Malware goes undetected by hiding malicious code in uncommon MS Access format
0/64 detections on VirusTotal as of 05.08.2024
The VMRay Labs team has uncovered a malware that goes completely undetected for weeks by hiding malicious p-code in MS Access’ uncommon ACCDE format.
Microsoft Access allows users to export their databases to a “protected” format (ACCDE), promising to keep macros hidden and unmodifiable. This sample abuses that feature to hide its malicious backdoor: a compiled VBA macro designed to drop and execute a malicious PE file stored in the database.
No detections on VirusTotal
0 of 63
In a nutshell:
Â
The ACCDE format is rarely abused by attackers:not a single ACCDE file uploaded to VirusTotal in the last 90 days has a malicious verdict.
Â
VBA macros were compiled to p-code and execodes, complicating static analysis, but dynamic analysis still reveals malicious behavior
Â
Dropped PE file (“MW-Black-Shell”, only 5/75 on VirusTotal) connects to C2 and keeps waiting for commands to execute
Â
The PE file is not stored in the macros but in a table in the database
Â
Schedules itself to be executed at specific times (e.g., daily at 9:30)
Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!