The journey of malware families evade sandbox

Venkatachalabathy S.R., Harikrishanan M./McAfee

In recent years, malware threat landscape grows exponential and employ various evasion technique to dodge behavioral analysis and detection. The dominant category of evasion falls on sandbox evasion technique since defenders uses sandbox as part of the ecosystem to replicate the malicious files in an automated and controlled virtualized environment and gather the behaviour information within a short span of time.

As malware authors aware of the sandbox technologies, they employed malwares with sandbox evasion techniques and mimic malware file to behave as benign file inside sandbox environment and shows the malicious payload only in physical machine (ie., non-virtualized environment). As malware authors develop more new evasion techniques to hide from sandbox radar, consequence of it, defenders make various improvement to their sandbox technology to identify the sandbox evasion and defeat it. The improvement cycle done by defenders to protect against malwares and attackers to thwart from sandbox detection is never ending story which resembles Cat and Mouse game.

In this paper we will explain what improvement done by malware authors towards new sandbox evasion and reuse of old sandbox evasion techniques in recent ransomwares, bots, Advanced Persistent Threats and how malware authors use Windows API`s, office features and functionalities of virtualized environment to achieve sandbox evasion and defeat detection. Some of the latest evasion technique seen in malware families in recent year will be covered in the paper includes:

  1. 1. How windows WMI query misused by malware authors to gathers the system information’s?
  2. 2. How Thermal zone temperature used to evade from sandbox?
  3. 3. How country check evades sandbox detection?
  4. 4. How file-less technique employed by malware authors to evade from traditional sandbox product (focus mainly on file, registry and network activities).?
  5. 5. How steganography payload evades sandbox detection?
  6. 6. How VBA stomping evade the sandbox detection based only on VBA source code?
  7. 7. And many more.

This paper will also cover how defender of sandbox product bypasses sandbox evasion developed by malware authors and provide detection solutions coverage through behavior API’s, normalized assembly function and Machine learning.

November 7 at 15:00 - 15:30, Stage A

Venkatachalabathy S.R. Currently working at McAfee as a Research Lead. He has 12+ years of work experience in Security Industry , have good knowledge and exposure on Anti-virus and Sandbox Technology. His experience includes Malware Analysis, Reverse Engineering and Threat Hunting. Prior to McAfee he worked for Computer Associate Antivirus and Comodo Antivirus products . His hobbies includes reading and listing to music.

Harikrishanan Mutu Currently working as a Security Researcher at McAfee as part of Advance Threat Detection (ATD) I started my career since 2014 and have been involved in multiple roles like Threat hunting, create generic solution for PE and non-PE files though behaviour and signature based detection, work towards sandbox evasions threats, targeted threats , maintain in house Threat Intelligence platform to improve sandbox detection efficacy. Prior to McAfee i worked for Comodo Antivirus Product. In my free time i used to do travel and exploring new places.