Researchers are warning of a spammed-out malicious attack that has added virtual machine (VM) evasion techniques, in a bid to avoid detection by anti-virus researchers.
As most of us know, spear phishing is a targeted version of a regular old phishing scam by which an attacker attempts to trick the user into doing something online they should ideally think twice about before doing, such as disclosing personal information, clicking on a link, and downloading an attachment.
Phishing is a form of social engineering. As such, it does not typically rely so much on technical skills as it does on an attacker’s ability to lull their target into making poor decisions.
That’s not to say, however, that attacks cannot incorporate sophisticated features.
Amit Dori, a security analyst with the Check Point Threat Intelligence & Research Team, explains in a blog post how one customer recently received a rather typical spear phishing email:
Like in most other targeted spear phishing campaigns, the attack email contains personal information relating to both the target and the “sender,” including their name and company.
It also has a malicious Microsoft Word document attached, that masquerades as an invoice. If the recipient agrees to enable content (macros), the document - which in actuality is a malware downloader - begins executing all commands within its grasp.
Nothing unusual so far. But here’s where it gets interesting.
When the downloader is first activated, it sets to work collecting information about the system on which it is running. There’s a method to this madness, as Dori notes:
“The dropper tries to evaluate the state of the machine. In this case, the code below is used to check if the document was executed in a virtual environment (i.e. a sandbox) and whether it is running alongside well-known debugging programs.”
If the downloader comes across any strings suggesting VMware products are running on the machine, it shuts down and displays an error. It does the same thing if it detects a number of other processes security researchers might use to detect suspicious behaviour, including “FIDDLER” and “WIRESHARK.”
In this way the malware is attempting to avoid analysis by anti-virus experts. In short, if it believes it is being watched it refuses to perform.
Otherwise, the downloader will reveal its file: “word.exe”. That’s not the real Microsoft Word, of course. Instead, it carries a commonly encountered form of malware known to deliver Locky, CryptoWall, and other threats right to a user’s doorstep.
For Dori, this sophisticated spear phishing campaign serves as a harbinger of threats to come:
“The VM and debugging evasion techniques used are quite innovative. It is not surprising that spear phishing attacks have adopted these tricks, as malware often use such techniques to elude security researchers and fly-by detection of Anti-virus programs. We can only assume their methods will become even more complex and sophisticated in the future.”
Given the persistent threat of phishing campaigns, I’d like to urge users to remember some of the key anti-phishing fundamentals. Those include never clicking on a suspicious link or email attachment, never providing personal information to someone whom you don’t know, and disabling macros in Microsoft Office documents by default.
Be sure to commit those security measures to memory, and above all, if you receive a suspicious email, make sure you delete it and don’t click on anything.