News this week of the Dridex malware campaign (the newest member of the GameOver Zeus Trojan family) should serve as a reminder that you can’t stop what you can’t see. According to the research, the attack vectors remain the same as ever: in this instance the malware arrives through phishing emails and Microsoft Office exploits. Additionally, the attack leverages social engineering that convinces its targets to enable the macros required to deliver the malicious payload.
Most interestingly, the attack does not execute until the document is closed: the macro runs from an AutoClose procedure, a trigger chosen specifically to evade detection.
According to the research, this technique is effective against sandbox detection capabilities. The research notes:
“As sandboxes have adjusted to also ‘wait,’ the ability of the malicious macro to run when the document closes expands the infection window and forces a detection sandbox to monitor longer and possibly miss the infection altogether. No matter how long the sandbox waits, infection will not occur, and if the sandbox shuts down or exits without closing the document, the infection action will be missed entirely.”
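The practical takeaway for anyone running a detonation sandbox is that a macro's entry point decides which user action the sandbox must simulate. The following is an added example, not code from the original post or from the cited research: a small Python scanner that takes extracted VBA source, lists the auto-execution procedures it declares, and flags documents whose payload only fires on close, so the analysis harness knows it must actually close the document rather than just wait. The three macro samples are constructed for the example; the procedure names are the standard Word and Excel auto-execution names, and `assess_macro` is a hypothetical helper name.

```python
import re
from dataclasses import dataclass, field

# Standard Office auto-execution entry points, grouped by the user action that
# fires them. The "close" group is the one an AutoClose-style macro relies on:
# a sandbox that only waits and then kills the process never triggers it.
AUTOEXEC_TRIGGERS = {
    "open": ["AutoOpen", "AutoExec", "Auto_Open", "Document_Open", "Workbook_Open"],
    "close": ["AutoClose", "AutoExit", "Auto_Close", "Document_Close", "Workbook_BeforeClose"],
}

# Matches "Sub Name(" / "Private Sub Name(" / "Function Name(" at line start.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+([A-Za-z_][A-Za-z0-9_]*)\s*\(",
    re.IGNORECASE | re.MULTILINE,
)


@dataclass
class MacroVerdict:
    triggers: dict = field(default_factory=dict)  # group -> procedure names found
    needs_close: bool = False                      # payload only runs when the doc is closed
    summary: str = ""


def find_autoexec_triggers(vba_source):
    """Return {group: [procedure names]} for every auto-exec entry point declared."""
    # VBA identifiers are case-insensitive, so compare lowercase but keep the
    # spelling the macro author used for reporting.
    declared = {name.lower(): name for name in PROC_RE.findall(vba_source)}
    found = {group: [] for group in AUTOEXEC_TRIGGERS}
    for group, names in AUTOEXEC_TRIGGERS.items():
        for trigger in names:
            if trigger.lower() in declared:
                found[group].append(declared[trigger.lower()])
    return found


def assess_macro(vba_source):
    """Classify a macro by its entry points and say what the sandbox must do to trigger it."""
    found = find_autoexec_triggers(vba_source)
    verdict = MacroVerdict(triggers=found)
    if found["close"]:
        verdict.needs_close = True
        verdict.summary = (
            "close-time trigger(s) %s: the sandbox must close the document before "
            "ending analysis; a timeout-only wait will miss the payload" % found["close"]
        )
    elif found["open"]:
        verdict.summary = "open-time trigger(s) %s: fires when the document loads" % found["open"]
    else:
        verdict.summary = "no auto-execution entry point declared"
    return verdict


# Constructed sample macro sources (not taken from any real Dridex document).
SAMPLE_AUTOCLOSE = """
Attribute VB_Name = "NewMacros"
Sub AutoClose()
    Call DropStage   ' placeholder for the download stage
End Sub
"""

SAMPLE_EVENT_CLOSE = """
Attribute VB_Name = "ThisDocument"
Private Sub Document_Close()
    Call DropStage   ' same idea, written as an event handler
End Sub
"""

SAMPLE_BENIGN = """
Attribute VB_Name = "Module1"
Sub FormatReport()
    Selection.Font.Bold = True
End Sub
"""

if __name__ == "__main__":
    for label, src in [("autoclose", SAMPLE_AUTOCLOSE),
                       ("event_close", SAMPLE_EVENT_CLOSE),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, "->", assess_macro(src).summary)
```

In practice the VBA source would come from a macro extractor such as the `olevba` utility in oletools, which runs a comparable keyword scan of its own; the value of keeping a check like this in the sandbox pipeline is that the `needs_close` flag can drive the analysis harness directly, so the document is closed (not just abandoned at timeout) before the run is judged clean.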
Does it seem like we’re stuck on a hamster wheel? Sandbox detection has become a popular security technology in the past five years, in part because the vendors of these solutions convinced their buyers that existing solutions created a security gap. However, as sandbox detection has become widely deployed, attackers have turned their attention to defeating it. We’ve seen malware that monitors mouse clicks to evade detection, malware that sleeps or stalls execution to evade detection, and even malware that checks for the presence of detection engines and sandboxes before running.
The only logical conclusion is that you can’t prevent what you can’t detect, so this iteration of the Dridex malware should serve as a reminder (or a wake-up call if you’re still snoozing) that attackers are becoming increasingly savvy at evading detection, even in the face of “advanced” detection solutions. Detection is not enough. It is time to take a proactive approach to security. Develop a posture based on isolation and prevention instead of reacting with detection and response.