Threat actors constantly enhance their hacking skills and use innovative techniques to spread malware on targeted devices. They often use a combination of advanced methods to escape security scans and penetrate vulnerable devices.
Recently, security experts from Positive Technologies found threat actors combining sandbox evasion and anti-analysis methods in their malware distribution. The researchers analyzed 36 malware families active in the last 10 years that contain sandbox detection and evasion capabilities. The findings suggest that 25% of that malware was active in 2019–2020. Nearly 23% of Advanced Persistent Threat (APT) groups globally used such malware in cyberattack campaigns, and over 69% of the malware analyzed was used for espionage.
What is a Sandbox?
A sandbox is an isolated testing environment that enables security admins to run programs or execute files without affecting the application or system. IT professionals use sandboxes to test new programming code and potentially malicious software.
Sandbox evasion and anti-analysis techniques have evolved significantly as security experts have investigated more malware samples. Positive Technologies researchers found that attackers reused the same malware code in different attack methods across different years to evade organizations’ security scans.
“This malware is used to perform reconnaissance and gather information about the target system. If attackers spot that the malware is running inside a virtual environment, such as a sandbox, they will not pursue this attack vector or download the payload. Instead, the malware goes dormant to maintain stealth,” said Olga Zinenko, senior analyst at Positive Technologies.
“Hackers do all they can to hide malicious functions from security researchers and avoid tripping any known indicators of compromise. Traditional defenses may not be able to detect malicious programs. For detecting today’s malware, we recommend analyzing file behavior in a secure sandbox environment. Using a sandbox enriches IOC databases and provides companies with information for improving cyber threat response,” said Alexey Vishnyakov, Head of Malware Detection at Positive Technologies.