Virtualization/Sandbox Evasion: System Checks
Other sub-techniques of Virtualization/Sandbox Evasion (3)
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
Procedure Examples |
|
Name | Description |
---|---|
QakBot |
QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.(Citation: Trend Micro Qakbot May 2020)(Citation: ATT QakBot April 2021) |
Denis |
Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.(Citation: Cybereason Cobalt Kitty 2017) |
SodaMaster |
SodaMaster can check for the presence of the Registry key |
Okrum |
Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.(Citation: ESET Okrum July 2019) |
InvisiMole |
InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020) |
Evilnum |
Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. (Citation: ESET EvilNum July 2020) |
Dyre |
Dyre can detect sandbox analysis environments by inspecting the process list and Registry.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015) |
Attor |
Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.(Citation: ESET Attor Oct 2019) |
Bumblebee |
Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.(Citation: Medium Ali Salem Bumblebee April 2022) |
FinFisher |
FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.(Citation: Microsoft FinFisher March 2018) |
Astaroth |
Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.(Citation: Securelist Brazilian Banking Malware July 2020) |
Frankenstein |
Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019) |
SynAck |
SynAck checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018) |
MegaCortex |
MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.(Citation: IBM MegaCortex) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has variants that check a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as |
macOS.OSAMiner |
macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores.(Citation: SentinelLabs reversing run-only applescripts 2021) |
Smoke Loader |
Smoke Loader scans processes to perform anti-VM checks. (Citation: Talos Smoke Loader July 2018) |
GuLoader |
GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
EvilBunny |
EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.(Citation: Cyphort EvilBunny Dec 2014) |
yty |
yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. (Citation: ASERT Donot March 2018) |
Lucifer |
Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.(Citation: Unit 42 Lucifer June 2020) |
GravityRAT |
GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. (Citation: Talos GravityRAT) |
BadPatch |
BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. (Citation: Unit 42 BadPatch Oct 2017) |
PoetRAT |
PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.(Citation: Talos PoetRAT April 2020) |
WastedLocker |
WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.(Citation: NCC Group WastedLocker June 2020) |
OopsIE |
OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query |
UBoatRAT |
UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.(Citation: PaloAlto UBoatRAT Nov 2017) |
WhisperGate |
WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.(Citation: Unit 42 WhisperGate January 2022) |
Saint Bot |
Saint Bot has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Darkhotel |
Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
PlugX |
PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".(Citation: Unit42 PlugX June 2017) |
Shark |
Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.(Citation: ClearSky Siamesekitten August 2021) |
Pupy |
Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.(Citation: GitHub Pupy) |
P8RAT |
P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.(Citation: Securelist APT10 March 2021) |
Grandoreiro |
Grandoreiro can detect VMWare via its I/O port and Virtual PC via the |
ROKRAT |
ROKRAT can check for VMware-related files and DLLs related to sandboxes.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021) |
Remcos |
Remcos searches for Sandboxie and VMware on the system.(Citation: Talos Remcos Aug 2018) |
During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution.(Citation: Talos Frankenstein June 2019) |
|
RogueRobin |
RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019) |
ObliqueRAT |
ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.(Citation: Talos Oblique RAT March 2021) |
NativeZone |
NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.(Citation: MSTIC Nobelium Toolset May 2021) |
Trojan.Karagany |
Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.(Citation: Secureworks Karagany July 2019) |
BLUELIGHT |
BLUELIGHT can check to see if the infected machine has VM tools running.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
Ferocious |
Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function |
SUNBURST |
SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.(Citation: Microsoft Analyzing Solorigate Dec 2020) |
Lazarus Group |
Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.(Citation: ClearSky Lazarus Aug 2020) |
GoldMax |
GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to |
CSPY Downloader |
CSPY Downloader can search loaded modules, PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.(Citation: Cybereason Kimsuky November 2020) |
OilRig |
OilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021) |
Detection
Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
References
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.
- Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021.
- Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
- Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
- Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.