Monday, March 23, 2015
Some Macro-infecting malware is set to "run on close" and escape sandboxes
Malware writers of viruses that execute in Office macro code have tried a new technique, waiting for the Office document to close (that is, listening for a close event), before executing, as a way to evade anti-virus software or more savvy users. Security Week discusses this point with respect to “Dridex”, and especially Trojans implicated with attacks on bank accounts, article here.
Webroot tweeted the story Monday morning.
Proofpoint has a story on "Run on close macros" and how they interact with "sandboxes" (like those on Judge Judy).
But anti-malware software can be adjusted to listen for this kind of activity. But a scheduled scan, common on many PC’s, might not detect it while running.
It was also unclear if the malware is disabled when the computer is restarted, and if it limited to Windows environments.