Virtualization/Sandbox Evasion

Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads.

Adversaries may use several methods including Security Software Discovery to accomplish Virtualization/Sandbox Evasion by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within temporary sandboxes. [1]

Virtual Machine Environment Artifacts Discovery

Adversaries may use utilities such as Windows Management Instrumentation, PowerShell, Systeminfo, and the Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use Scripting to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function.

Example VME Artifacts in the Registry [2]

  • HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions
  • HKLM\HARDWARE\Description\System\"SystemBiosVersion";"VMWARE"
  • HKLM\HARDWARE\ACPI\DSDT\BOX_

Example VME files and DLLs on the system [2]

  • WINDOWS\system32\drivers\vmmouse.sys
  • WINDOWS\system32\vboxhook.dll
  • Windows\system32\vboxdisp.dll

Common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.[2]

User Activity Discovery

Adversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.[3] Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro [4] and waiting for a user to double click on an embedded image to activate [5].

Virtual Hardware Fingerprinting Discovery

Adversaries may check the fan and temperature of the system to gather evidence that can be indicative of a virtual environment. An adversary may perform a CPU check using a WMI query such as $q = "Select * from Win32_Fan"; Get-WmiObject -Query $q. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. [6]

ID: T1497

Tactic: Defense Evasion, Discovery

Platform: Windows

Data Sources: Process monitoring, Process command-line parameters

Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis

Contributors: Sunny Neo

Version: 1.0

Examples

Name | Description
BadPatch

BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information.[7]

CHOPSTICK

CHOPSTICK checks for virtualization software.[8]

CozyCar

Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[9]

Dyre

Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[10]

FIN7

FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.[5]

FinFisher

FinFisher probes the system to check for sandbox/virtualized environments.[11][12]

GravityRAT

GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment.[13]

OopsIE

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.[6]

PlugX

PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".[14]

Pupy

Pupy has a module to check if it's running on a virtual machine.[15]

Remcos

Remcos searches for Sandboxie and VMware on the system.[16]

RogueRobin

RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment.[17][18]

ROKRAT

ROKRAT checks for sandboxing libraries.[19]

Smoke Loader

Smoke Loader scans processes to perform anti-VM checks.[20]

SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[21][22]

UBoatRAT

UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.[23]

yty

yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware.[24]

Mitigation

Mitigation of this technique with preventative controls may impact the adversary's decision process depending on what they're looking for, how they use the information, and what their objectives are. Since it may be difficult to mitigate all aspects of information that could be gathered, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

Detection

Virtualization, sandbox, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
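The heuristic above (several distinct VME-artifact checks from one host in a short window) can be turned into detection logic over process command-line telemetry. The following is an added example, not part of the ATT&CK page: the indicator strings are the Registry keys, driver/DLL names, WMI classes and process names listed earlier on this page, while the record layout `timestamp|host|pid|image|command_line`, the hostnames and the log lines themselves are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators from this page's artifact list; the 'ts|host|pid|image|cmd' record layout is assumed.
VME_DISCOVERY_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"Oracle\\VirtualBox Guest Additions",
    r"HARDWARE\\Description\\System",            # SystemBiosVersion / "VMWARE"
    r"HARDWARE\\ACPI\\DSDT\\BOX_",
    r"vmmouse\.sys|vboxhook\.dll|vboxdisp\.dll",
    r"Win32_Fan|MSAcpi_ThermalZoneTemperature",  # fan / temperature probes
    r"\bvmtoolsd\b|vboxservice|sandboxie",
)]

def parse_event(line):
    ts, host, pid, image, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "pid": int(pid), "image": image, "cmd": cmd}

def vme_indicators(cmd):
    """Patterns from the list above that appear in one command line."""
    return [p.pattern for p in VME_DISCOVERY_PATTERNS if p.search(cmd)]

def find_discovery_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Hosts on which >= threshold distinct VME checks ran within `window`:
    the 'variety of system information in a short period' heuristic."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        hits = vme_indicators(ev["cmd"])
        if hits:
            by_host[ev["host"]].append((ev["ts"], ev["cmd"], hits))
    alerts = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - t0 <= window]
            if len({h for e in span for h in e[2]}) >= threshold:
                alerts[host] = [e[1] for e in span]
                break
    return alerts

# Constructed sample process-creation records, not real telemetry.
SAMPLE_LOG = [
    "2024-05-01T10:00:01|WS01|4120|reg.exe|reg query HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions",
    "2024-05-01T10:00:02|WS01|4130|wmic.exe|wmic path Win32_Fan get *",
    "2024-05-01T10:00:04|WS01|4140|tasklist.exe|tasklist /fi \"imagename eq vmtoolsd.exe\"",
    "2024-05-01T10:00:05|WS01|4150|cmd.exe|dir C:\\Windows\\system32\\drivers\\vmmouse.sys",
    "2024-05-01T09:15:00|WS03|3300|reg.exe|reg query HKLM\\HARDWARE\\Description\\System /v SystemBiosVersion",
]
```

A single artifact query (WS03) stays below the threshold, since administrators and inventory agents legitimately read BIOS keys; the burst of four distinct checks on WS01 within seconds is what the alert keys on.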

References