Nowadays, anti-malware applications widely use sandbox technology for detecting and preventing viruses. Unfortunately, criminals are developing new malware that can evade this technology. If such malware detects the signs of VM environment, it remains inactive until they are outside of the sandbox. Experts predicted that in 2018 we would see an increasing number of cyber attacks performed with sandbox-evading. However, the epidemic has actually started two years ago. Let's look at the most recent attacks that were successful because modern security solutions weren't able to detect sandbox-evading malware.
Since early March 2018, there have been cases of attacks performed with the RIG Exploit Kit that infects victims with a backdoor trojan called Grobios. This malware is packed with PECompact 2.xx that allows it to evade static detection. Though the unpacked file has no functions, it uses hashing to obfuscate the names of API functions it invokes. It also divides the PE header of the DLL files to match the name of a function to its hash. In addition, the trojan performs a series of checks to become aware of its environment. Particularly, it looks for virtual machine software, like Hyper-V or VMWare, a username with the words "malware", "sandbox", or "maltest", and compares the driver names with its blacklist of VM drivers.
This banking trojan attacks users mainly in Europe through spam sent via MailChimp since 2017. It steals the credentials of bank’s customers and manipulates their online sessions. Before installation, the malware uses a dropper to become aware of its environment. Thus, the dropper looks for specific names in the Windows Registry and virtual machine resources on disk. It also checks the device’s BIOS to discover whether there is a virtual machine client installation and examines the machine’s MAC address. If the dropper doesn't find any signs of the sandbox, the virus payload is executed and GootKit trojan carries out additional checks, like looking for hard drives, CPU names that confirm a physical machine, and virtual machine values.
3. ZeuS Panda
This is another banking trojan that uses environment-aware techniques to skip the sandbox. Its main goal is stealing user’s banking credentials and account numbers by implementing “man in the browser” attack. In order to infect a targeted computer, it changes the browser security settings and alarms. After loading, the trojan checks for indicators of the sandbox environment, like the presence of Sandboxie, ProcMon, SoftICE debugger, and other tools. In 2018, ZeuS Panda targeted banks in Japan, Latin America, the United States, as well as popular websites like YouTube, Facebook, and Amazon.
Heodo is a banking trojan that was first detected in 2016 and subsequently was used in a 2017 attack against the US bank clients. This malware infects victims through invoice emails from a known contact that contains an attached PDF file. After a user clicks on the attachment, the trojan is loaded. It uses a technology known as a crypter that allows the malware to hide from the sandbox environment. Heodo imbeds itself within the software that is already installed on the infected computes and makes mutated copies of itself on the infected system.
5. QakBot Trojan
A massive attack with the QakBot Trojan was detected in 2017 when the malware caused the lockouts of Active Directory users from their company's domain by stealing user credentials. This malware infects victims with a dropper that uses delayed execution to evade the sandbox. It loads to the targeted computer and waits for 10 to 15 minutes before its execution. While antivirus sandboxes analyze newly loaded files for a short period of time, the dropper remains undetected.
Locky is a classic example of environment aware malware that was released in 2016. It was spread during an email campaign that contained an infected Microsoft Word document. The document had a malicious macros that saved and run a binary file that downloads the encryption trojan. This malware easily bypasses the sandbox, as the virus execution begins with a user interaction, such as starting the macros, but the VM environment doesn't perform any interactions with the infected document.
How to withstand sandbox-evading malware
As you can see, hackers are applying different sandbox evasion techniques to make their viruses undetectable in the sandbox. After infecting the victimized computer, this malware tries to understand its environment by doing the following:
- looking for signs of virtual machine (ZeuS Panda)
- detecting system files (GootKit)
- waiting for user interactions (Locky, Kovter, Heodo)
- beginning its execution in a specified time (QakBot Trojan)
- obfuscating the system data (Grobios)
Sandbox technology is unable to detect environment-aware viruses and let them harm your computer. Thus, developers of security software should pay their attention to more progressive approaches of malware detection that are based on a customized sandbox environment, behavior analysis, machine learning, and others.
Sandbox-evading viruses are a new type of modern malware that can't be detected by traditional antivirus solutions. Computer users are now at a high risk to become a victim of cyber criminals as this malware is rapidly spreading across the Web. While users should follow the best cybersecurity practices, software developers should hurry up with the implementation of the latest technologies to improve their anti-malware solutions.