Sandbox evasion malware used for cyber espionage, new study shows
Positive Technologies analysed 36 malware families containing sandbox detection and evasion capabilities that have been active in the last 10 years.
The company's findings show that 25% of that malware was active in 2019-2020, and that at least 23 APT groups around the world have used them in attacks.
As they traced the evolution of sandbox evasion and anti-analysis techniques, Positive Technologies experts observed that the same malware used different methods in different years to evade these tools.
Additionally, attackers would try to stack multiple techniques simultaneously.
If one method did not work and was thwarted by the sandbox, this malware would use other signs to determine whether it is running in a virtual environment and, if so, terminate itself to avoid discovery.
These techniques were most common in remote access tools (56% of the malware in question) and loaders (14%).
According to the analysis, the most common sandbox evasion techniques seen were Windows Management Instrumentation (WMI) queries (25% of malware), other environment checks (33%), and checking the list of running processes (19%).
Cyber espionage attacks have comprised 69% of the analysed malware.
Such attacks require staying invisible on the victim's system as long as possible, which is why malware developers look for ways to stealthily establish and maintain persistence, the analysts state.
Malware developers often use obfuscation to frustrate attempts to analyse their code, the analysts state. As a result, it is increasingly difficult to perform static analysis of malicious files and match suspicious files with known signatures and hash sums.
Positive Technologies senior analyst Olga Zinenko explains, "This malware is used to perform reconnaissance and gather information about the target system.
"If attackers spot that the malware is running inside a virtual environment, such as a sandbox, they will not pursue this attack vector or download the payload. Instead, the malware goes dormant in order to maintain stealth."
Positive Technologies head of malware detection Alexey Vishnyakov says, “In recent years, malware developers have been trying especially hard to evade code analysers.
"Hackers do all they can to hide malicious functions from security researchers and avoid tripping any known indicators of compromise.
"Traditional defences may not be able to detect malicious programs. For detecting today's malware, we recommend analysing file behaviour in a secure sandbox environment.
"Using a sandbox enriches IOC databases and provides companies with information for improving cyber threat response.
Positive Technologies creates solutions for information security. This includes products and services to detect, verify, and neutralise real-world business risks associated with corporate IT infrastructure.