Virtualization/Sandbox Evasion

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[1]

Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.[2]

ID: T1497
Sub-techniques:  T1497.001, T1497.002, T1497.003
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Deloitte Threat Library Team; Sunny Neo
Version: 1.3
Created: 17 April 2019
Last Modified: 18 October 2021

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.[3]

S0534 Bazar

Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.[4]

S0268 Bisonal

Bisonal can check to determine if the compromised system is running on VMware.[5]

S1070 Black Basta

Black Basta can make a random number of calls to the kernel32.beep function to hinder log analysis.[6]

S1039 Bumblebee

Bumblebee has the ability to perform anti-virtualization checks.[7]

S0484 Carberp

Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[8]

S0023 CHOPSTICK

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[9]

S0046 CozyCar

Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[10]

G0012 Darkhotel

Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.[11]

S0554 Egregor

Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.[12][13]

S0666 Gelsemium

Gelsemium can use junk code to generate random activity to obscure malware behavior.[14]

S0499 Hancitor

Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.[15]

S1020 Kevin

Kevin can sleep for a time interval between C2 communication attempts.[16]

S0455 Metamorfo

Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[17]

C0005 Operation Spalax

During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.[18]

S0147 Pteranodon

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[19]

S0148 RTM

RTM can detect if it is running within a sandbox or other virtualized analysis environment.[20]

S1030 Squirrelwaffle

Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[21][22]

S0380 StoneDrill

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[23]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 Process OS API Execution

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Process Creation

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References