Recent versions of the Ursnif banking trojan have added a new series of tricks that allow the malware to detect when it is being analyzed in a virtual machine or a sandbox environment.
These samples were seen in September, spread via macro-laced Office files attached to spam emails.
Before downloading and installing the malware, the macro scripts perform a series of checks to determine whether the PC they landed on is a real computer or a virtual machine or sandbox environment.
Proofpoint researchers identified four checks, two of which were new and had not been seen before.
The first new check is a lookup of the characters used in the names of local files. The macro script specifically looks for local files whose names contain only hexadecimal characters.
Files submitted to analysis in sandbox environments and VMs are often renamed based on their SHA256 or MD5 hash, in order for researchers to keep track of the exact payload. SHA256 and MD5 hashes are only made up of the hexadecimal character set: 0123456789ABCDEFabcdef.
If the macro script found files with other types of characters, such as “w,” “=,” or “#,” it concluded that this was a regular PC and not a researcher’s box, and would go on with its installation procedure.
The second check is even more clever, with the macro script using the Application.Tasks.Count function to query the local OS for the presence of running processes with a graphical interface.
If the script found fewer than 50, the macro would stop, treating the system as a test box for detecting malware.
“A quick check of a real system shows that it is common to have more than 50 tasks, while sandbox systems are optimized to have as few as possible,” Proofpoint’s researchers explained.
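For sandbox operators, the two heuristics above can be turned into a quick self-audit: does the analysis VM look like a researcher's box to this macro? The script below is an added example, not code from the article or from Proofpoint; it assumes the filename check ignores extensions (the article does not say) and takes the GUI task count as an input rather than reading it from Windows.

```python
import os
import re
from dataclasses import dataclass, field

# Hash-style names contain only 0-9 / a-f / A-F. The stem is checked and the
# extension ignored; that is an assumption, the article does not say whether
# the macro strips extensions before testing the characters.
HEX_ONLY = re.compile(r"^[0-9A-Fa-f]+$")
# The macro aborts when Application.Tasks.Count reports fewer GUI tasks than this.
MIN_TASKS_FOR_REAL_PC = 50


def is_hex_only_name(filename: str) -> bool:
    """True if the file's stem looks like an MD5/SHA256-style hash (a renamed sample)."""
    stem, _ext = os.path.splitext(os.path.basename(filename))
    return bool(HEX_ONLY.fullmatch(stem))


@dataclass
class AuditResult:
    task_count: int
    filename_check_fails: bool          # no file with a non-hex character was found
    task_check_fails: bool              # fewer than 50 GUI tasks
    hex_only_files: list = field(default_factory=list)

    @property
    def fingerprinted(self) -> bool:
        # Either check on its own is enough for the macro to stop before installing.
        return self.filename_check_fails or self.task_check_fails


def audit_sandbox(filenames, task_count: int) -> AuditResult:
    """Report whether an analysis box would trip the two Ursnif checks described above."""
    hex_only = [f for f in filenames if is_hex_only_name(f)]
    # The macro continues only if at least one name has a character outside 0-9a-fA-F,
    # so an empty directory fails the check just like an all-hash directory does.
    all_hex = len(hex_only) == len(filenames)
    return AuditResult(
        task_count=task_count,
        filename_check_fails=all_hex,
        task_check_fails=task_count < MIN_TASKS_FOR_REAL_PC,
        hex_only_files=hex_only,
    )


if __name__ == "__main__":
    # Constructed sample: an analysis VM holding hash-named submissions and few open windows.
    sandbox_files = ["d41d8cd98f00b204e9800998ecf8427e.doc", "e3b0c44298fc1c149afbf4c8996fb924.exe"]
    print(audit_sandbox(sandbox_files, task_count=12))
```

A box that reports `fingerprinted=True` needs either a file with a non-hex name in the sample directory or more than 50 GUI tasks before this macro will proceed to its payload.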