Not child's play: 69 percent of malware with sandbox evasion capabilities used for cyberespionage

Threat actors combine sandbox evasion and anti-analysis methods in malware distribution

Positive Technologies has analyzed 36 malware families containing sandbox detection and evasion capabilities that have been active in the last 10 years. The company's findings show that 25 percent of that malware was active in 2019–2020, and that at least 23 APT groups around the world have used it in attacks. Additionally, 69 percent of the malware analyzed was used for espionage.

As they traced the evolution of sandbox evasion and anti-analysis techniques, Positive Technologies experts observed that the same malware family used different methods in different years to evade sandboxes. Additionally, attackers would try to stack multiple techniques simultaneously. If one method did not work and was thwarted by the sandbox, the malware would fall back on other signs to determine whether it was running in a virtual environment and, if so, terminate itself to avoid discovery.

These techniques were most common in remote access tools (56% of the malware in question) and loaders (14%). Olga Zinenko, Positive Technologies senior analyst, explained: "This malware is used to perform reconnaissance and gather information about the target system. If attackers spot that the malware is running inside a virtual environment, such as a sandbox, they will not pursue this attack vector or download the payload. Instead, the malware goes dormant in order to maintain stealth."

Of the studied malware, 25 percent was active in the 2019–2020 period. In 2018–2019, the number of sandbox-evading malicious programs increased. However, this is likely because security experts are now performing more investigations of malware samples.

The most common sandbox evasion techniques seen were WMI queries[1] (25% of malware), other environment checks (33%), and checking the list of running processes (19%). Malware used for cyberespionage accounted for 69 percent of the analyzed samples. Such attacks require staying invisible on the victim's system for as long as possible, which is why malware developers look for ways to stealthily establish and maintain persistence.
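A defender-side illustration of the behaviour described in the two paragraphs above (several environment probes stacked together, then dormancy if the sample decides it is being watched). This is an added example, not code from Positive Technologies or its report: it scores a sandbox behaviour trace for the three technique groups the report names and flags traces where probing is followed by an early exit with no payload activity. The trace line format (`<seq> <category> <detail>`), the category names and the 5-second early-exit threshold are assumptions for this example, not any sandbox vendor's real schema; the WMI classes and Win32 API names are real.

```python
"""Flag sandbox traces that look like stacked environment probing followed
by dormancy. Constructed example: the trace format, category names and the
EARLY_EXIT_MS threshold are assumptions, not a real sandbox schema."""
import re
from dataclasses import dataclass, field

# WMI classes commonly queried for hardware/firmware details (real classes).
WMI_PATTERN = re.compile(
    r"SELECT\s.+\sFROM\s+Win32_(ComputerSystem|BIOS|DiskDrive|VideoController|Processor)\b",
    re.IGNORECASE,
)
# Real Win32 APIs, grouped the way the report groups techniques.
PROCESS_ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32First",
                     "Process32Next", "EnumProcesses"}
ENV_CHECK_APIS = {"GetSystemInfo", "GlobalMemoryStatusEx", "GetTickCount",
                  "GetCursorPos", "IsDebuggerPresent"}
# Events showing the sample actually did something after probing.
PAYLOAD_EVENTS = {"network_connect", "file_write_exe", "create_process"}
EARLY_EXIT_MS = 5000  # assumption: exit within 5 s with no payload = dormant


@dataclass
class Verdict:
    wmi_queries: int = 0
    process_enum: int = 0
    env_checks: int = 0
    payload_activity: int = 0
    early_exit: bool = False
    techniques: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Two or more distinct probe types, then silence and an early exit:
        # the "stack several checks, then go dormant" pattern.
        return (len(self.techniques) >= 2
                and self.payload_activity == 0
                and self.early_exit)


def analyse(trace_lines):
    """Walk a behaviour trace and tally evasion-style indicators."""
    v = Verdict()
    for raw in trace_lines:
        parts = raw.strip().split(" ", 2)
        if len(parts) < 3:
            continue  # blank or malformed line
        _seq, category, detail = parts
        if category == "wmi" and WMI_PATTERN.search(detail):
            v.wmi_queries += 1
            v.techniques.add("wmi_query")
        elif category == "api" and detail in PROCESS_ENUM_APIS:
            v.process_enum += 1
            v.techniques.add("process_enumeration")
        elif category == "api" and detail in ENV_CHECK_APIS:
            v.env_checks += 1
            v.techniques.add("environment_check")
        elif category in PAYLOAD_EVENTS:
            v.payload_activity += 1
        elif category == "exit":
            m = re.search(r"uptime_ms=(\d+)", detail)
            v.early_exit = bool(m) and int(m.group(1)) < EARLY_EXIT_MS
    return v


# Constructed traces for illustration, not captures from any real sample.
EVASIVE_TRACE = """
001 api GetSystemInfo
002 wmi SELECT * FROM Win32_ComputerSystem
003 api CreateToolhelp32Snapshot
004 api Process32Next
005 exit code=0 uptime_ms=850
""".strip().splitlines()

BENIGN_TRACE = """
001 api GetSystemInfo
002 file_write_exe C:\\Program Files\\App\\app.exe
003 create_process C:\\Program Files\\App\\app.exe
004 exit code=0 uptime_ms=42000
""".strip().splitlines()

if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE)):
        v = analyse(trace)
        print(f"{name}: suspicious={v.suspicious} techniques={sorted(v.techniques)}")
```

The benign trace also calls GetSystemInfo, which is why the verdict requires at least two distinct probe types plus an early exit with no payload activity rather than reacting to any single environment query; one indicator on its own is routine for ordinary installers.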

Malware developers often use obfuscation to frustrate attempts to analyze their code. As a result, it is increasingly difficult to perform static analysis of malicious files and match suspicious files against known signatures and hashes.

Alexey Vishnyakov, Head of Malware Detection at Positive Technologies, said: "In recent years, malware developers have been trying especially hard to evade code analyzers. Hackers do all they can to hide malicious functions from security researchers and avoid tripping any known indicators of compromise. Traditional defenses may not be able to detect malicious programs. For detecting today's malware, we recommend analyzing file behavior in a secure sandbox environment. Using a sandbox enriches IOC databases and provides companies with information for improving cyber threat response."

[1] Windows Management Instrumentation (WMI) queries are used to access devices, accounts, services, processes, network interfaces, and other programs.