Virtualization/Sandbox Evasion: System Checks

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.[1]

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.[2] In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.[3]

ID: T1497.001
Sub-technique of:  T1497
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Deloitte Threat Library Team
Version: 2.1
Created: 06 March 2020
Last Modified: 18 October 2021

Procedure Examples

ID Name Description
S0373 Astaroth

Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.[4]

S1087 AsyncRAT

AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments.[5]

S0438 Attor

Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.[6]

S0337 BadPatch

BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. [7]

S1070 Black Basta

Black Basta can check system flags and libraries, process timing, and API's to detect code emulation or sandboxing.[8][9]

S0657 BLUELIGHT

BLUELIGHT can check to see if the infected machine has VM tools running.[10]

S1039 Bumblebee

Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.[11]

S0527 CSPY Downloader

CSPY Downloader can search loaded modules, PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.[12]

G0012 Darkhotel

Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with .Md5.exe, and if the program is executed from the root of the C:\ drive, as well as checks for sandbox-related libraries.[13][14]

S1066 DarkTortilla

DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, Virtual Box, and VMware, as well as Sandboxie.[15]

S0354 Denis

Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.[16]

S0024 Dyre

Dyre can detect sandbox analysis environments by inspecting the process list and Registry.[17][18]

S0396 EvilBunny

EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.[19]

G0120 Evilnum

Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. [20]

S0679 Ferocious

Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds.[21]

S0182 FinFisher

FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.[22]

C0001 Frankenstein

During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution.[23]

S0588 GoldMax

GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a.[24][25]

S0531 Grandoreiro

Grandoreiro can detect VMWare via its I/O port and Virtual PC via the vpcext instruction.[26]

S0237 GravityRAT

GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. [27]

S0561 GuLoader

GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call EnumWindows, and checking for Qemu guest agent.[28]

S0260 InvisiMole

InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.[29]

S0532 Lucifer

Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.[30]

S1048 macOS.OSAMiner

macOS.OSAMiner can parse the output of the native system_profiler tool to determine if the machine is running with 4 cores.[31]

S0576 MegaCortex

MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.[32]

S0637 NativeZone

NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.[33]

S0644 ObliqueRAT

ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.[34]

G0049 OilRig

OilRig has used macros to verify if a mouse is connected to a compromised machine.[35]

S0439 Okrum

Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.[36]

S0264 OopsIE

OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment.[3]

C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.[37]

S0352 OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as sysctl hw.model and the kernel boot time.[38][39][40]

S0626 P8RAT

P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.[41]

S0013 PlugX

PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".[42]

S0428 PoetRAT

PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.[43]

S0192 Pupy

Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.[44]

S0650 QakBot

QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.[45][46]

S0332 Remcos

Remcos searches for Sandboxie and VMware on the system.[47]

S0270 RogueRobin

RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. [48][49]

S0240 ROKRAT

ROKRAT can check for VMware-related files and DLLs related to sandboxes.[50][51][52]

S1018 Saint Bot

Saint Bot has run several virtual machine and sandbox checks, including checking if Sbiedll.dll is present in a list of loaded modules, comparing the machine name to HAL9TH and the user name to JohnDoe, and checking the BIOS version for known virtual machine identifiers.[53]

S1019 Shark

Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.[54]

S0226 Smoke Loader

Smoke Loader scans processes to perform anti-VM checks. [55]

S1086 Snip3

Snip3 has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying Win32_ComputerSystem to extract the Manufacturer string.[56]

S0627 SodaMaster

SodaMaster can check for the presence of the Registry key HKEY_CLASSES_ROOT\Applications\VMwareHostOpen.exe before proceeding to its main functionality.[41]

S0559 SUNBURST

SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.[57]

S1064 SVCReady

SVCReady has the ability to determine if its runtime environment is virtualized.[58]

S0242 SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.[59][60]

S0094 Trojan.Karagany

Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.[61]

S0333 UBoatRAT

UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.[62]

G1017 Volt Typhoon

Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.[63]

S0612 WastedLocker

WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.[64]

S0689 WhisperGate

WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.[65]

S0248 yty

yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. [66]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 Process OS API Execution

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

Process Creation

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.

References

  1. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021.
  2. Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.
  3. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  4. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  5. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  7. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  8. Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
  9. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  10. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  11. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  12. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  13. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
  14. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
  15. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  17. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  18. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  19. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  20. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  21. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  22. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  23. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  24. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  25. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  26. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  27. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  28. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  29. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  30. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  31. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  32. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  33. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  1. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  2. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  3. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  4. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  5. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  6. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  7. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  8. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  9. Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
  10. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  11. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  12. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  13. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  14. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  15. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  16. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  17. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  18. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  19. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  20. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  21. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  22. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  23. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  24. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  25. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  26. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  27. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  28. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  29. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  30. Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
  31. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  32. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  33. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.