Yoroi-Cybaze analyzed three cybercrime techniques, well known to the infosec community but still successfully used to avoid detection
Cybercrime tricks evolve every day to bypass companies' security defences, not only to launch cyber attacks but also to avoid detection. Yoroi-Cybaze cyber security experts analysed three techniques currently abused by various threat actors, in order to help security operators, industry and companies mitigate their effects. The first one is “The Broken Doc”. According to the company’s blog, cyber criminals often exploit a “voluntary document corruption” to persuade the user to restore the original file and download the malicious payload without noticing any suspicious alert. The second is “Hide Payload with Office Developer Mode”: the payload is placed in control objects, components that are often not visible to end users. The last one is “Spoofed Signature” or “Certificate Spoofing”. This technique allows malware to easily bypass a relevant portion of anti-virus engines, even if they employ identification techniques theoretically able to detect encrypted and packed threats.
“The Broken Doc” technique
According to the cyber security experts, in “The Broken Doc” case some bytes have been deleted by the attacker without impacting the behaviour of the exploit, and a strange popup window appears, alerting the user to the presence of a “link” referring to external files. Once the user opens the crafted file, MS Word displays a different popup message: now it reports that the document is corrupted and asks to confirm its restoration, a totally different message from the previous one, letting the victim think the document is just broken. After the “Yes” click, MS Word automatically restores the file content and starts the exploit, which downloads and executes other malware.
“Hide Payload with Office Developer Mode”
The “Hide Payload with Office Developer Mode” technique, instead, leverages the fact that in most Office installations the Developer tab is disabled by default, so it is even more difficult to identify the presence of anomalous objects. This technique was also employed in a sample Yoroi-Cybaze analyzed some time ago. When opened, the document looks like many others. However, analysis of the macro code reveals that the real payload is contained elsewhere, in particular in an object that appears as a tiny text box right after the macro code is enabled. After enabling Word developer mode, “we were able to explore the object content: the Base64 encoded payload”. Without enabling it, it is impossible to select and modify the object’s properties. Using this strategy, the malware is put in a section which is more difficult to detect, both for automatic and manual analysis, obtaining a lower detection rate during static analysis.
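As an added illustration (not code from the Yoroi-Cybaze analysis), a triage routine that ignores what the Office UI shows and scans every part of the OOXML container for long base64 runs, which is how a payload hidden in a text-box object lands on disk. It assumes the blob is stored as ASCII base64 inside an XML part, and the sample document it scans is constructed in the code.

```python
import base64
import io
import re
import zipfile

def find_base64_blobs(container_bytes, min_run=64):
    """Scan every zip member of an OOXML container (docx/docm/xlsm) for long base64 runs.
    Text boxes, ActiveX parts and vbaProject.bin are plain zip members, so this does not
    depend on the Developer tab. Assumption: the blob is ASCII base64 inside an XML part;
    UTF-16 text inside OLE streams (.bin) would need a separate decoding pass."""
    pattern = re.compile(rb"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{%d,}={0,2}(?![A-Za-z0-9+/=])" % min_run)
    hits = []
    with zipfile.ZipFile(io.BytesIO(container_bytes)) as z:
        for name in z.namelist():
            for m in pattern.finditer(z.read(name)):
                try:
                    decoded = base64.b64decode(m.group(0), validate=True)
                except ValueError:  # bad length or padding: not a real base64 blob
                    continue
                hits.append({"part": name, "chars": len(m.group(0)),
                             "head": decoded[:16],               # quick look at the content
                             "pe_header": decoded[:2] == b"MZ"})  # decoded blob is a PE file
    return hits

def build_sample_docx():
    """Constructed minimal docx: one normal paragraph plus a VML text box whose only
    content is a base64 blob standing in for the hidden payload (harmless text)."""
    payload = b"constructed sample payload, not malware; " * 3
    blob = base64.b64encode(payload).decode()
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>'
        '<w:p><w:r><w:pict><v:shape xmlns:v="urn:schemas-microsoft-com:vml"><v:textbox>'
        '<w:txbxContent><w:p><w:r><w:t>' + blob + '</w:t></w:r></w:p></w:txbxContent>'
        '</v:textbox></v:shape></w:pict></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()

if __name__ == "__main__":
    for hit in find_base64_blobs(build_sample_docx()):
        print(hit)
```

On a real sample, a hit in `word/document.xml` or `word/activeX/` whose decoded head starts with `MZ` or with script text is the object the macro reads from, and it is found without opening Word at all.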
“Spoofed Signature” or “Certificate Spoofing”
With “Certificate Spoofing”, finally, cybercrime hackers not only hide the malware from a relevant portion of anti-virus engines. According to the cyber security experts, they could also obtain a valid certificate for their payload by stealing cryptographic keys from legitimate owners or by leveraging rogue companies, as Yoroi-Cybaze observed in the signed Email Stealer used by the TA505 hacker group. However, in many cases evading detection can require less effort: even an invalid certificate is enough to achieve the goal, as in a recent Ursnif attack campaign. Using certificate spoofing techniques an attacker may sign an arbitrary executable with an arbitrary certificate taken from any website. As a case study, the researchers reproduced this technique by signing a known Emotet binary with the Symantec website certificate. This trick led to a decrease of the VirusTotal detection rate from 36 to 20. Even Symantec AV didn’t detect the sample as malicious!