Preventing Evasion Techniques in Excel Files with Deep CDR

98% of malware threats are equipped with evasion technology and becoming a real problem for cybersecurity.(1) Along with defeating signature-based and behavior-based detection tools, cybercriminals utilize many sophisticated evasion tactics to mitigate detection. In this blog-post, we explore two methods used by threat actors to bypass antivirus (AV) software.

Let’s take this malware sample for example. This file contains a macro which is used to download a stenography file and decode it in order to extract a malicious payload. Scanning it with multiple AV engines on MetaDefender Cloud, 18 of 40 AV engines detected the threat.

VelvetSweatshop password

The "VelvetSweatshop" default password is an 8-years-old vulnerability that was first introduced in 2012. Recently, it was used to spread LimeRAT malware. (2) Cybercriminals chose this tactic because Microsoft Excel has capability to use the embedded, default password VelvetSweatshop to decrypt a file, open it in read-only mode without a password requirement, and simultaneously run on-board macros.(3)

By encrypting the sample file with the VelvetSweatshop password, some anti-virus scanning engines were thwarted from detecting the malicious code. Only 15 of the 40 AVs found the threat.

Password-protected Macro

Just like password-protecting a worksheet, Microsoft Excel enables users to lock a macro in Excel against viewing. However, this feature does not encrypt the macros.

When we used this feature to hide the sample malware macro, this also made some AVs’ detection less effective. Three AV engines, which successfully detected the malware sample, could not see the threat when the macro was password-protected.

What happens if we combine the two tactics?

When applying both the VelvetSweatshop Password and the Password-protected Macro feature to help the malicious sample bypass detection, we witnessed a significant decrease in the scanning result. Only 13 of the 40 AV engines were able to detect the threat.

What is the solution to prevent malware evasion techniques?

Threat actors always look for new techniques to hide their malicious files from antivirus systems. One of best practices to defeat evasive malware is disabling all potentially malicious objects in files transferred into your system. Even a harmless macro can become a vulnerability later.

OPSWAT Deep Content Disarm and Reconstruction (Deep CDR) removes all embedded active content in files (including macros, OLE objects, hyperlinks, etc.) and reconstructs the files with only legitimate components. Additionally, Deep CDR enables you to investigate password-protected macro without knowing the password. Therefore, this OPSWAT industry-leading technology is highly effective for preventing both known and unknown threats, including zero-day targeted attacks and advanced evasive malware.

After having the sample sanitized by Deep CDR, we now have a threat-free file with full functionality.


If macros are required for your business operation, it is important to simultaneously scan your files with multiple AVs to increase the chances of threat detection. OPSWAT pioneered the concept of multiscanning files with 30+ commercial anti-malware engines. Combining various analysis mechanisms and techniques, including Signatures, Heuristics, AI/ML, and Emulation, OPSWAT Multiscanning technology helps you maximize detection rates with a low Total Cost of Ownership (TCO).

Learn more about OPSWAT Deep CDR and Multiscanning or talk to an OPSWAT technical expert to discover the best security solution to prevent zero-day and advanced evasive malware


References:

(1) Stefnisson, Siggi. 2018. "Evasive Malware Now A Commodity". Securityweek.Com. https://www.securityweek.com/evasive-malware-now-commodity.

(2) Osborne, Charlie. 2020. "Limerat Malware Is Being Spread Through Velvetsweatshop Excel Encryption Technique". Zdnet. https://www.zdnet.com/article/limerat-malware-is-being-spread-through-velvetsweatshop-excel-encryption-technique/.

(3) Baccas, Paul. 2013. "When Is A Password Not A Password? When Excel Sees “Velvetsweatshop”". Naked Security. https://nakedsecurity.sophos.com/2013/04/11/password-excel-velvet-sweatshop/.


Sign up for Blog updates
Get information and insight from the leaders in advanced threat prevention.