CylancePROTECT® Feature Release: Macro Script Control

Cylance® continues to revolutionize endpoint security by blocking threats pre-execution, before they ever cause harm. We are pleased to announce that we have added a new feature (patent pending) called Script Control for Office Macros, which stops macro-based threats in real time.

CylancePROTECT already defends the endpoint against threats like malicious PE files and active scripts. Now, we go one step further protecting users from weaponized documents by moving our protection up another level on the “Cyber Kill Chain.”

Fighting Malicious Macros

Recently, Microsoft® stated that 98% of Microsoft Office-targeted threats leverage macros. Cylance responded by developing Script Control to target malware and ransomware infections at the source.

While the attack vector itself is nothing new, macro-based attacks utilized by malware families such as Donoff, Adnel and Bartallex are still among the most common threats seen in cybersecurity today. On top of that, the methods being used for infection are changing and evolving by the day, sometimes by the minute.

Obfuscated_Macro_Image_For_Blog.jpg

Macro Obfuscation

The first step in malware analysis is to take a look at the code itself. This is called static analysis. A peek inside the “DNA” of the malware can reveal the information needed for legacy AV security vendors to create the signatures they need in order for their products to work. However, many macro-based attacks utilize complicated anti-analysis and obfuscation techniques, thereby evading legacy antivirus products and independent security testers alike.

If static analysis doesn’t provide a clear identification pattern, security professionals use a technique called dynamic analysis. This entails running a malicious sample in a virtual environment on a virtual machine (VM). The malware thinks it’s on a real machine and will conduct its infection processes. This reveals information to the security analyst called indicators of compromise (IOCs). These can be used by security products for detection. While this can be an effective analysis technique, there are still ways that the malware authors can get around this.

Many dynamic analysis utilities have common characteristics that can be identified by querying the user’s system information. Malware such as the macro-based Donoff family first queries to see if the computer name is “Host”. It will also attempt to identify whether common analysis tools such as Wireshark, ProcMon, or Suricata are running. If these tools are identified as a current running processes, the infection halts, IOCs are not obtained, and detection is successfully avoided.

This is important to know because most common email inspection/filtering applications utilize sandboxing techniques to analyze incoming documents and files. If their simple analysis fails to detect a threat in an email or attachment, the email gets delivered to the end user with the email system’s stamp of approval. The unsuspecting user will then go on to download and open the undetected malicious attachment, which will then prompt the user to enable macros in order to view the document. Once macros are enabled - boom, the computer is now infected with malware like Dridex, CryptXXX, or some other malicious payload.

CylancePROTECT and its new macro inspection technology can help protect your enterprise against these threats. And while we can tell you how great our product is and how it will protect every endpoint in your enterprise, we’d rather show you.

You can start by watching this short video put together by our research team showing CylancePROTECT versus macro-based malware families. You can also test it for yourself with a proof of concept (PoC) in your environment.  

Believe the math!!

Convinced that the next generation of endpoint security is right for your organization?  Contact a Cylance expert to get started!