can bypass sandbox security, inserting malicious code on servers without getting flagged, by taking advantage of the basic rules of how VBA (Visual Basic for Applications) macros and sandboxes operate. Where once a sandbox could “arrest” a VBA macro based on its anomalous structure or attempted activity, the method we demonstrate shows how attackers can hide their capabilities and change their actions to evade detection by sandboxes.
The trick lies in taking advantage of VBA’s support for referencing methods from another, remote VBA project, combined with a basic principle of sandbox security: files are allowed to do whatever they were programmed to do, without impediment or limitation, inside a supervised environment.
In our presentation, we demonstrate how malicious actors might take advantage of these principles to carry out attacks. An attacker prepares two documents. One document, containing the macros that trigger malicious actions, is placed on the attacker’s server. A second document, sent to the victim, contains a macro that simply calls functions from the malicious document. If that document is executed within a sandbox, the attacker is alerted that a sandbox environment is present, and the macro is served an “innocent” function or an empty one. When the document passes through the sandbox onto the user’s machine, the attacker is informed that it is operating in a user environment and unleashes the malicious macro. The attacker can pull this off without using any sandbox-evasion capabilities at all.
How does the attacker guarantee shipping a benign file to sandbox environments and a malicious file to a user environment without applying any sandbox-evasion tricks? How do commercial sandboxes react to this technique? All this and more will be answered in this presentation.
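A document that relies on a remote VBA project has to record that reference somewhere, and that record is what a defender can look for before any macro runs. The following is an added example, not code from the talk or from Votiro: it decompresses a VBA project’s `dir` stream (the MS-OVBA compressed container found inside `vbaProject.bin`) and walks its records to find REFERENCEPROJECT entries whose absolute path points to an HTTP, FTP or UNC location. The record layout and the `*\C` path prefix follow my reading of the MS-OVBA specification and are assumptions, as is the `olefile` call mentioned in the comment; the sample `dir` stream is constructed inline so the script runs offline.

```python
# Added example (not code from the talk or from Votiro): flag VBA projects whose
# 'dir' stream references an external VBA project on a remote path. Record layout
# follows MS-OVBA as I understand it; the sample stream below is constructed.
import re
import struct

PROJECTVERSION, REFERENCENAME, REFERENCEPROJECT = 0x0009, 0x0016, 0x000E


def decompress_container(data: bytes) -> bytes:
    """MS-OVBA 2.4.1 decompression of a CompressedContainer (signature 0x01 + chunks)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container")
    out, pos = bytearray(), 1
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_end = pos + (header & 0x0FFF) + 3      # size field is chunk length minus 3
        compressed = (header >> 15) & 1
        p, chunk_start_out = pos + 2, len(out)
        pos = chunk_end
        if not compressed:                           # raw chunk: literal bytes only
            out += data[p:chunk_end]
            continue
        while p < chunk_end:
            flags = data[p]
            p += 1
            for bit in range(8):
                if p >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal token
                    out.append(data[p])
                    p += 1
                    continue
                token = struct.unpack_from("<H", data, p)[0]
                p += 2
                # CopyToken offset/length split depends on how far into this chunk we are
                diff = len(out) - chunk_start_out
                bit_count = max(4, (diff - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):
                    out.append(out[-offset])
    return bytes(out)


def iter_records(dir_stream: bytes):
    """Yield (id, payload) per record: u16 Id, u32 Size, data. PROJECTVERSION's
    Size field is reserved (always 4) and is followed by 6 bytes of version data."""
    pos = 0
    while pos + 6 <= len(dir_stream):
        rec_id, size = struct.unpack_from("<HI", dir_stream, pos)
        pos += 6
        if rec_id == PROJECTVERSION:
            size = 6
        yield rec_id, dir_stream[pos:pos + size]
        pos += size


def project_references(dir_stream: bytes):
    """All (reference name, absolute path) pairs from REFERENCEPROJECT records.
    LibidAbsolute is assumed to carry a '*\\<letter>' prefix before the path."""
    refs, name = [], ""
    for rec_id, payload in iter_records(dir_stream):
        if rec_id == REFERENCENAME:
            name = payload.decode("latin-1")         # MBCS name; project codepage not applied
        elif rec_id == REFERENCEPROJECT:
            size_abs = struct.unpack_from("<I", payload, 0)[0]
            libid = payload[4:4 + size_abs].decode("latin-1")
            refs.append((name, re.sub(r"^\*\\[A-Za-z]", "", libid)))
    return refs


REMOTE_PATH = re.compile(r"^(https?://|ftp://|\\\\)", re.IGNORECASE)


def remote_project_references(compressed_dir: bytes):
    """Decompress a 'dir' stream and keep only references that point off the host."""
    return [(n, p) for n, p in project_references(decompress_container(compressed_dir))
            if REMOTE_PATH.match(p)]


# ---- constructed sample data (not from any real document) ----
def _record(rec_id: int, payload: bytes) -> bytes:
    return struct.pack("<HI", rec_id, len(payload)) + payload


def _project_ref(name: str, path: str) -> bytes:
    """REFERENCENAME (+ its Unicode twin 0x003E) followed by a REFERENCEPROJECT record."""
    libid = ("*\\C" + path).encode("latin-1")
    body = struct.pack("<I", len(libid)) + libid + struct.pack("<I", 0) + struct.pack("<IH", 1, 0)
    return (_record(REFERENCENAME, name.encode("latin-1"))
            + _record(0x003E, name.encode("utf-16-le"))
            + _record(REFERENCEPROJECT, body))


def build_sample_dir() -> bytes:
    """Constructed decompressed 'dir' stream: one local and one remote project reference."""
    return (_record(0x0001, struct.pack("<I", 2))                        # PROJECTSYSKIND
            + _record(0x0004, b"VBAProject")                              # PROJECTNAME
            + struct.pack("<HI", PROJECTVERSION, 4) + struct.pack("<IH", 1, 0)
            + _project_ref("LocalLib", "C:\\Users\\user\\Templates\\lib.dotm")
            + _project_ref("Payload", "https://payload.example.invalid/functions.dotm"))


def literal_container(raw: bytes) -> bytes:
    """Wrap raw bytes in one compressed chunk made only of literal tokens (sample only)."""
    body = b"".join(b"\x00" + raw[i:i + 8] for i in range(0, len(raw), 8))
    header = (len(body) + 2 - 3) | 0x3000 | 0x8000
    return b"\x01" + struct.pack("<H", header) + body


SAMPLE_DIR_COMPRESSED = literal_container(build_sample_dir())

if __name__ == "__main__":
    # With a real file, the input would be (assumed usage of the olefile package):
    #   olefile.OleFileIO(path).openstream("VBA/dir").read()
    for name, path in remote_project_references(SAMPLE_DIR_COMPRESSED):
        print(f"remote VBA project reference: {name} -> {path}")
```

On the sample, only the `Payload` reference is reported; the local template reference is listed by `project_references` but filtered out. Because the check is static, it does not depend on what the attacker’s server chooses to serve to a sandbox, which is the whole point of inspecting the reference rather than detonating the document.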