Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Virtualization/Sandbox Evasion
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Virtualization/Sandbox Evasion
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Virtualization/Sandbox Evasion

ID Name
.001 System Checks
.002 User Activity Based Checks
.003 Time Based Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)

ID: T1497
Sub-techniques:  .001 .002 .003
Tactic(s): Defense Evasion, Discovery
Platforms: Linux, Windows, macOS
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Version: 1.4
Created: 17 Apr 2019
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
Bumblebee

Bumblebee has the ability to perform anti-virtualization checks.(Citation: Proofpoint Bumblebee April 2022)
Squirrelwaffle

Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)
Raspberry Robin

Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.(Citation: TrendMicro RaspberryRobin 2022)
IcedID

IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic.(Citation: Trendmicro_IcedID)
Lucifer

Lucifer can crash a debugger by passing a format string to OutputDebugStringA().(Citation: Unit 42 Lucifer June 2020)
Pteranodon

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.(Citation: Unit 42 Gamaredon February 2022)
Bisonal

Bisonal can check to determine if the compromised system is running on VMware.(Citation: Talos Bisonal Mar 2020)
Agent Tesla

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.(Citation: Malwarebytes Agent Tesla April 2020)
Metamorfo

Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.(Citation: Medium Metamorfo Apr 2020)

Black Basta

Black Basta can make a random number of calls to the `kernel32.beep` function to hinder log analysis.(Citation: Check Point Black Basta October 2022)
StoneDrill

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.(Citation: Kaspersky StoneDrill 2017)

RTM

RTM can detect if it is running within a sandbox or other virtualized analysis environment.(Citation: Unit42 Redaman January 2019)

StrelaStealer

StrelaStealer payloads have used control flow obfuscation techniques such as excessively long code blocks of mathematical instructions to defeat sandboxing and related analysis methods.(Citation: PaloAlto StrelaStealer 2024)(Citation: Fortgale StrelaStealer 2023)
Bazar

Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.(Citation: Cybereason Bazar July 2020)
XLoader

XLoader can utilize decoy command and control domains within the malware configuration to circumvent sandbox analysis.(Citation: ANY.RUN XLoader 2023)(Citation: CheckPoint XLoader 2022)
Carberp

Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.(Citation: ESET Carberp March 2012)
Egregor

Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.(Citation: Cyble Egregor Oct 2020)(Citation: NHS Digital Egregor Nov 2020)

CHOPSTICK

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.(Citation: FireEye APT28)
CozyCar

Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.(Citation: F-Secure CozyDuke)
Kevin

Kevin can sleep for a time interval between C2 communication attempts.(Citation: Kaspersky Lyceum October 2021)
Hancitor

Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.(Citation: FireEye Hancitor)
Gelsemium

Gelsemium can use junk code to generate random activity to obscure malware behavior.(Citation: ESET Gelsemium June 2021)
Darkhotel

Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015)
Saint Bear

Saint Bear contains several anti-analysis and anti-virtualization checks.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Detection

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References

  1. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  2. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  3. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
  4. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  5. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  6. Falcone, R., Wartell, R.. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.
  7. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  8. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
  9. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  10. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  11. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  12. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  13. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  14. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  15. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  16. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  17. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  18. ANY.RUN. (2023, February 28). XLoader/FormBook: Encryption Analysis and Malware Decryption . Retrieved March 11, 2025.
  19. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  20. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  21. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  22. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  23. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
  24. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  25. Alexey Bukhteyev & Raman Ladutska, Check Point Research. (2022, May 31). XLoader Botnet: Find Me If You Can. Retrieved March 11, 2025.
  26. Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  27. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  28. Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You’re in a Black Hole, Stop Digging. Retrieved July 15, 2020.
  29. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  30. Fortgale. (2023, September 18). StrelaStealer Malware Analysis. Retrieved December 31, 2024.
  31. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.