5 Sandbox Evasion Techniques and Tricks

January 7, 2021

Segmented off from the rest of the operating system, the sandbox is the place to poke, prod, and generally test suspicious incoming files in a relatively safe environment before allowing them to enter the rest of the system. 

Sandboxes provide one the most rudimentary forms of defense against file-borne malware. Like the security screening at an airport, the sandbox allows the defenders to investigate, observe, and determine if the file is safe enough to make it into the terminal and board the plane.

However, for many types of file-borne malware, the sandbox is not an effective method for identifying risky files. Hackers have found multiple creative ways to convince the sandbox that their malware files are benign—even when they aren’t.

Attackers are getting more skilled at using Environment Awareness techniques to determine if they are in a testing environment like a sandbox, virtualization, or other segmented space. They utilize tricks like keeping their malware inactive so that it can slip through the defenses.

Think of a wolf in sheep’s clothing so that it can sneak past the watchful eye of the shepherd. Then assume that the wolf has five other evasion tricks…and you get the idea.

Given the challenge of keeping their organizations safe, the key for Blue Teams is to know what sandbox evasion techniques are being used in the wild and adjust their defenses accordingly. We have compiled a list of five sandbox evasion techniques to watch out for.

System Checks Evasion

Most criminals prefer not to be observed while committing their crimes, and hackers are no different.

Some malware types will perform active system checks to assess whether or not they are in an analysis environment like a sandbox and adjust their behavior accordingly. They look for various artifacts of a sandbox like analysis tools.

If the environment is deemed to be too risky because they detect signs that they might be in a virtualization or sandbox environment, then they will disengage and try their luck another time. Some malware takes this exit strategy to the next level and will release a “test” payload before revealing its heavy weapons, preferring to burn its less valuable code rather than a more expensive tool that they can use at a later point.

CHOPSTICK is an example of a malware backdoor tool associated with Russia’s APT 28 that will stop from executing its payload if the sandbox analysis environment is detected. 

Time-Based Evasion

Security professionals are under constant pressure to ensure the best levels of protection without hampering productivity. One of their biggest constraints is the amount of time that an organization will tolerate their inbound files being held in quarantine before it needs to be released.

Hackers on the other hand have much less pressure, and can wait out the clock for the security tools of the sandbox to let their guard down before executing system compromise.

Time-based evasion works by the malware remaining dormant and disguised for longer periods of time. They may wait for native system scheduling functionalities or programmatic sleep commands to run before beginning their attack.

Examples in the wild, like the FatDuke malware that has been used by Russian APT 29 is capable of turning itself off and on, has proved to be effective in countering time-based detection. Simmeraly the GoldenSpy malware’s installer will wait for two hours before installing its malicious payload.   

Blinding the Monitor

Analyzing files for potential malicious content requires the sandbox to get up close and personal with in-guest monitoring. The entails adding code or hooks into the environment and observing how the file reacts.

In order to defeat the sandbox’s monitoring, the malware can flood the zone by overwhelming it with a sizable number of irrelevant/illegitimate API calls or direct system calls that essentially “blinds the monitor.” In this case, the malware is making so much noise that the analysis tools in the sandbox are unable to tell the difference between what is relevant and what is not.

Carberp is an example of a malware that has been used to remove hooks as a part of its sandbox evasion efforts.

Identifying Physical Markers

As security vendors have improved the capabilities of their software to be craftier at avoiding detection by malware, better disguising their sandboxes to appear as the real deal operating system, hackers have also evolved to look beyond the software to the hardware for clues that they are being observed.

In Francis Guibernau’s presentation at the USENIX Enigma 2020, one of the interesting techniques that he found for testing if his malware is in a virtual environment is looking for the physical elements that one would find in a piece of hardware.

He explains that the malware in his research looks to find evidence of factors like the temperature of the device, checking to see if it is above the normal operating temperature. If so, he says that it could point to a virtual environment consuming additional energy, thereby warning his malware to remain dormant.

Then there are the additional elements that his malware can look for, searching around for peripherals such as a mouse or keyboard that would not be present in the virtual space. It even looks for the additional CPU cores.

Another technique that is used is looking for IDs and addresses that are indicative of the virtualization. These include details like the processor and device IDs as well as the system name, which Guibernau says then runs those details against a blocklist of known virtualization vendors. For bonus points, his malware also ran checks of MAC addresses against his blocklist as an additional layer.

For those interested in a bit of experimentation and innovation, Guibernau’s talk is well worth a watch.

User Interaction

Bot detection has been a major topic of concern in recent years as companies look to identify what is or is not normal user behavior. Building on this concept, hackers look to see if the user interactions with their malware appear to be carried out by a human.

They look for normal user interactions. These can be actions like moving around and clicking a mouse or typing like a person would be expected to do. It can also look at the system that it is trying to infect to gain clues as to whether it is on a machine that is used by humans. The malware may look for browser history, a collection of files, and other bits of information that will help it to determine if it has made it through to a victim’s OS or if it is in a sandbox.

A well-known case that has been found to perform these checks is the Fin7 malware group that has caused considerable financial damage in recent years. According to reports, their malware looks to see if the user has double clicked to avoid being sent to the sandbox before activating its payload.

Staying a Step Ahead of Sandbox Evasion Techniques

In security, we are in a constant race to stay ahead of our adversaries. As new vulnerabilities are discovered or a malware file is updated to learn new tricks, defenders always need to be quick to find ways to defend their organizations.

For every innovation of the sandbox, there is a dedicated team of malicious developers out there working on ways to escape it and reach their intended target.

But not every aspect of security has to be a cat and mouse game. New technologies like Positive Selection™ technology are empowering organizations to eliminate threats from file-borne malware—without needing a sandbox at all.

Contact us today to learn more about steps that your organization can take to mitigate the threat of malware and ensure that every file that enters your inbox is safe to open.