Sandbox evasion malware used for cyber espionage, new study shows

Positive Technologies analysed 36 malware families containing sandbox detection and evasion capabilities that have been active in the last 10 years.

The company's findings show that 25% of that malware was active in 2019-2020, and that at least 23 APT groups around the world have used them in attacks.

As they traced the evolution of sandbox evasion and anti-analysis techniques, Positive Technologies experts observed that the same malware used different methods in different years to evade these tools.

Additionally, attackers would try to stack multiple techniques simultaneously.

If one method did not work and was thwarted by the sandbox, this malware would use other signs to determine whether it is running in a virtual environment and, if so, terminate itself to avoid discovery.

These techniques were most common in remote access tools (56% of the malware in question) and loaders (14%).

According to the analysis, the most common sandbox evasion techniques seen were Windows Management Instrumentation (WMI) queries (25% of malware), other environment checks (33%), and checking the list of running processes (19%).
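As an added illustration (not code from the study or from Positive Technologies), the defender-side heuristic below scores constructed sandbox-report events: a sample is flagged when it stacks several distinct environment probes (WMI queries, process-list enumeration, other environment checks) and then terminates early without any file or network activity, the pattern the article describes. The event shape, the probe categories and the five-second threshold are assumptions made for the example.

```python
"""Flag sandbox reports that stack environment probes and then exit early."""
from collections import Counter

# Constructed sample events in an assumed, simplified sandbox-report shape:
# (sample_id, seconds_since_start, event_type, detail).
SAMPLE_EVENTS = [
    ("s1", 0.2, "wmi_query", "SELECT * FROM Win32_ComputerSystem"),
    ("s1", 0.3, "process_enum", "CreateToolhelp32Snapshot"),
    ("s1", 0.4, "env_check", "GetSystemInfo"),
    ("s1", 0.6, "process_exit", "code=0"),
    ("s2", 0.5, "file_write", "C:\\Users\\Public\\report.docx"),
    ("s2", 1.1, "network", "203.0.113.5:443"),
    ("s2", 9.0, "process_exit", "code=0"),
]

# Event types treated as environment probes vs. payload-like activity (assumed).
PROBE_EVENTS = {"wmi_query", "process_enum", "env_check"}
ACTION_EVENTS = {"file_write", "network", "registry_write"}
EARLY_EXIT_SECONDS = 5.0  # assumed threshold for "terminated quickly"


def score_sample(events):
    """Return (score, reasons) for one sample's time-ordered events."""
    kinds = Counter(e[2] for e in events)
    probes = sum(1 for k in kinds if k in PROBE_EVENTS)  # distinct probe types
    actions = sum(kinds[k] for k in ACTION_EVENTS)
    exits = [e for e in events if e[2] == "process_exit"]
    reasons = []
    if probes >= 2:  # several different checks stacked together
        reasons.append(f"{probes} distinct environment probes")
    if exits and exits[0][1] < EARLY_EXIT_SECONDS and actions == 0:
        reasons.append("early exit without file/network activity")
    return len(reasons), reasons


def evasion_suspects(events, threshold=2):
    """Map sample id -> reasons for every sample scoring at least threshold."""
    by_sample = {}
    for e in sorted(events, key=lambda e: (e[0], e[1])):
        by_sample.setdefault(e[0], []).append(e)
    suspects = {}
    for sid, ev in by_sample.items():
        score, reasons = score_sample(ev)
        if score >= threshold:
            suspects[sid] = reasons
    return suspects
```

Run against SAMPLE_EVENTS, only "s1" is reported; "s2" performs real activity and runs long enough that neither indicator fires.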

Malware used for cyber espionage accounted for 69% of the analysed samples.

Such attacks require staying invisible on the victim's system for as long as possible, which is why malware developers look for ways to stealthily establish and maintain persistence, the analysts state.

The analysts add that malware developers often use obfuscation to frustrate attempts to analyse their code. As a result, it is increasingly difficult to perform static analysis of malicious files and to match suspicious files against known signatures and hash sums.

Positive Technologies senior analyst Olga Zinenko explains, "This malware is used to perform reconnaissance and gather information about the target system.

"If attackers spot that the malware is running inside a virtual environment, such as a sandbox, they will not pursue this attack vector or download the payload. Instead, the malware goes dormant in order to maintain stealth."

Positive Technologies head of malware detection Alexey Vishnyakov says, "In recent years, malware developers have been trying especially hard to evade code analysers.

"Hackers do all they can to hide malicious functions from security researchers and avoid tripping any known indicators of compromise.

"Traditional defences may not be able to detect malicious programs. For detecting today's malware, we recommend analysing file behaviour in a secure sandbox environment.

"Using a sandbox enriches IOC databases and provides companies with information for improving cyber threat response."

Positive Technologies creates solutions for information security. This includes products and services to detect, verify, and neutralise real-world business risks associated with corporate IT infrastructure.
