Spear phishing attacks are a rising threat faced by organizations. These well-planned attacks can deceive even the most cautious users. Unlike old-fashioned mass phishing attempts, these attacks are directed at specific individuals or companies and are tailor-made to fit their target.
Used for a wide variety of reasons from stealing personal information or credentials to spreading malware, spear phishing attacks trick the user into performing a seemingly innocent action that results in serious consequences. The user may end up clicking on a malicious URL link, making a bank transfer, providing restricted information, or opening attachments that download malware.
Recently, Check Point Threat Intelligence and Research encountered a spear phishing campaign that extended beyond the regular scope of social-engineering, involving technical abilities that surprised us all – including evading detection by traditional sandboxes.
The hunt begins: receiving a spear phishing mail
The victim received the following email:
A Microsoft Word document was attached to the mail.
This is another sample of the Word document attachment.
In both cases, there was an inset message from Microsoft, that stated:
“The document was edited in a newer version of MS Office. To correctly load the document, please Enable Content”
The “Enable Content” feature is a security mechanism installed by Microsoft to ensure that documents are not allowed to run Visual Basic commands (also known as macros) without user consent. The user must “Enable Content” to initiate any embedded macros in the document.
Over the past several months, we have seen all sorts of documents trying to get permission to enable macros. Some attempts were more successful than others.
Spear phishing relies on social engineering:
• The message appears to be from Microsoft.
• The message is highly detailed and appears to be authentic.
• The inner frame of the document blocks the user from seeing the full document content.
Once the user presses “Enable Content”, the actual document is displayed and the macros are initiated.
The macros within this document are highly obfuscated and are split into several sections:
- The overall document
- Several modules with various functions
- Two forms that comprise the document:
- The “please Enable Content” frame
- The hidden “invoice”
This document is a downloader, designed to download malware and execute it within the victim’s computer. By enabling content, the user gives consent to the document to execute all the commands within its grasp.
This is not an unusual method of spreading malware. Malicious documents are widely used by attackers to download and execute malware, and infect unsuspecting users who just wanted to read the “invoice.”
So, what’s new?
What is innovative about this attack is the methods employed to evade detection by security vendors and researchers.
Once activated, the dropper first collects information about the system on which it is running:
The dropper tries to evaluate the state of the machine. In this case, the code below is used to check if the document was executed in a virtual environment (i.e. a sandbox) and whether it is running alongside well-known debugging programs.
The execution above translates into the following:
1. Once initiated, Document_Open() starts and calls WNlQyWDP()
2. WNlQyWDP() is used as a selector:
• If all conditions are met, the document proceeds with downloading the malware.
• If not, it produces an error.
3. The selector depends on the result of NAXWwyJJUN(), which tests the system to evaluate its environment:
The code compares the manufacturer (“VMware,Inc.”) and model (“VMware Virtual Platform”) of the environment to a list of strings. If there is a match (“VIRTUAL”/”VMWARE” is a match in this case), the program shuts down.
Furthermore, the program tests the machine for running processes.
If a process that matches one of these names exists, the program shuts down.
Malware writers take these precautions as part of an endless cat-and-mouse game:
Security researchers analyze malware and study their behaviors using tools such as
Wireshark, which captures network traffic, and VMWare, which creates a virtualized machine hosted on a physical machine. This allows researchers to simulate the operation of the malware without damaging the host.
Malware developers try to understand how security researchers operate and take action to disrupt their research. The processes mentioned above are used regularly by security researchers, so the malware’s developers take action to block these specific tools from analyzing their malware.
As we tested this document in a virtual environment (and were shut down), we had to trick the program into running. The easiest way is to swap lines of code so that the program does exactly the opposite of what it was intended to do:
The program now thinks it is running without any interference and the downloaded file is revealed.
This function starts the download procedure. First, it generates the site’s address.
It then performs a GET request via a XMLHTTP request.
In this case, the downloaded malware “word.exe” is a well-known malware, which scores 42/57 on VirusTotal . These kinds of documents are known to deliver many types of malware, including Dridex, CryptoWall and the notorious Locky.
From this point on, the document proceeds as “usual”, executing the malicious file and infecting the machine. It achieves its malicious goal, and infects another user.
As mentioned before, the VM and debugging evasion techniques used are quite innovative.
It is not surprising that spear phishing attacks have adopted these tricks, as malware often use such techniques to elude security researchers and fly-by detection of Anti-virus programs. We can only assume their methods will become even more complex and sophisticated in the future.
Indicators of Compromise
Check Point protections
Check Point SandBlast Protection keeps users safe from spear phising and other sophisticated threats using its two major components:
1. Threat Extraction detects these types of attacks and removes exploitable content; proactively provide users with clean, reconstructed files containing only safe elements
2. Threat Emulation identifies and blocks this attack, using cutting edge threat emulation techniques, including CPU-level detection.