Malware analysts typically run untrusted programs in isolated environments such as sandboxes or virtual machines (VMs). Security products do the same: they detonate potentially harmful files for dynamic malware analysis before allowing them onto the organization's network. The analysis reveals the TTPs (Tactics, Techniques, and Procedures) the malware uses and its IOCs (Indicators of Compromise), and those TTPs and IOCs are then used to detect the malware elsewhere.
Adversaries employ a variety of "anti-sandbox" or "anti-VM" techniques to detect and evade these environments. The techniques typically look for the telltale traits of an analysis environment: either characteristics of the system itself (for example, a MAC address from a VM vendor's OUI range) or the absence of the artifacts an ordinary user leaves behind (for example, an empty browser history). When a check fires, the sample exits, idles, or takes a benign code path, so the sandbox records nothing of interest and the verdict comes back clean.
Sub-technique 1: T1497.001 System Checks
Virtual machine (VM) software is designed to mimic physical hardware, but it inevitably leaves artifacts that reveal the machine is virtual rather than physical: vendor strings in the BIOS and device names, hypervisor-specific drivers and services, and vendor-assigned MAC address prefixes. Attackers take advantage of these side effects of the VM's design and program their malware to scan the system for such indicators before doing anything malicious.
In a malware analysis environment, security controls and malware analysts typically run many virtual machines, because they need VMs covering different operating system and software versions. Giving every VM generous resources (memory, storage, and CPU) drives costs up, so analysts often build VMs with fewer resources than a real workstation has. Adversaries exploit this practice to profile the environment: the following system resources are checked to gain insight into whether the host is an analysis VM.
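The following is an added example, not code from the original post: it performs the artifact checks described above (the hypervisor MAC-address prefix from the introduction and the starved-resource checks from this section) as an audit an analyst can run inside a sandbox VM to see which of a sample's checks it would trip. The OUI table and the resource thresholds are assumptions chosen for this example; real samples use their own limits.

```python
"""Added example (not code from the original post): the artifact checks a
T1497.001 sample performs, turned into an audit an analyst can run inside
a sandbox VM. The OUI table and the resource thresholds are assumptions."""
import os
import shutil
import uuid

# MAC address prefixes (OUIs) registered to common hypervisor vendors.
# Table constructed for this example; extend it from the IEEE OUI registry.
VM_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM",
}

# Resource floors below which a sample would assume a starved analysis VM.
# Assumed thresholds for this example; real samples vary.
MIN_CPUS = 2
MIN_RAM_GB = 4
MIN_DISK_GB = 60


def mac_vendor(mac):
    """Return the hypervisor vendor owning the MAC's OUI, or None."""
    return VM_OUIS.get(mac.lower().replace("-", ":")[:8])


def resource_flags(cpus, ram_gb, disk_gb):
    """Pure scoring logic: which resource checks a sample would trip."""
    flags = []
    if cpus is not None and cpus < MIN_CPUS:
        flags.append(f"cpus={cpus}<{MIN_CPUS}")
    if ram_gb is not None and ram_gb < MIN_RAM_GB:
        flags.append(f"ram_gb={ram_gb:.1f}<{MIN_RAM_GB}")
    if disk_gb is not None and disk_gb < MIN_DISK_GB:
        flags.append(f"disk_gb={disk_gb:.1f}<{MIN_DISK_GB}")
    return flags


def host_ram_gb():
    """Physical RAM in GiB: GlobalMemoryStatusEx on Windows, sysconf elsewhere."""
    if os.name == "nt":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [("dwLength", ctypes.c_ulong), ("dwMemoryLoad", ctypes.c_ulong)] + [
                (name, ctypes.c_ulonglong) for name in (
                    "ullTotalPhys", "ullAvailPhys", "ullTotalPageFile", "ullAvailPageFile",
                    "ullTotalVirtual", "ullAvailVirtual", "ullAvailExtendedVirtual")]

        status = MEMORYSTATUSEX()
        status.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(status))
        return status.ullTotalPhys / 2**30
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (ValueError, OSError, AttributeError):
        return None


def host_mac():
    """Primary MAC as aa:bb:cc:dd:ee:ff, or None if uuid.getnode() had to fake one."""
    node = uuid.getnode()
    if node & (1 << 40):  # multicast bit set: getnode() returned a random fallback
        return None
    return ":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))


def audit_host(root="C:\\" if os.name == "nt" else "/"):
    """Collect the same facts a sample would and report what it would flag."""
    cpus = os.cpu_count()
    ram_gb = host_ram_gb()
    disk_gb = shutil.disk_usage(root).total / 2**30
    mac = host_mac()
    vendor = mac_vendor(mac) if mac else None
    flags = resource_flags(cpus, ram_gb, disk_gb)
    if vendor:
        flags.append(f"mac_oui={mac[:8]}:{vendor}")
    return {"cpus": cpus, "ram_gb": ram_gb, "disk_gb": disk_gb,
            "mac": mac, "flags": flags, "looks_virtual": bool(flags)}


if __name__ == "__main__":
    for key, value in audit_host().items():
        print(f"{key}: {value}")
```

Run it inside the analysis VM: every entry in `flags` is a check a sample could use to spot the environment, and each is cheap to fix on the analyst side (give the VM more cores, memory and disk than a bargain laptop, and set a MAC address outside the hypervisor vendor's OUI range).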
Sub-technique 2: T1497.003 Time Based Evasion
Malware developers widely use the Windows API function GetTickCount() to measure uptime. GetTickCount() returns the number of milliseconds elapsed since Windows started, so a sample can quickly determine how long ago the machine booted: a sandbox VM is usually restored from a snapshot and detonated within minutes, whereas a real workstation has typically been up for hours or days. The same counter is also read before and after a Sleep() call; if far less time has elapsed than was requested, the sandbox has fast-forwarded the sleep, which itself betrays the analysis environment. Samples that want finer resolution read the CPU's time stamp counter (RDTSC) instead, and compare it with the other clocks to catch a sandbox that patches only one of them. (GetTickCount() wraps after about 49.7 days; GetTickCount64() does not.)
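As an added example (not code from the original post), here are the two timing checks a T1497.003 sample builds on GetTickCount(): the fresh-boot check and the sleep-integrity check. On Windows it calls GetTickCount64 through ctypes; elsewhere it reads the equivalent boot-relative clock from /proc/uptime (or a monotonic clock as a last resort), so the logic also runs on an analyst's Linux box. The ten-minute uptime floor and the 90% tolerance are assumed values for this example.

```python
"""Added example, not code from the original post: the two timing checks
a T1497.003 sample builds on GetTickCount(). Thresholds are assumptions."""
import os
import time


def tick_count_ms():
    """Milliseconds since boot: GetTickCount64() on Windows, /proc/uptime on
    Linux, otherwise a monotonic clock (steady, but not boot-relative)."""
    if os.name == "nt":
        import ctypes
        kernel32 = ctypes.windll.kernel32
        kernel32.GetTickCount64.restype = ctypes.c_ulonglong
        return int(kernel32.GetTickCount64())
    try:
        with open("/proc/uptime") as fh:
            return int(float(fh.read().split()[0]) * 1000)
    except OSError:
        return int(time.monotonic() * 1000)


def uptime_looks_fresh(ticks_ms, min_minutes=10):
    """A sample treats a box that booted only minutes ago as a throwaway VM.
    The ten-minute floor is an assumed value for this example."""
    return ticks_ms < min_minutes * 60 * 1000


def sleep_was_skipped(requested_ms, elapsed_ms, tolerance=0.9):
    """True when far less time passed than Sleep() asked for, i.e. the
    sandbox fast-forwarded or patched the call. The tolerance absorbs the
    10-16 ms granularity of GetTickCount() itself."""
    return elapsed_ms < requested_ms * tolerance


def check_sleep(requested_ms=200):
    """Sleep, measure with the tick clock, and report both readings."""
    before = tick_count_ms()
    time.sleep(requested_ms / 1000)
    elapsed = tick_count_ms() - before
    return {"requested_ms": requested_ms, "elapsed_ms": elapsed,
            "skipped": sleep_was_skipped(requested_ms, elapsed)}


def timing_verdict(sleep_ms=200):
    """Run both checks the way a sample would and say whether it would bail."""
    ticks = tick_count_ms()
    sleep = check_sleep(sleep_ms)
    fresh = uptime_looks_fresh(ticks)
    return {"uptime_ms": ticks, "fresh_boot": fresh, "sleep": sleep,
            "would_evade": fresh or sleep["skipped"]}


if __name__ == "__main__":
    print(timing_verdict())
```

The analyst-side lesson is that a sandbox which accelerates Sleep() must move every clock source the sample can reach (GetTickCount, QueryPerformanceCounter, RDTSC, file and registry timestamps) by the same amount, and should let the VM age past the obvious fresh-boot window before detonation.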

Adversaries also postpone their malicious actions in order to outlast sandbox or virtual machine environments, which typically run a sample for only a few minutes. They commonly use the operating system's built-in commands and API functions (Sleep(), timers, scheduled tasks, or commands such as timeout and ping) to set a delay and wait before executing the payload.
Execution can also be delayed by loops and otherwise pointless repetitions of commands, such as a long series of pings, which may exceed the time limit of an automated analysis environment. The following command, for instance, was utilized by the REvil ransomware to delay execution.
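From the detection side, the added example below (not code from the original post, and not taken from REvil) scans process-creation command lines for the stalling idioms just described: ping loops, timeout, choice, Start-Sleep, and oversized for /L loops. It estimates the stall each one buys and flags the lines that exceed a threshold. The command lines and the 60-second and 10,000-iteration thresholds are constructed for the example.

```python
"""Added example, not code from the original post: flag process command
lines that stall execution with ping loops, timeout, choice, Start-Sleep
or a huge for /L loop, and estimate the stall. Sample lines are constructed
and not taken from REvil or any real capture; thresholds are assumptions."""
import re

# Constructed sample process-creation command lines for the example.
SAMPLE_CMDLINES = [
    r'cmd.exe /c ping 127.0.0.1 -n 300 > nul & del C:\Users\Public\stage1.exe',
    r'cmd.exe /c timeout /t 900 /nobreak & start C:\Users\Public\payload.exe',
    r'powershell.exe -nop -w hidden -c "Start-Sleep -Seconds 600; IEX $c"',
    r'ping 8.8.8.8 -n 2',
    r'cmd.exe /c choice /t 120 /d y /n > nul & rundll32 C:\Temp\x.dll,Run',
    r'cmd.exe /c "for /l %i in (1,1,500000) do @echo %i >nul" & C:\Users\Public\p.exe',
    r'C:\Windows\System32\svchost.exe -k netsvcs',
]

# (label, regex capturing the count, seconds per unit). ping -n N against a
# responding host waits about one second between requests, so N is a fair
# estimate of the stall in seconds.
DELAY_PATTERNS = [
    ("ping -n", re.compile(r"\bping(?:\.exe)?\b[^&|]*?-n\s+(\d+)", re.I), 1.0),
    ("timeout /t", re.compile(r"\btimeout(?:\.exe)?\s+(?:/t\s+)?(\d+)", re.I), 1.0),
    ("choice /t", re.compile(r"\bchoice(?:\.exe)?\b[^&|]*?/t\s+(\d+)", re.I), 1.0),
    ("Start-Sleep -s", re.compile(r"Start-Sleep\s+(?:-s(?:econds)?\s+)?(\d+)", re.I), 1.0),
    ("Start-Sleep -m", re.compile(r"Start-Sleep\s+-m(?:illiseconds)?\s+(\d+)", re.I), 0.001),
]

# cmd.exe syntax is: for /L %var in (start,step,end) do ...
FOR_L_LOOP = re.compile(
    r"\bfor\s+/l\s+%%?\w+\s+in\s*\(\s*(-?\d+)\s*,\s*(-?\d+)\s*,\s*(-?\d+)\s*\)", re.I)


def estimated_delay_seconds(cmdline):
    """Sum the explicit waits found in one command line (0.0 if none)."""
    total = 0.0
    for _, pattern, seconds_per_unit in DELAY_PATTERNS:
        for match in pattern.finditer(cmdline):
            total += int(match.group(1)) * seconds_per_unit
    return total


def loop_iterations(cmdline):
    """Iteration count of the largest for /L loop in the line, or 0."""
    biggest = 0
    for start, step, end in FOR_L_LOOP.findall(cmdline):
        start, step, end = int(start), int(step), int(end)
        if step == 0:
            continue
        biggest = max(biggest, max(0, (end - start) // step + 1))
    return biggest


def find_delay_stalls(cmdlines, min_seconds=60, min_iterations=10000):
    """Return the command lines whose stall exceeds the thresholds, with reasons."""
    hits = []
    for cmdline in cmdlines:
        delay = estimated_delay_seconds(cmdline)
        loops = loop_iterations(cmdline)
        reasons = []
        if delay >= min_seconds:
            reasons.append(f"explicit wait ~{delay:.0f}s")
        if loops >= min_iterations:
            reasons.append(f"for /L loop of {loops} iterations")
        if reasons:
            hits.append({"cmdline": cmdline, "delay_s": delay,
                         "loop_iterations": loops, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_delay_stalls(SAMPLE_CMDLINES):
        print("; ".join(hit["reasons"]), "<-", hit["cmdline"])
```

Feed it the command-line field of Sysmon event 1 or Windows event 4688 (with command-line auditing enabled). A short `ping -n 2` is ordinary connectivity checking and stays below the threshold; a several-minute wait chained with `&` to a second executable is the shape to alert on, and it is also the cue for a sandbox operator to extend the analysis window or hook the sleeping calls.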
Thank you for reading, take care. · Richard McGarry