There is a very clever and very subtle breed of macro malware that counts the number of documents on a computer and lies dormant until there are enough of them. Precisely how the malware worked, and exactly how it was going undetected, remained a mystery until researchers recently trapped and studied some of it. What made that even harder for the researchers is that the malware is apparently smart enough to tell when it is being studied, which lets it remain almost undetectable.
There have to be two or more Word documents on a computer for the malware to do anything. If it invades a computer and the count falls short of that, it automatically goes dormant. If there are enough, it downloads and installs the primary malware. This form of malware is typically delivered through spam or phishing campaigns. When accepted, this malware goes through your RecentFiles, the list of your recently viewed and/or created documents. After the aforementioned number of documents is discovered, a PowerShell script links to and downloads a keylogger.
It then uses the IP detection service Maxmind to discover which network the invaded system uses. It runs a scan to see whether the IPs of its victims have been blacklisted by any security firms. If they have, this also automatically causes the malware to shut down. In fact, this malware takes no risks: it automatically shuts down if it discovers that an IP address is connected in any way to a security vendor, some cloud services, or a sandbox environment. This specific breed of malware may be a new discovery, but researchers have seen other, more sophisticated malware like it through the years.
But this is the first time a relatively unsophisticated breed of such intelligent, document-detecting malware has materialized. Experts on the subject say that this is not that surprising a development and that we can expect more of it in the future, since malware authors are recognizing that it is definitely worth the time and money to make their products this intelligent. They predict that average, unsophisticated malware is going to get even more sophisticated than this. Experts and researchers also predict that malware authors will concentrate on mobile malware even more from this year forward.
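
As an added example (not code from the researchers or from the malware itself), the Python sketch below triages extracted macro source for the combination described above: an auto-run macro that checks the RecentFiles count or references Maxmind and then launches PowerShell. The patterns, the verdict names and the inert sample macro are assumptions constructed for this illustration.

```python
import re

# Heuristic patterns for the behaviours the article describes (assumptions of this example).
INDICATORS = {
    "auto_exec": re.compile(r"\bSub\s+(AutoOpen|Document_Open)\b", re.I),
    "recent_files_count": re.compile(r"\bRecentFiles\s*\.\s*Count\b", re.I),
    "ip_lookup": re.compile(r"maxmind", re.I),
    "powershell": re.compile(r"powershell", re.I),
}

def strip_comment(line):
    """Drop a trailing VBA comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def normalise(source):
    """Join ' _' continuation lines, strip comments, fold "a" & "b" into "ab"."""
    joined = re.sub(r"[ \t]_\r?\n[ \t]*", " ", source)
    code = "\n".join(strip_comment(l) for l in joined.splitlines())
    fold = re.compile(r'"([^"\n]*)"\s*&\s*"([^"\n]*)"')
    while fold.search(code):  # repeat so three-part splits collapse fully
        code = fold.sub(r'"\1\2"', code)
    return code

def triage(source):
    """Return (sorted indicator names, verdict) for extracted macro source."""
    code = normalise(source)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(code))
    # An environment gate plus a launcher in an auto-run macro is the described combination.
    gate = {"recent_files_count", "ip_lookup"} & set(hits)
    if gate and "auto_exec" in hits and "powershell" in hits:
        return hits, "suspicious"
    return hits, "review" if gate else "no-match"

# Constructed, inert sample: no payload, the launcher argument is elided.
SAMPLE = '''Sub AutoOpen()
    If Application.RecentFiles.Count < 2 Then Exit Sub
    cmd = "pow" & "ersh" & _
          "ell <elided>"
    Shell cmd
End Sub
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Because the sample's launcher string is split across a line continuation and three literals, a plain keyword search on the raw text would miss it; the normalisation step is what makes the match possible.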