Thursday 4 October 09:30 - 10:00, Red room
Giulia Biagini (Microsoft)
Macro malware made a come-back around mid-2014, and since then it has consistently been leveraged to carry out malicious attack campaigns. On the one hand, social engineering is extremely effective at luring users into enabling macro execution; on the other, obfuscation allows attackers to craft documents that are difficult to detect generically and that can easily evade static signatures.
This talk aims to showcase the new AMSI support for Office, which allows the logging and scanning of macro activity. First, the VBA engine instruments the execution of the macro code by recording the calls to Win32 APIs and to COM methods in a simple textual log; second, AMSI is leveraged to invoke the anti-virus and request a scan of that log whenever a dangerous API or COM method is about to be executed. The anti-virus response determines whether the macro execution can continue or whether it must be safely terminated to prevent any damage.
The dynamic nature of this solution is designed to avoid the pitfalls of static scanning and to provide a powerful means of bypassing code obfuscation completely: the instrumentation taps into APIs and COM methods as they are invoked at run-time, so it sees the names of the objects, functions and parameters involved in each call even when they do not appear in the macro source code because they are obfuscated.
In the final part of the presentation, I will explain how the instrumentation works, and I will show examples of how complex, obfuscated macro malware produces neat and tidy logs that are very suitable for writing generic signatures.
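To illustrate why a run-time call log defeats string-level obfuscation, here is an added example (not Microsoft's code, and not the real AMSI log format, which the abstract does not specify): a small scanner that applies one generic behavioural signature to constructed log lines of the kind the abstract describes, next to the obfuscated VBA source that yields no usable static indicator. The `Caller;API(args)` log shape and the sample lines are assumptions.

```python
import re

# Constructed sample of obfuscated VBA source: the object and method names
# never appear literally, so a static string signature has nothing to match.
OBFUSCATED_VBA = r'''
Sub AutoOpen()
  Dim s As String
  s = Chr(87) & Chr(83) & Chr(99) & Chr(114) & "ipt" & "." & StrReverse("llehS")
  Set o = CreateObject(s)
  o.Run Replace("p0wershell -enc QUJD", "0", "o"), 0
End Sub
'''

# Constructed run-time log in an assumed "Caller;API(args)" shape. The real
# AMSI log layout is not given in the abstract, so this format is an assumption.
RUNTIME_LOG = [
    'AutoOpen;CreateObject("WScript.Shell")',
    'AutoOpen;IWshShell3::Run("powershell -enc QUJD", 0)',
]

LOG_LINE = re.compile(r'^(?P<caller>[^;]+);(?P<api>[^(]+)\((?P<args>.*)\)$')

def parse_log(lines):
    """Split each log line into (caller, api, args); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m:
            events.append((m['caller'], m['api'].strip(), m['args']))
    return events

def matches_shell_launch(events):
    """Generic signature: a WScript.Shell object is created and later used to
    run PowerShell. The sequence matters, so state is carried across lines."""
    saw_shell = False
    for _caller, api, args in events:
        if api == "CreateObject" and "wscript.shell" in args.lower():
            saw_shell = True
        elif saw_shell and api.endswith("::Run") and "powershell" in args.lower():
            return True
    return False

def static_hit(source):
    """Static check on the source text: do the key strings appear at all?"""
    return "wscript.shell" in source.lower() and "powershell" in source.lower()

if __name__ == "__main__":
    print("static source signature:", static_hit(OBFUSCATED_VBA))
    print("run-time log signature: ", matches_shell_launch(parse_log(RUNTIME_LOG)))
```

The static check fails because the decisive strings are only assembled at run-time, while the same signature written against the call log matches on the decoded names the instrumentation recorded.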
Giulia is a security software engineer at the Microsoft Threat Intelligence Center. Her focus is on the design and development of automated monitoring tools with the purpose of detecting malicious behaviours. She works primarily in the context of Office365 ATP. In the past year she has also expanded her focus by contributing to the development of Sysmon and improving the security of the Office suite. She comes from a background in maths, in which she holds a B.Sc. degree from the University of Genoa, and prior to joining Microsoft she obtained an M.Sc. in security and forensics from Dublin City University. Her favourite hobbies are travelling and jogging.