Introduction
Cybercriminals today are finding innovative ways to evade detection by contemporary security tools, and modifying malware code is a common technique used to beat detection. Malware comes in many forms, including ransomware, phishing payloads, cyber-espionage implants, botnets, and zero-day exploits, and it continues to be the top attack vector among cybercriminals.
What is a sandbox?
A sandbox is an isolated environment created by security analysts to get an overview of cyber threats. Sandboxes are a convenient way to execute malicious software in isolation and observe it in order to extract Indicators of Compromise (IoCs), all to improve defenses against various sorts of malicious activity.
This is done by creating behavioral signatures to be used in anti-malware systems. Sandboxes can be virtual machines or physical machines (known as bare-metal sandboxes) that are isolated in order to contain the unwanted side effects of potentially malicious code.
However, given the vast number of software executables that must be analyzed, virtual machines and other system emulators are the more scalable platform for building malware sandboxes.
What are sandbox evasion techniques?
Modern malware has capabilities for identifying and bypassing conventional detection systems, as well as hiding its malicious activity if it detects that it is being run in a sandbox.
When malware is discovered by a sandbox, signatures are created to describe the malware and its behavior, and these signatures are then distributed to anti-malware systems, reducing the number of victims the malware can affect.
To counter this, attackers are continually improving their methods of detecting sandboxes so that the malware doesn’t reveal its malicious behavior while under observation. Some of these techniques are listed below:
Device-based evasion: one common method used by malware to detect a sandbox environment is checking for ‘Red Pills,’ static values that differ between physical hardware and an emulator. Since many sandboxes run on virtual machines, malware often checks for virtual machine-specific system properties, such as system addresses, serial numbers, device drivers, and system modules. If these properties differ from what a physical machine would report, the malware can easily detect the sandbox and evade detection.
However, advanced sandboxes try to overcome this by presenting realistic values for these properties. This makes it harder for malware to evade detection, but there is still a chance that malware can slip through by analyzing runtime behavior. For example, some code sequences behave differently on a bare-metal machine than on an emulator.
Environment-based evasion: here the sandboxes use bare-metal devices instead of virtual machines or emulators. This eliminates the possibility of detecting emulation, but it doesn’t guarantee that the environment has been prepared to look genuine. If a sandbox environment appears too immaculate, with little user activity or unrealistic hardware and software values, malware can use this difference to evade detection and even determine the true age of the system.
User-based evasion: this is another evasion technique, in which the malware looks for signs of user interaction. Unusual or absent user interaction is often interpreted as a fictitious setup, i.e. the malware concludes that it is operating in a sandbox. Common indicators that the malware might look for in terms of normal user interaction are scrolling time, scrolling activity, multiple mouse clicks, or other hints that the machine is used by genuine operators, such as browsing history, system information, activity logs, etc.
Debugger evasion: debuggers are used by security teams to trace and analyze the execution of malware payloads. When adversaries detect a debugger, they alter the malware’s behavior to hide the core functions of the implant. Malware developers also use anti-debugging mechanisms to frustrate code examination on the Windows operating system.
They may also search for debugger artifacts before executing additional payloads.
Timing-based evasion: although a sandbox is a fast and effective way to detect malware, the analysis system can only spend a limited time running each sample and testing it for malicious behavior.
Timing-based evasion exploits this by manipulating time (for example, through delayed execution) so that the payload is not launched while the sample is being analyzed.
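The evasion techniques listed above all leave traces in the API-call log a sandbox records, so an analyst can score a trace for evasion attempts even when the sample itself stayed quiet. The following is an added example written for this article, not Group-IB code: it parses a constructed trace (the line format, API names, thresholds and every sample line are assumptions) and reports device-based, debugger, user-interaction and timing indicators, including the case where the sandbox skipped a long Sleep but left the tick counter consistent with only a second passing, which is the kind of runtime discrepancy the text warns about.

```python
"""Heuristic review of a sandbox API-call trace for evasion indicators.

Added example for this article; it is not Group-IB code. The trace format
(one call per line: "<seconds> <pid> <Api>(<args>) -> <return>") and every
sample line below are constructed to resemble a dynamic-analysis log.
"""
import re
from collections import defaultdict

# Constructed trace of one sample. Note the Sleep: trace time barely moves
# because the sandbox skipped it, but the tick counter read afterwards only
# advanced ~1 s, which the sample can compare against the 300 s it requested.
SAMPLE_TRACE = r"""
0.010 1337 RegOpenKeyExW("HKLM\HARDWARE\DESCRIPTION\System")
0.012 1337 RegQueryValueExW("SystemBiosVersion") -> "VBOX   - 1"
0.015 1337 IsDebuggerPresent() -> 0
0.020 1337 GetCursorPos() -> (512, 384)
0.520 1337 GetCursorPos() -> (512, 384)
1.020 1337 GetCursorPos() -> (512, 384)
1.521 1337 GetCursorPos() -> (512, 384)
1.530 1337 GetTickCount() -> 84211
1.531 1337 Sleep(300000)
1.532 1337 GetTickCount() -> 85211
1.540 1337 GetLastInputInfo() -> 0
1.545 1337 ExitProcess(0)
"""

LINE_RE = re.compile(
    r'^(?P<t>\d+\.\d+)\s+(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>[^)]*)\)'
    r'(?:\s*->\s*(?P<ret>.*))?$'
)

# Assumed indicator lists; extend them from your own sandbox's API coverage.
REGISTRY_APIS = {"RegOpenKeyExW", "RegOpenKeyExA", "RegQueryValueExW", "RegQueryValueExA"}
HW_KEYS = ("hardware\\description", "systembiosversion", "systemmanufacturer", "videobiosversion")
VM_MARKERS = ("vbox", "virtualbox", "innotek", "vmware", "qemu", "xen", "hyper-v")
DEBUG_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "NtQueryInformationProcess", "OutputDebugStringA", "OutputDebugStringW"}
INPUT_APIS = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState", "GetForegroundWindow"}
SLEEP_BUDGET_MS = 60_000  # assumed per-sample analysis budget


def parse_trace(text):
    """Turn the textual trace into a list of call dicts; unparseable lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append({"t": float(m["t"]), "api": m["api"],
                          "args": m["args"], "ret": m["ret"] or ""})
    return calls


def scan_trace(text):
    """Return {category: [evidence, ...]} for the evasion categories seen in the trace."""
    findings = defaultdict(list)
    cursor_samples = []
    sleep_total_ms = 0
    last_tick = None
    pending_sleep = None  # (requested_ms, tick_before_sleep)
    for c in parse_trace(text):
        api, args, ret = c["api"], c["args"], c["ret"]
        blob = (args + " " + ret).lower()
        if api in REGISTRY_APIS and any(k in blob for k in HW_KEYS):
            findings["device"].append(f"{api}({args}) reads hardware identity")
        if any(v in ret.lower() for v in VM_MARKERS):
            findings["device"].append(f"{api} returned a hypervisor marker: {ret}")
        if api in DEBUG_APIS:
            findings["debugger"].append(f"{api} at {c['t']:.3f}s")
        if api == "GetCursorPos":
            cursor_samples.append(ret)
        elif api in INPUT_APIS:
            findings["user"].append(f"{api} at {c['t']:.3f}s")
        if api == "GetTickCount" and ret.isdigit():
            tick = int(ret)
            if pending_sleep is not None:
                requested, before = pending_sleep
                if tick - before < requested:
                    findings["timing"].append(
                        f"sleep of {requested} ms was shortened: tick counter advanced "
                        f"only {tick - before} ms, which the sample can notice")
                pending_sleep = None
            last_tick = tick
        elif api == "Sleep":
            ms = int(args) if args.isdigit() else 0
            sleep_total_ms += ms
            if last_tick is not None:
                pending_sleep = (ms, last_tick)
    if len(cursor_samples) >= 3 and len(set(cursor_samples)) == 1:
        findings["user"].append(f"cursor polled {len(cursor_samples)} times and never moved")
    if sleep_total_ms >= SLEEP_BUDGET_MS:
        findings["timing"].append(
            f"requested {sleep_total_ms} ms of sleep against a {SLEEP_BUDGET_MS} ms budget")
    return dict(findings)


if __name__ == "__main__":
    for category, evidence in scan_trace(SAMPLE_TRACE).items():
        print(f"[{category}]")
        for line in evidence:
            print("  -", line)
```

The tick-counter check is the part worth copying: skipping sleeps buys analysis time, but if the guest's clock sources are not advanced to match, the skip itself becomes a Red Pill, so the audit flags a Sleep whose surrounding GetTickCount values disagree with the requested delay.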
The history of sandbox evasion
The concept of sandboxes originated more than two decades ago to help run malicious code in isolated environments and understand the indicators of compromise without the fear of other systems being corrupted. That said, the history of evasion techniques invented to bypass these security environments began around the same time. The first malware that bypassed sandbox protection appeared in the 1980s.
The malware partially encrypted its own code, making the content unretrievable by security experts. Since then, the underground market for evasion technology has grown, and cybercriminals have developed hundreds of evasion techniques, along with several malware families based on them.
Here’s a brief timeline of how evasion techniques grew more advanced from the 2000s to the present:
The limitations of sandbox malware analysis
While sandboxes have learned to detect most of the known evasion techniques, the challenge often presents itself when new malware is released into the real world, or when advanced malware is designed to evade detection and intrude into a network. Previously unseen code might not be flagged unless organizations have a threat monitoring system in place to detect suspicious or anomalous activity in the network and alert the security teams.
Another problem with traditional sandbox environments is that they are not always effective in detecting exploits (zero-day exploits in particular) that have not been identified previously. This is primarily because the behavior analysis of such exploits is complicated and hard to replicate in a controlled and isolated environment.
Sandbox malware analysis can also prove inadequate for analyzing malware behavior because of time and resource constraints. There is only limited time to run the malware and let its execution routine complete, which leads to incomplete analysis.
As threat actors constantly improve malware to beat detection techniques, and may use multiple methods concurrently, sandboxes must adapt to these emerging challenges and be designed to imitate a real-world environment as closely as possible (simulating user interactions, adding real-environment and hardware artifacts, applying machine learning algorithms). This prevents malware developers from evading detection and helps security teams collect insights and IoCs.
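Imitating a real-world environment is easier to verify than to describe, so a sandbox operator can audit a guest inventory for the “too immaculate” traits the text names before trusting the verdicts it produces. The following is an added example written for this article, not Group-IB code: it checks a snapshot of a guest (the snapshot keys, both constructed guests, the generic-hostname pattern and every threshold are assumptions) for a fresh uptime, missing user history, minimal resources and hypervisor-branded hardware.

```python
"""Realism audit of a sandbox guest, run from the analyst's side.

Added example for this article; not Group-IB code. It inspects an inventory
snapshot of the guest (a plain dict; keys, thresholds and both constructed
snapshots are assumptions) for traits that make a sandbox look artificial.
"""
import re

# Publicly registered OUI prefixes used by common hypervisors for guest NICs.
HYPERVISOR_OUIS = {
    "08:00:27": "VirtualBox",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM",
}
# Assumed pattern for hostnames that advertise their purpose.
GENERIC_HOSTNAME = re.compile(r"(sandbox|analysis|malware|test|vm)", re.I)

# Assumed minimums for a guest that should pass as a used workstation.
MIN_UPTIME_S = 3600
MIN_CPUS = 2
MIN_RAM_GB = 4
MIN_PROCESSES = 40
MIN_RECENT_DOCS = 5
MIN_HISTORY_ENTRIES = 50
MIN_SCREEN = (1024, 768)

# Constructed snapshot of a freshly provisioned, never-used guest.
STERILE_GUEST = {
    "hostname": "SANDBOX-01",
    "mac": "08:00:27:4a:1b:9c",
    "uptime_seconds": 95,
    "cpu_count": 1,
    "ram_gb": 2,
    "process_count": 24,
    "recent_documents": 0,
    "browser_history_entries": 0,
    "screen": (800, 600),
}

# Constructed snapshot of a guest seeded with realistic activity and hardware.
SEASONED_GUEST = {
    "hostname": "DESKTOP-7KQ2M1P",
    "mac": "3c:52:82:11:22:33",
    "uptime_seconds": 3 * 24 * 3600,
    "cpu_count": 4,
    "ram_gb": 8,
    "process_count": 96,
    "recent_documents": 41,
    "browser_history_entries": 1200,
    "screen": (1920, 1080),
}


def audit_guest(snap):
    """Return a list of realism problems found in the snapshot (empty means it passes)."""
    problems = []
    if GENERIC_HOSTNAME.search(snap["hostname"]):
        problems.append(f"hostname {snap['hostname']!r} advertises an analysis system")
    vendor = HYPERVISOR_OUIS.get(snap["mac"].lower()[:8])
    if vendor:
        problems.append(f"MAC prefix belongs to {vendor}; assign a non-hypervisor OUI")
    if snap["uptime_seconds"] < MIN_UPTIME_S:
        problems.append(f"uptime {snap['uptime_seconds']} s looks freshly booted")
    if snap["cpu_count"] < MIN_CPUS:
        problems.append(f"only {snap['cpu_count']} CPU(s); real workstations have more")
    if snap["ram_gb"] < MIN_RAM_GB:
        problems.append(f"only {snap['ram_gb']} GB RAM")
    if snap["process_count"] < MIN_PROCESSES:
        problems.append(f"only {snap['process_count']} processes; no user workload running")
    if snap["recent_documents"] < MIN_RECENT_DOCS:
        problems.append("almost no recently opened documents")
    if snap["browser_history_entries"] < MIN_HISTORY_ENTRIES:
        problems.append("browser history is empty or near-empty")
    width, height = snap["screen"]
    if width < MIN_SCREEN[0] or height < MIN_SCREEN[1]:
        problems.append(f"screen {width}x{height} is smaller than a typical desktop")
    return problems


def is_convincing(snap):
    """True when the guest shows none of the artificial traits above."""
    return not audit_guest(snap)


if __name__ == "__main__":
    for name, guest in (("sterile", STERILE_GUEST), ("seasoned", SEASONED_GUEST)):
        print(f"{name}: convincing={is_convincing(guest)}")
        for p in audit_guest(guest):
            print("  -", p)
```

Feeding the audit from a real inventory (a WMI or systeminfo dump on Windows, for instance) turns the text's checklist into a regression test that runs every time a golden image is rebuilt, so a hardening step that quietly regresses is caught before a sample exploits it.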
How to defend against malware with advanced sandboxing?
As newer malware becomes harder to detect and more robust at beating traditional security systems, a sandbox has become a crucial part of an organization’s security toolset. However, in-house sandbox solutions require time and resources to run in an independent testing environment. Also, when it comes to implementing a sandbox, organizations need one that is well equipped to detect real-world threats, not just one that performs well in simulated situations.
An alternative, more thorough approach is to offload sandbox security operations to security experts and deploy third-party solutions that offer malware detonation, from known malware to advanced malware with anti-evasion traits.
Group-IB Managed Extended Detection & Response (MXDR) offers a malware detonation platform, as one of its modules, that runs suspicious files and links in sandbox environments for extensive analysis, threat detection, IoC extraction, and attack attribution. The behavioral analysis sandbox offers features designed to catch anti-sandbox code that often bypasses detection by legacy sandboxes.
Additionally, when it comes to securing your business email, which often serves as the number-one threat vector, the Business Email Protection (BEP) solution focuses on mitigating malware distributed by email by recursively analyzing suspicious URLs, attachments, and objects that can change state over time, to discover hidden threats that other solutions miss.
Get in touch with our experts to know more about our next-gen solutions and gain security-building insights on choosing a sandbox and avoiding common testing mistakes.