Evolution of Malware Sandbox Evasion Tactics – A Retrospective Study

24 Dec

Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. One of the dominant categories of evasion is anti-sandbox detection, simply because today’s sandboxes are becoming the fastest and easiest way to get an overview of a threat. Many companies use these systems to detonate the malicious files and URLs they find, obtaining more indicators of compromise to extend their defenses and block related malicious activity. Nowadays we understand security as a global process, and sandbox systems are part of this ecosystem; that is why we must pay attention to the methods malware uses against them and how we can defeat those methods.

Historically, sandboxes allowed researchers to visualize the behavior of malware accurately within a short period of time. As the technology evolved over the past few years, malware authors started producing malicious code that delves much deeper into the system to detect the sandboxing environment.

As sandboxes became more sophisticated and evolved to defeat the evasion techniques, we observed multiple strains of malware that dramatically changed their tactics to remain a step ahead. In the following sections, we look back on some of the most prevalent sandbox evasion techniques used by malware authors over the past few years and validate the fact that malware families extended their code in parallel, introducing stealthier techniques.

The following diagram shows one of the most prevalent sandbox evasion tricks we will discuss in this blog, although many others exist.

Delaying Execution

Initially, several strains of malware were observed using timing-based evasion techniques (latent execution), which primarily boiled down to delaying the execution of the malicious code for a period using known Windows APIs like NtDelayExecution, CreateWaitableTimer, SetTimer and others. These techniques remained popular until sandboxes started identifying and mitigating them.

GetTickCount

As sandboxes identified malware and attempted to defeat it by accelerating code execution, malware resorted to acceleration checks using multiple methods. One of those methods, used by multiple malware families including Win32/Kovter, was calling the Windows API GetTickCount followed by code that checks whether the expected time had elapsed. We observed several variations of this method across malware families.

Sandbox vendors could easily counter this evasion technique simply by taking the snapshot after the machine had been running for more than 20 minutes.

API Flooding

Another approach that subsequently became more prevalent, observed in Win32/Cutwail malware, is calling a garbage API in a loop to introduce the delay, dubbed API flooding. Below is the code from the malware that shows this method.

Inline Code

We observed how this code resulted in a denial-of-service (DoS) condition, since sandboxes could not handle it well enough. On the other hand, this sort of behavior is not too difficult for more involved sandboxes to detect. As they became more capable of handling API-based stalling code, yet another strategy to achieve a similar objective was to introduce inline assembly code that waited for more than 5 minutes before executing the hostile code. We found this technique in use as well.

Sandboxes are now much more capable, armed with code instrumentation and full system emulation capabilities to identify and report stalling code. Even so, this simplistic approach turned out to sidestep most of the advanced sandboxes. In our observation, the following depicts the growth of the popular timing-based evasion techniques used by malware over the past few years.

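As an added example (not code from the McAfee post), the following Python scores a sandbox API trace for the two stalling patterns from the GetTickCount, API Flooding and Inline Code sections above: a Cutwail-style garbage-API loop and a Kovter-style tick check around a long sleep. The trace format, thresholds and sample lines are constructed assumptions; adapt them to what your sandbox actually logs.

```python
"""Spot timing-based stalling in a sandbox API-call trace (added example).

Assumed trace format, one call per line: "<ms since start> <api>(<args>) = <ret>".
GetTickCount returns are logged as decimal ticks, sleeps as milliseconds.
"""
import re

LINE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}


def parse_trace(text):
    """Return a list of (time_ms, api, args, ret) tuples; malformed lines are skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if m:
            ms, api, args, ret = m.groups()
            calls.append((int(ms), api, args, ret))
    return calls


def tickcount_checks(calls, min_delay_ms=60_000):
    """Find GetTickCount -> long sleep -> GetTickCount sequences.

    Each finding records the delay the sample asked for and the tick delta it
    observed.  A delta smaller than the request means the sandbox skipped the
    sleep without advancing the tick counter, so the sample could tell it was
    being accelerated (the gap the 20-minute snapshot trick is meant to close).
    """
    findings = []
    last_tick = None
    pending_delay = 0
    for _, api, args, ret in calls:
        if api == "GetTickCount":
            tick = int(ret)
            if last_tick is not None and pending_delay >= min_delay_ms:
                findings.append({
                    "requested_ms": pending_delay,
                    "observed_ms": tick - last_tick,
                    "sandbox_exposed": tick - last_tick < pending_delay,
                })
            last_tick, pending_delay = tick, 0
        elif api in SLEEP_APIS:
            pending_delay += int(args.split(",")[0])
    return findings


def api_floods(calls, min_run=500):
    """Flag runs of one API with identical arguments and nothing in between,
    the 'garbage API in a loop' delay.  Reports api, call count and wall time."""
    floods = []
    start = 0
    for i in range(1, len(calls) + 1):
        if i == len(calls) or calls[i][1:3] != calls[start][1:3]:
            if i - start >= min_run:
                floods.append({"api": calls[start][1], "count": i - start,
                               "elapsed_ms": calls[i - 1][0] - calls[start][0]})
            start = i
    return floods


# Constructed trace: 2000 GetSystemTime calls in a tight loop, then a tick
# check around a 5-minute sleep that the (assumed) sandbox fast-forwarded
# without patching GetTickCount, so only 10 ticks appear to have passed.
SAMPLE_TRACE = "\n".join(
    ["0 GetTickCount() = 1000"]
    + [f"{1 + i} GetSystemTime(0x19f8c8) = 0" for i in range(2000)]
    + ["2100 GetTickCount() = 3100",
       "2101 Sleep(300000) = 0",
       "2105 GetTickCount() = 3110"]
)

if __name__ == "__main__":
    calls = parse_trace(SAMPLE_TRACE)
    print("API floods:", api_floods(calls))
    print("Tick checks:", tickcount_checks(calls))
```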

Hardware Detection

Another category of evasion tactic widely adopted by malware was fingerprinting the hardware, specifically checking the total physical memory size, the available hard disk size and type, and the number of available CPU cores.

These methods became prominent in malware families like Win32/Phorpiex, Win32/Comrerop, Win32/Simda and multiple other prevalent ones. Based on our tracking of their variants, we noticed that the Windows API DeviceIoControl() was primarily used with specific control codes to retrieve the storage type and storage size.

Ransomware and cryptocurrency mining malware were found checking the total available physical memory using the well-known GlobalMemoryStatusEx() trick. A similar check is shown below.

Storage Size check:

Illustrated below is an example of API interception code implemented in the sandbox that can manipulate the returned storage size.

Subsequently, a Windows Management Instrumentation (WMI) based approach became more favored, since these calls could not be easily intercepted by the existing sandboxes.

Here is our observed growth path in the tracked malware families with respect to the storage type and size checks.

CPU Temperature Check

Malware authors are always adding new and interesting methods to bypass sandbox systems. Another check that is quite interesting involves checking the temperature of the processor in execution.

A code sample where we saw this in the wild is:

The check is executed through a WMI call on the system. This is interesting because VM systems never return a result for this call.

CPU Count

Popular malware families like Win32/Dyreza were seen using the CPU core count as an evasion strategy. Several malware families were initially found using a trivial API based route, as outlined earlier. However, most malware families later resorted to WMI and stealthier PEB access-based methods.

Any evasion code in the malware that does not rely on APIs is challenging to identify in the sandboxing environment, and malware authors look to use it more often. Below is a similar check introduced in the earlier strains of malware.

There are a number of ways to get the CPU core count, though the stealthier way was to access the PEB, which can be achieved by introducing inline assembly code or by using intrinsic functions.

One of the relatively newer techniques to get the CPU core count has been outlined in a blog post. However, in our observations of malware using the CPU core count to evade automated analysis systems, the following techniques were adopted in the outlined sequence.

User Interaction

Another class of infamous techniques malware authors used extensively to circumvent the sandboxing environment exploits the fact that automated analysis systems are never manually interacted with by humans. Conventional sandboxes were never designed to emulate user behavior, and malware was coded with the ability to determine the discrepancy between automated and real systems. Initially, multiple malware families were found monitoring for Windows events and halting execution until they were generated.

Below is a snapshot from a Win32/Gataka variant using GetForegroundWindow and checking whether another call to the same API changes the window handle. The same technique was found in Locky ransomware variants.

Below is another snapshot from the Win32/Sazoora malware, checking for mouse movements, which became a technique widely used by several other families.

Malware campaigns were also found deploying a range of techniques to check for historical interactions with the infected system. One such campaign, delivering the Dridex malware, extensively used an auto-execution macro that triggered only when the document was closed. Below is a snapshot of the VB code from one such campaign.

The same malware campaign was also found introducing registry key checks in the code for MRU (Most Recently Used) files to validate historical interactions with the infected machine. Variations of this approach were found doing the same check programmatically as well.

MRU check using Registry key: \HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\User MRU

Programmatic version of the above check:

Here is our depiction of how these approaches gained adoption among evasive malware.

Environment Detection

Another technique used by malware is to fingerprint the target environment, exploiting misconfiguration of the sandbox. At the beginning, tricks such as the Red Pill technique were enough to detect the virtual environment, until sandboxes started to harden their architecture. Malware authors then used new techniques, such as checking the hostname against common sandbox names, or checking the registry to verify the programs installed; a very small number of installed programs might indicate a fake machine. Other techniques, such as checking the filename to detect whether a hash or a keyword (such as "malware") is used, have also been implemented, as have enumerating running processes to spot potential monitoring tools and checking the network address against blacklisted ones, such as those of AV vendors.

Locky and Dridex used tricks such as detecting the network.

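The hardware, WMI, user-interaction and MRU checks described in the sections above all leave a trace in the sandbox's own event log, and the following Python (an added example, not McAfee's or any product's code) flags a sample that fingerprints the host and then exits without doing anything. Events are taken as dicts in a constructed report shape; the "WmiQuery" event name, the field names and the thresholds are assumptions, and checks that never touch an API, such as the PEB-based core count, leave no such event and need instrumentation instead.

```python
"""Flag 'fingerprint the host, then bail out' in a sandbox event list (added example).
Events are dicts {"api", "args", "ret"} in an assumed report shape; "WmiQuery" is a
stand-in name for whatever hook logs IWbemServices::ExecQuery in your sandbox."""

# DeviceIoControl codes used to size and type the disk (Windows SDK values).
IOCTL_STORAGE_QUERY_PROPERTY = 0x002D1400
IOCTL_DISK_GET_LENGTH_INFO = 0x0007405C
DISK_IOCTLS = {IOCTL_STORAGE_QUERY_PROPERTY, IOCTL_DISK_GET_LENGTH_INFO}

# WMI classes behind the storage, memory, CPU-count and CPU-temperature checks.
WMI_CLASSES = {
    "win32_diskdrive": "storage",
    "win32_physicalmemory": "memory",
    "win32_computersystem": "memory/cpu count",
    "win32_processor": "cpu count",
    "msacpi_thermalzonetemperature": "cpu temperature",
}
POLL_APIS = {"GetForegroundWindow", "GetCursorPos"}   # user-interaction polling
MRU_KEY_FRAGMENT = r"\word\user mru"                   # Office MRU key named in the post
ACTIVITY_APIS = {"CreateProcessW", "WriteFile", "connect", "RegSetValueExW"}


def classify(event):
    """Return the fingerprint category an event belongs to, or None."""
    api, args = event.get("api", ""), event.get("args", {})
    if api == "DeviceIoControl" and args.get("ioctl") in DISK_IOCTLS:
        return "storage size/type"
    if api == "GlobalMemoryStatusEx":
        return "memory"
    if api == "WmiQuery":
        query = args.get("query", "").lower()
        for cls, category in WMI_CLASSES.items():
            if cls in query:
                return "wmi " + category
    if api in ("RegOpenKeyExW", "RegQueryValueExW") and \
            MRU_KEY_FRAGMENT in args.get("key", "").lower():
        return "recent documents (MRU)"
    return None


def stale_polls(events, min_polls=20):
    """APIs polled >= min_polls times whose return value never changed: the sample
    waited for a window or cursor change that a sandbox without user emulation
    never produces."""
    seen = {}
    for e in events:
        if e.get("api") in POLL_APIS:
            seen.setdefault(e["api"], []).append(e.get("ret"))
    return {api: len(r) for api, r in seen.items()
            if len(r) >= min_polls and len(set(r)) == 1}


def evasion_verdict(events):
    """Two or more fingerprint signals, then ExitProcess with no file, process,
    network or registry-write activity: the profile of a sample that bailed out."""
    categories = []
    for e in events:
        c = classify(e)
        if c and c not in categories:
            categories.append(c)
    polls = stale_polls(events)
    did_anything = any(e.get("api") in ACTIVITY_APIS for e in events)
    exited = bool(events) and events[-1].get("api") == "ExitProcess"
    return {
        "fingerprints": categories,
        "stale_polls": polls,
        "likely_evaded": len(categories) + len(polls) >= 2 and exited and not did_anything,
    }


# Constructed event stream: disk-length IOCTL, 30 unchanged foreground-window polls,
# a CPU WMI query, an MRU key lookup that fails (ret 2 = ERROR_FILE_NOT_FOUND),
# then a clean exit with no payload activity.
SAMPLE_EVENTS = (
    [{"api": "DeviceIoControl", "args": {"ioctl": IOCTL_DISK_GET_LENGTH_INFO}, "ret": 1}]
    + [{"api": "GetForegroundWindow", "args": {}, "ret": "0x1a0b2"} for _ in range(30)]
    + [{"api": "WmiQuery", "args": {"query": "SELECT NumberOfCores FROM Win32_Processor"}, "ret": 0},
       {"api": "RegOpenKeyExW",
        "args": {"key": r"HKCU\Software\Microsoft\Office\16.0\Word\User MRU"}, "ret": 2},
       {"api": "ExitProcess", "args": {"code": 0}, "ret": None}]
)
```

On a sandbox that seeds MRU entries and moves the cursor, the same sample would show changing poll values and a successful key open, and the verdict flips to False.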

Using Evasion Techniques in the Delivery Process

In the past few years we have observed how the use of sandbox detection and evasion techniques has been increasingly implemented in the delivery mechanism to make detection and analysis harder. Attackers are increasingly likely to add a layer of protection to their infection vectors to avoid burning their payloads. Thus, it is common to find evasion techniques in malicious Word and other weaponized documents.

McAfee Advanced Threat Defense

McAfee Advanced Threat Defense (ATD) is a sandboxing solution which replicates the sample under analysis in a controlled environment, performing malware detection through advanced static and dynamic behavioral analysis. As a sandboxing solution it defeats evasion techniques seen in many adversaries. McAfee’s sandboxing technology is armed with multiple advanced capabilities that complement each other to bypass the evasion techniques that attempt to check for the presence of virtualized infrastructure, and it makes sandbox environments behave like real physical machines. The evasion techniques described in this paper, where adversaries widely employ code or behavior to evade detection, are bypassed by the McAfee Advanced Threat Defense sandbox, which handles:

  • Use of Windows APIs to delay the execution of the sample, and checks of hard disk size, CPU core count and other environment information.
  • Methods to identify human interaction through mouse clicks, keyboard strokes and interactive message boxes.
  • Retrieval of hardware information such as hard disk size, CPU count and hardware vendor through registry artifacts.
  • System uptime checks to identify how long the system has been alive.
  • Checks for the color depth and resolution of the Windows display.
  • Recent documents and files used.

In addition to this, McAfee Advanced Threat Defense is equipped with smart static analysis engines as well as machine-learning based algorithms that play a significant detection role when samples detect the virtualized environment and exit without exhibiting malware behavior. One of McAfee’s flagship capabilities, the Family Classification Engine, works at the assembly level and provides significant traces once a sample is loaded in memory, even if the sandbox detonation is not completed, resulting in enhanced detection for our customers.

Conclusion

Traditional sandboxing environments were built by running virtual machines over one of the available virtualization solutions (VMware, VirtualBox, KVM, Xen) which leaves huge gaps for evasive malware to exploit.

Malware authors continue to improve their creations by adding new techniques to bypass security solutions, and evasion techniques remain a powerful means of detecting a sandbox. As technologies improve, so do malware techniques.

Sandboxing systems are now equipped with advanced instrumentation and emulation capabilities which can detect most of these techniques. However, we believe the next step in sandboxing technology is going to be the bare metal analysis environment which can certainly defeat any form of evasive behavior, although common weaknesses will still be easy to detect.

Source: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
24 12 19

A Cybersecurity and Artificial Intelligence Forecast for 2020

24 Dec

  • Malware developers already use a variety of techniques to evade sandboxes.
  • In 2020, we believe that new malware, using AI models to evade sandboxes, will be born.
  • The focus of the global hacker community will shift to emphasize ransomware and cryptojacking.

Our focus is on using deep learning to advance the standards in malware detection (and we see a lot of good happening in that regard) so we bring a unique perspective to these two areas.

And not to brag, but when the question came up last year we provided a modest forecast that turned out to be fairly accurate. Here’s a quick recap:

- We said that AI would be a key component to the delivery and management of 5G wireless services, which is in line with what the industry is now saying about its roll-out.

- Our bet was behind the emergence of AI-as-a-Service. It’s comforting to know that Microsoft CEO Satya Nadella agrees, and sees a $77 billion market by 2025, according to Motley Fool.

- Last year we predicted the emergence of more sophisticated learning techniques, advancing the capabilities and efficacy of machine learning and deep learning algorithms, and that has been happening.

- We’ll even take credit for our prediction that AI in all its forms would see greater commercialization and consumerization, even though that one was probably self-evident in hindsight. Development and improvement in products like smart assistants, smartphones, autonomous vehicles, medical devices and more will continue apace now that AI is mainstream.

So what can we expect for 2020? We’re going to keep our forecast in the realm of cybersecurity and AI this year, looking at both the threat landscape and the emergence of innovative defenses. Here are five trends we see developing in the new year.

Cybercrime will focus on ransomware and cryptojacking

The focus of the global hacker community will shift to emphasize ransomware and cryptojacking. Ransomware has proven to be a lucrative source of income for hackers, and as associated malware and delivery techniques become more effective, that is only going to embolden them. Most hackers launch attacks from locations beyond the reach of U.S. authorities, and they collect payments in the form of cryptocurrency to minimize the risk factor of their illicit endeavors. And as cryptocurrency becomes more mainstream, we foresee a sharp increase in attacks intended to hijack computing resources to power the computations necessary to “mine” coins. What we’re seeing in Blue Hexagon Labs research is that cryptojacking attacks appear to have an inverse relationship to ransomware attacks. This is likely driven by hacker motivations; as the value of cryptocurrency increases, it may be more lucrative (and easier) to focus on cryptojacking than ransomware.

Malware-as-a-Service becomes increasingly sophisticated

Criminal hackers are innovators and entrepreneurial (even if they are evil, self-centered, and destructive innovators and entrepreneurs). As such, they are keen on minimizing cost and risk, and one way they are doing that is by productizing their tools and skills. As a result, Malware-as-a-Service hacking groups are now selling kits and automated services on dark web marketplaces. In March of this year, we wrote about Gandcrab ransomware-as-a-service. We will see these services increase in sophistication in the coming year–for example, the ability to select customizations such as the type of obfuscation or evasion techniques, and the way the malware is delivered. This will make it easier for anyone to get in on the malware game, creating a force multiplier effect that will increase the number of threats enterprises will face in the years to come.

First malware using AI-Models to evade sandboxes will be born in 2020

Malware developers already use a variety of techniques to evade sandboxes. A recent article explained that “Cerber ransomware runs 28 processes to check if it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.”

In 2020, we believe that new malware, using AI models to evade sandboxes, will be born. This has already been investigated in academia. Instead of using rules to determine whether the “features” and “processes” indicate the sample is in a sandbox, malware authors will instead use AI, effectively creating malware that can more accurately analyze its environment to determine if it is running in a sandbox, making it more effective at evasion. As a result of these malware author innovations and existing limitations, the sandbox will become ineffective as a means to detect unknown malware. Correspondingly, cybersecurity defenders’ adoption of AI-powered malware defenses will increase.

The rollout of 5G networks will bring new attack vectors

The infrastructure needed to roll out and manage new 5G networks requires a more complex, software-defined architecture than older communication networks. This new architecture means services will operate within a more complex environment with a broader attack surface that requires more security diligence on the part of the service providers. In addition, the advent of 5G networks will enable more endpoint devices that will require security at the network edge. Hackers, in particular, nation-state threat actors, will work hard to find and exploit weaknesses in this architecture to intercept traffic, disrupt services, and deliver payloads to endpoints and networks.

Privacy regulations drive more spending in cybersecurity

The European Union’s General Data Protection Regulation (GDPR) has inspired a number of privacy regulations, including the new California Consumer Privacy Act (CCPA). In the CCPA, California has created a combined privacy and breach disclosure law that goes into effect on January 1, 2020. The office of the California attorney general recommends NIST (800-53 or CSF) or ISO 27001 as their standards for implementation, and uses CIS Controls for security program guidance. That means an emphasis on malware detection and prevention, and with data breach violations reaching hundreds of millions of dollars in the EU and U.S., we predict CCPA and the recent history of enforcement will drive a significant increase in cybersecurity spending.

Even though the overall theme of these predictions suggests increasing threats and risks to the enterprise, we do see cause for optimism. Our experience with the application of deep learning to meet the challenges of threat detection and prevention gives us hope that, as our efforts and those of other innovators continue and build momentum, 2020 will be regarded as the year our industry finally turned the tide against hackers.

Source: https://www.globaltrademag.com/a-cybersecurity-and-artificial-intelligence-forecast-for-2020/
24 12 19

The Greatest Cybersecurity Threats Targeting Your Business in 2020

24 Dec

Cybersecurity threats are as inevitable as superhero movie sequels. But what do you do when you don’t have the Avengers to block cyberhackers from exploiting every vulnerability you didn’t even know about?

First, you can’t underestimate the threat. According to Ginni Rometty, President and CEO of IBM, “Cybercrime, by definition, is the greatest threat to every profession, every industry, every company in the world.” Some estimates indicate that cybercrime will cost the world $6 trillion annually by 2021. Last year, Norton discovered that over 60 million Americans were targeted by cyberattacks.

The hard truth is that you and your business are at risk and making sure you aren’t exposed isn’t easy. While there are ample tools at your disposal to ensure your safety against what’s already known, preparation is the only way to handle the types of yet-to-be-defined problems that will hit millions of businesses in 2020 and beyond. We scoured all the data and published research forecasting emerging threats and discovered the five most dangerous trends to watch for next year.

1. Corrupting Government

With the 2020 US presidential elections only months away, the politically-targeted cyberattacks will continue in full force. This year alone had over 800 political cyberattacks, according to research provided by Microsoft in an interview with Rolling Stone. Though aimed at political parties, candidates, and the US government, attacks like these pose a serious threat to US residents—and we’re not just talking about the safety of their personal information and identity.

Foreign entities are attacking the US in a number of ways—many of which threaten the nation’s security offline. In 2019, North Korean hackers phished to find which countries were studying their nuclear efforts. Before that, an espionage group from Iran targeted US government infrastructures, according to the Center for Strategic and International Studies. The number of political cyberattacks to come in 2020 will likely make the 800 that happened this year seem insignificant.

2. Exposing Healthcare

The healthcare industry is a treasure trove of personal information and health data, making it one of the greatest gatekeepers of personal information. That means it is also a major target for cyberattacks. But criminals want way more than just your identity. In fact, a growing risk for 2020 is the theft of intellectual property such as the Chinese-state sponsored hackers who targeted US cancer institutes, according to CSIS.

What’s unusual about this is that some of those found to be hacking the healthcare industry are small bands of hackers, as opposed to large criminal organizations. Generally, personal information is the most valuable to small band hackers as it can be quickly sold for large sums. According to the healthcare analytics firm, Protenus, the number of exposed patient records has doubled from 15 million in 2018 to 32 million between January and June 2019.

3. Breaching Social

People are watching you on social. That is the purpose of social media, after all. The trouble is who is watching you, what type of information they are looking for, and how they can use that information for strategic cyberattacks. Social media has grown rapidly in the past decade, and with it, so has social media cybercrime. According to the Bromium report on Social Media and Cyber Crime, 20% of organizations are infected by malware from social media connections.

What makes social a gaping opportunity for cybercrime is that it can be used by hackers to act as a Trojan Horse. This creates a domino effect where a cybercriminal can infect an account or ad with malware that gets passed on to reach an entire user’s network, and those users’ networks. What’s more, hackers are becoming more advanced and are beginning to use social to not just hack individuals, but the companies that users work for, according to Fast Company. This means you could be exposing your employer to attacks or your employees could be unwittingly inviting these issues to your company.

4. Targeting New Tech

The much-anticipated rollout of 5G in 2020 holds the power to change the way we use the internet with faster-than-ever speeds, but it will also change the sheer volume of devices susceptible to cyberattacks, according to NeuShield. From increasing the risks involved with mobile banking to something as nonessential as virtual reality headsets, we will be surrounded by potential cyberthreats.

The reason 5G will make everyone more vulnerable to cyberattacks is that it enables such a diverse range of devices, making it difficult to create and provide security measures that can serve all. Mobile banking alone saw a 50% increase in cyberattacks from 2018 to 2019, according to Check Point’s “Cyber Attack Trends: 2019 Mid-Year Report,” and that number is likely to increase with the introduction of 5G.

5. Hacking Your Home

Smart homes are not always such a smart idea. While the technology was created to simplify our lives, devices like the Google Home and Amazon Echo are turning into smart spies. Your handy home assistant is prone to cyberattacks, enabling hackers to spy on users in their homes, according to an interview with Karsten Nohl, chief scientist at Security Research Labs, with BBC News.

At-home safety also goes beyond smart home devices. Other tech tools and gadgets we use at home might feel like modern-day lifesavers, but many are putting our families at risk. It sounds great to turn off lights remotely or open your garage door from your phone, but these same technologies are highly susceptible to being hacked, and in the process both homes and identities are exposed.

Bottom Line – Emerging Cybersecurity Threats 2020

According to the National Cyber Security Alliance, 60% of small and midsized businesses that were hacked went out of business within six months of the assault. The reasons why are obvious with a 2019 study discovering that cyberattack incidents cost businesses of all sizes an average of $200,000. We conducted this analysis of the latest technologies to discover which pose the biggest cybersecurity threats in 2020 that have the power to affect the highest number of people.

Whether hackers are pursuing individuals, companies, or political systems, everyone is at risk, and when something happens millions are affected, directly or indirectly. While we can’t live in a bubble, the first step to protecting against cybercrime is awareness.

Source: https://fitsmallbusiness.com/cybersecurity-threats-targeting-your-business/
24 12 19