The sandbox, last line of defense for many networks, isn’t what it used to be. In our talk, we show how attackers can bypass sandbox security, inserting malicious code on servers without getting flagged, by taking advantage of basic rules of how VBA (Visual Basic for Applications) macros and sandboxes operate. If once a sandbox could “arrest” a VBA macro based on its anomalous structure or attempted activity, the method we demonstrate shows how attackers can hide their capabilities and change their actions to evade detection by sandboxes.
The trick is in taking advantage of VBA’s support of referencing methods from another remote VBA project, and principles of sandbox security, which let files do whatever they were programmed to do without impediment or limitation, in a supervised environment. In our presentation, we demonstrate how malicious actors might take advantage of these principles to carry out attacks:
How does an attacker guarantee that a benign file is delivered to sandbox environments and a malicious file to a user environment, without applying any of the usual sandbox evasion tricks? How do commercial sandboxes react to this technique? All this and more will be answered in this presentation.