How can Advanced Sandboxing Techniques Thwart Elusive Malware?
by Moony Li and Jerry Liu (Trend Micro Engineer-Developers)
Sandboxes are mechanisms many traditional security solutions often employ as part of an endpoint or network’s last lines of defense. Like what its namesake says, sandboxes are where malware or suspicious files are given the controlled, virtualized environment to play around in (read: execute their routines). Their observed behaviors are then analyzed; sandboxes typically use patterns of existing behaviors and routines to determine if the files are malicious or not. They can help ensure an endpoint’s security, isolating untrusted files that could’ve otherwise caused damage to the system’s actual infrastructure.
But what if the malware happens to find a gap through which it can escape the sandbox? What if it’s self-aware, capable of knowing it’s in a sandbox? What if it pretends to be benign, to prevent rousing suspicion?
Here is a rundown of notable malware and their modus operandi of eluding traditional security technologies, how they take the path of least resistance, and how they can be addressed with advanced sandboxing techniques:
Notable Sandbox-evading Malware
The evolution of Locky ransomware (detected by Trend Micro as RANSOM_LOCKY family) is a classic example. It is notorious for using a variety of methods to infect systems—as an encrypted DLL, Windows Script File, and socially-engineered attachments in spam emails (documents embedded with malicious macro, .RAR, JavaScript, and VBScript), or through exploit kits like those that integrated a previous Flash zero-day.
In 2016, Locky's use of kernel exploits made it notable. The middleman in the attack chain is a downloader Trojan (TROJ_LOCKY.DLDRA) that exploits a local privilege escalation flaw (CVE-2015-1701, patched May 12, 2015) and masquerades as a system process to avoid sandbox detection. By exploiting the security flaw, attackers can leverage mechanisms in the vulnerable system’s kernel (work-items, system threads, and asynchronous procedure calls) to connect to a command and control server (C&C) in order to download the ransomware. In effect, the malware can be installed without creating files on the affected machine. This technique is often employed on top of a then-zero-day attack (CVE-2016-1019, patched April 5, 2016) uncovered in the Magnitude exploit kit.
Newer families of ransomware were also progressively designed to be aware if they’re running on a virtual machine (VM) or similar ecosystems like a sandbox. Variants of Locky, for instance, use malicious, obfuscated layers of JavaScript to download and execute packed DLLs containing anti-VM and environment detection codes. KeRanger (OSX_KERANGER), found in modified file-sharing applications and malicious Mach-O files, is coded to sleep for three days within the affected system before executing its encryption routine.
Shamoon/Disttrack (WORM_DISTTRACK family), whose emergence dated as far back as 2012, is typically used in targeted attacks mainly against high-profile organizations in the Middle East. It wipes the system’s Master Boot Record (MBR), and renders endpoints and servers connected to the targeted organization’s domain unbootable. Upon its reemergence in December 2016, Shamoon sported a sandbox-evading technique—including a logic bomb within its code. It activates and drops its malicious components at a certain date and time, which are hardcoded within the malware.
Sandbox Evasion via Fileless Malware
For fileless infection, less is more. How? These kinds of attacks don’t involve actual files, or even downloading and writing one to a computer’s disk. Malicious payloads are typically executed in the system’s memory. The lack of actual files to analyze significantly reduces an attack’s footprint, especially against traditional sandboxes.
By following the path of least resistance—in this case the system’s memory or registry—fileless attacks are increasingly becoming a staple technique for cybercriminals. Threats such as various iterations of enterprise-targeting Trojans and point-of-sale (PoS) malware have been delivered this way. Cyberespionage malware Duqu 2.0, for instance, was noted for its use of malicious modules executed within the infected system’s memory. Its attack chain entailed the abuse of a penetration testing tool (Metasploit) to steal an affected computer’s system password from memory, in order to escalate their privileges in the system.
Fileless attacks are also known to use scripts and system utilities as attack vectors. VBA script (Visual Basic for Applications), along with JavaScript (.JS), and the occasional HTML Application (.HTA), Publisher (.PUB), and Compiled HTML (.CHM) files, is commonly used in fileless attacks. System utilities like PowerShell, Command Prompt, and .Net Framework are also abused and leveraged.
Here is how different kinds of fileless attacks (executed in memory) are employed depending on the bad guy’s evasion tactic, and how traditional sandboxes typically work:
Evasion Tactic | Fileless Attacks |
How Traditional Sandbox Works | ||
Bypass file scanning | No file involved | Scan files on demand | ||
Interfere with behavior correlation | Use Script or cmd under the guise of a system process | System API-level hook | ||
Bypass sandbox | Time delay (i.e. creating a scheduled task) | Monitor within a restricted time | ||
Anti-forensics | Infection traces in memory is volatile |
An Advanced, Custom Sandbox
As sandbox-evading techniques in malware become more common, it is equally important that sandboxes can be customized in a way that can reflect a system’s actual environment (including software configurations) as accurately as possible. This helps better simulate how certain suspicious files, such as kernel exploits, can affect the system. A sandbox capable of analyzing the multifaceted behaviors and routines in a malware—from scripts, shellcode, to payload—can help further identify obfuscation and evasion tactics that may be overlooked in a regular sandbox.
Anti-VM codes within malware are typically kept packed, and are only unpacked during execution. This can be mitigated by a sandbox capable of searching and verifying traces of code written to evade sandbox analysis at runtime.
Most sandboxes often only check system APIs (Application Program Interface), which can be bypassed by fileless attacks through the use and abuse of scripts and system utilities. These can be mitigated by a sandbox with high-level system monitoring, which checks for malicious communication beyond the machine’s system APIs.
Traditional sandboxes rely mostly on dynamic analysis—understanding how malware behaves within its environment by emulating and executing its binaries. Malware, like the CrypMIC (RANSOM_CRYPMIC) and Cerber (RANSOM_CERBER) ransomware, evade sandbox analysis by using CPUID-based instructions in order to check if it’s run on a virtual machine.
Trend Micro’s sandbox, which can be tailored to better match an actual system’s configurations, has more forensic capabilities by bridging dynamic analysis with the benefits of static analysis. Various components of a file are dissected and reverse-engineered, which helps achieve a better detection rate of a file’s malicious routines and behaviors. The time bomb within Shamoon, for instance, can be detected via static analysis by checking the date in the binary. Dynamic analysis of the payload can then identify its behaviors under certain systems. Another example would be the use of shellcode and abuse of Component Object Model (COM) to embed malicious commands within a process, which could’ve been missed by behavioral analysis.
Trend Micro’s custom sandbox integrated in Deep Discovery™ (via Deep Discovery Analyzer) as well as Deep Security™ and and OfficeScan™ can intercept APIs—protocols/routines that specify how software components communicate—and check for code strings meant to execute a malware’s evasion technique. It can dynamically trace, control, and analyze the semantics of these instructions in order to find the evasion logic within them. These instructions can be further enumerated into possible program execution paths. Each can then be analyzed for suspicious or malicious behavior, including one that commands the malware to sleep for a duration of time before executing.
Indeed, today’s threat landscape is like an arms race. As cybersecurity evolves, so will cybercriminals. They are projected to further adapt and grow more seasoned, enabling themselves to sophisticate their tactics, techniques and procedures. Malware are weaponized with different tacks that can evade traditional security solutions. As we’ve seen in 2016, we’ve already seen a shift toward how they are deployed—stealthier behaviors, and bigger attack vectors, as well as exploit and infection chains. We also predict that these sandbox evasion techniques will broaden in malicious PE files (Portable Executable), but also for script files (.JS, .VBS, .VBA, PowerShell, etc.).
And while sandboxes can be particularly effective against unknown threats and zero-day exploits, a sandbox is not a silver bullet. It should be considered as something that complements a multilayered, cross-generational approach to securing the system—from the gateway and server to the network and its endpoints.Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.