MDS’ Evasion Feature of Anti-sandboxes That Uses Pop-up Windows

AhnLab Security Emergency response Center (ASEC) is monitoring various anti-sandbox tactics to evade sandboxes. This post will cover the rather persistent anti-sandbox technique that exploits the button form of the malicious IcedID Word files and the evasion feature of AhnLab’s MDS which is meant for detecting malicious behavior. An anti-sandbox technique that exploits the button form is contained within the malicious IcedID Word file (; however, a 2-step process is required to be done by a user before the malicious behavior triggers. Figure 1 shows what happens immediately after the Word file ( known as IcedID is opened.  A pop-up window (Step 1) disguised as an error message is triggered by the macro code in Figure 2. The macro code will only proceed to the next stage if the [OK] or [Close] buttons are clicked on the pop-up window.

Figure 1. Pop-up windows that appears when is opened

Figure 2. Macro code that triggers the first pop-up window

Figure 3 shows the screen that is displayed after a button on the pop-up window in Figure 1 is clicked. As shown in Figure 3, a form window that requires user input (Step 2) is displayed. Although there are a total of 3 inputs that can be made to close the form, them being the send (btnSend_Click), cancel (btnClose_Click), and close (UserForm_QueryClose) inputs, if you look at the macro code in Figure 4, you can see that all three inputs lead to the activation of malicious behavior (feedbackAction).

Figure 3. Form input window that appears when the first pop-up window is closed

Figure 4. Macro code that triggers the form input window

Figure 5 shows the code that executes the malicious behavior that is ultimately triggered after step 2 of the anti-sandbox trick explained above. This code performs backdoor features as it receives and executes additional commands from a C2 server.

Figure 5. C2 connection triggering after input is made in the form input window

MDS products have anti-sandbox evasion features to detect malicious behaviors. When these types of files are detected, MDS products (which are APT detection solutions) utilize the MDS Agent to execute the file in a secure sandbox environment, in order to confirm whether or not it is malware. Due to its anti-sandbox evasion feature related to these types of pop-up window inputs, MDS products can alert users that a file is malicious by causing it to exhibit its final malicious behaviors. For example, a remote command like downloading files. This is displayed in the following figure.  

Figure 6. AhnLab MDS detection result after using anti-sandbox evasion feature

AhnLab detects and blocks malicious IcedID Word files that use anti-sandbox techniques with the aliases below.

[File Detection]

  • Trojan/DOC.Agent (2021.08.19.00)

[IOC Info]

MD5 – bef1a9a49e201095da0bb26642f65a78 :

C&C URL  – hxxps[:]//fusuri-solt-down[.]com/ecm/ibm/1629235716/feedback

More details about AhnLab MDS which detects and responds to threats unknown to sandbox-based dynamic analysis can be found here on the AhnLab page.

The post MDS’ Evasion Feature of Anti-sandboxes That Uses Pop-up Windows appeared first on ASEC BLOG.

Article Link: