Latest Sandbox Evasion Techniques

Ramesh Dhanalakota, Mary Silviya

Microsoft

Agenda:

The cyber world has facing challenges with ever-evolving malwares which infiltrates all the defense mechanisms, and surreptitiously exfiltrate sensitive data, understanding the behavior of such malwares provides leisure to effectively combat them. Many antivirus companies, malware analysts and threat detection tools use malware sandboxes to analyze malware behavior without causing harm to the underlying hosts or sensitive data and preventing the malware from spreading across the network, The results of these malware actions/behavior are then recorded for subsequent study,

 In our research, we focus on the latest sandbox evasion techniques based on printf calls, WMI/Registry queries, Loaded DLLs etc. employed by some of the latest malwares such as wiper (which has seen targeting the 2021 Tokyo Olympic games), Maze, Tickbot, Snake etc. The history of evasion goes back to the 1980s, when a piece of malware partially encrypted its own code, rendering the content unreadable by security analysts. Since then, a dark market for the shelf evasion technology has developed and is exploited and utilized by the several contemporary malware families. Over the years most of the highly sophisticated malwares started altering their behavior once it detects that it is being executed on a sandbox environment, among them Context aware malwares was very famous and common, one classic example of context-aware malware was the Conficker worm, which has declined to infect Ukrainian machines.

We observed the malwares are stacked with multiple techniques simultaneously, if one technique did not work and thwarted by the sandbox, the malware would automatically use other indicators to determine if it is running in a virtual environment. These techniques were mostly commonly seen in remote access tools and loaders. These Advanced malwares, most often used by the APT groups, these malwares are engineered to evade detection for days or months and activating its malicious payload based on some predefined trigger.

We will also demonstrate some of these latest malwares such as Revil, Agent Tesla, Bazar malwares and their invasion techniques with a high-level Technical Details. our research would also elaborate how these malwares were evolved in the last 10 years.

Keywords:

Context-Aware, Anti-debugging, WMI, Registry, Wiper, Revil, Conficker, Agent Tesla