Preventing Evasion Techniques in Excel Files with Deep CDR

Originally published on June 05, 2020.

Preventing Evasion Techniques in Excel Files with Deep CDR

Malware is ever-evolving, and so are malware evasion techniques. In a study conducted by the University of Genoa which analyzes 180,000 Windows malware samples, as many as 40% of them utilize at least one evasive technique. In this blog post, we explore two methods used by threat actors to bypass antivirus (AV) software.

We’ll look at a malware sample to learn how attackers use seemingly harmless Excel files to infect organizations. The file contains a macro that downloads a stenography file and decodes it to extract a malicious payload.

VelvetSweatshop password

The "VelvetSweatshop" default password is an old vulnerability that was first introduced in 2012. It was most recently used to spread the LimeRAT malware. Cybercriminals chose this tactic because Microsoft Excel has capability to use the embedded, default password VelvetSweatshop to decrypt a file, open it in read-only mode without a password requirement, and simultaneously run on-board macros.

By encrypting the sample file with the VelvetSweatshop password, some anti-virus scanning engines were thwarted from detecting the malicious code. In our tests, only 15 of the 40 AVs found the threat.

Password-protected Macro

Just like password-protecting a worksheet, Microsoft Excel enables users to lock a macro in Excel against viewing. However, this feature does not encrypt the macros.

When we used this feature to hide the sample malware macro, this also made some AVs’ detection less effective. Three AV engines, which successfully detected the malware sample, could not see the threat when the macro was password-protected.

What happens if we combine the two tactics?

When applying both the VelvetSweatshop Password and the Password-protected Macro feature to help the malicious sample bypass detection, we witnessed a significant decrease in the scanning result. Only 13 of the 40 AV engines were able to detect the threat.

What is the solution to prevent malware evasion techniques?

Threat actors always look for new techniques to hide their malicious files from antivirus systems. One of best practices to defeat evasive malware is disabling all potentially malicious objects in files transferred into your system. Even a harmless macro can become a vulnerability later.

OPSWAT Deep Content Disarm and Reconstruction (Deep CDR) removes all embedded active content in files (including macros, OLE objects, hyperlinks, etc.) and reconstructs the files with only legitimate components. Additionally, Deep CDR enables you to investigate password-protected macro without knowing the password. This industry-leading technology from OPSWAT is highly effective for preventing both known and unknown threats, including zero-day targeted attacks and advanced evasive malware.

Visual representation of the Deep CDR process showing how embedded active content in files, like videos, objects, and links, are removed, processed, and sanitized

After having the sample sanitized by Deep CDR, we now have a threat-free file with full functionality.

If macros are required for your business operations, it is important to simultaneously scan every file with multiple AVs to increase the chances of threat detection. OPSWAT pioneered the concept of Multiscanning, scanning files with 30+ commercial anti-malware engines. Combining various analysis mechanisms and techniques, including Signatures, Heuristics, AI/ML, and Emulation, OPSWAT Multiscanning technology helps you maximize detection rates with a low Total Cost of Ownership (TCO).

Learn more about OPSWAT Deep CDR and Multiscanning or talk to an OPSWAT technical expert to discover the best security solution to prevent zero-day and advanced evasive malware.

Talk to an Expert

Sign up for Blog updates!
Get information and insight from the leader in advanced threat prevention.