
Advanced Macro Malware that Evades Sandboxes is Stopped by Data Sanitization (CDR)

Recently, McAfee Labs published a report describing advancements in macro-based malware that uses new techniques to evade detection. This malware avoids many of the markers that anti-malware products look for to detect malicious macros. One of these common markers is a macro that launches on the document's AutoOpen() or DocumentOpen() events. These macros also perform sophisticated checks to determine whether they are likely being executed inside a sandboxed environment. If anything in the environment suggests the file is being accessed inside a sandbox, the malware does nothing, in an attempt to evade detection.

Figure: How data sanitization (content disarm & reconstruction) works

This is another advance in the ongoing arms race between malware writers and anti-malware vendors. Now that this method is known, anti-malware vendors are sure to add detection for malware using these techniques, and malware writers will find other ways to evade detection. This illustrates the importance of using proactive approaches like MetaDefender's data sanitization technology, also known as content disarm and reconstruction (CDR), to remove any potentially malicious objects from common file types. The advantage of this approach is that it sidesteps the problem of new and more sophisticated malware evading detection: all active content that has the potential to be malicious is removed, whether or not a threat is detected.
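As an added illustration (this is not OPSWAT's code and not how MetaDefender implements sanitization), the script below performs the core step that content disarm and reconstruction applies to a macro-enabled Word document: it removes the VBA project from the OOXML package without inspecting what the macros do, so a macro that avoids AutoOpen or checks for a sandbox is stripped just the same as a naive one. The document package is constructed in memory as sample input; the content-type and relationship-type strings are the standard OOXML identifiers for a Word VBA project.

```python
import io
import re
import zipfile
from typing import List, Tuple

# Standard OOXML identifiers for a Word VBA project (real strings, not constructed).
VBA_REL_TYPE = "http://schemas.microsoft.com/office/2006/relationships/vbaProject"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

# Constructed sample parts of a minimal .docm-like package (a real file has many more).
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Default Extension="bin" ContentType="' + VBA_CONTENT_TYPE + '"/>'
    '<Override PartName="/word/document.xml" ContentType="' + MACRO_MAIN_CT + '"/>'
    "</Types>"
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p></w:body></w:document>"
)
DOC_RELS = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
    '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/>'
    '<Relationship Id="rId2" Type="' + VBA_REL_TYPE + '" Target="vbaProject.bin"/>'
    "</Relationships>"
)


def build_sample_docm() -> bytes:
    """Build the constructed in-memory package; the VBA part is a placeholder blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/_rels/document.xml.rels", DOC_RELS)
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 32)  # stand-in, not real VBA
    return buf.getvalue()


def list_parts(data: bytes) -> List[str]:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()


def read_part(data: bytes, name: str) -> str:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name).decode("utf-8")


def has_vba_project(data: bytes) -> bool:
    return any(n.lower().endswith("vbaproject.bin") for n in list_parts(data))


def sanitize_ooxml(data: bytes) -> Tuple[bytes, List[str]]:
    """Rebuild the package without its VBA project. Returns (clean_bytes, removed_items).

    No macro is parsed or evaluated: the active content is dropped regardless of
    what it would do, which is the point of sanitization over detection.
    """
    removed: List[str] = []
    vba_rel = re.compile(r'<Relationship\b[^>]*\bType="' + re.escape(VBA_REL_TYPE) + r'"[^>]*/>')
    vba_ct = re.compile(r'<(?:Default|Override)\b[^>]*\bContentType="' + re.escape(VBA_CONTENT_TYPE) + r'"[^>]*/>')
    out_buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out_buf, "w", zipfile.ZIP_DEFLATED) as out:
        for name in src.namelist():
            payload = src.read(name)
            lower = name.lower()
            # 1. Drop the VBA project binary and its own relationships part, if present.
            if lower.endswith("vbaproject.bin") or lower.endswith("vbaproject.bin.rels"):
                removed.append(name)
                continue
            # 2. Remove relationships that point at a VBA project so nothing dangles.
            if lower.endswith(".rels"):
                text, n = vba_rel.subn("", payload.decode("utf-8"))
                if n:
                    removed.append(f"{name}: {n} vbaProject relationship(s)")
                payload = text.encode("utf-8")
            # 3. Drop the VBA content-type entry and downgrade the macro-enabled main part
            #    so the result is a plain, non-macro document type.
            elif name == "[Content_Types].xml":
                text, n = vba_ct.subn("", payload.decode("utf-8"))
                if n:
                    removed.append(f"{name}: {n} vbaProject content-type entry(ies)")
                payload = text.replace(MACRO_MAIN_CT, PLAIN_MAIN_CT).encode("utf-8")
            out.writestr(name, payload)
    return out_buf.getvalue(), removed


if __name__ == "__main__":
    original = build_sample_docm()
    clean, removed = sanitize_ooxml(original)
    print("VBA present before:", has_vba_project(original), "after:", has_vba_project(clean))
    for item in removed:
        print("removed:", item)
```

The three steps keep the package internally consistent: a leftover relationship or content-type entry pointing at a deleted part would make Word report the file as corrupt. A production CDR engine goes further than this sketch, also handling parts such as word/vbaData.xml, embedded OLE objects and other active content, and it reconstructs every part from a trusted representation rather than copying parts through unchanged.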

If you would like to find out more about MetaDefender's data sanitization technology and how it can help prevent infection by macro-based malware, you can check out our blog.
