Sandbox Bypass and Virtualization Detection Using PT Sandbox as an Example

When it comes to sandboxes, everyone imagines a virtual machine stuffed with various tools to track the actions of suspicious software. And most products work that way. Therefore, the question arises – what if the malware detects a fake environment and shuts down? Here, opinions differ: someone will say that we can do a good job in a virtual way by changing the values ​​of the characteristics of the environment (hardening) in which the malware will look for a catch. Others believe that this game is not worth the candle. Nevertheless, the very fact of an attempt to conduct reconnaissance and determine the property of the environment is a suspicious action that is uncharacteristic for most legitimate software. Of course, this behavior is not enough to make an unambiguous conclusion about the malicious purposes of the software, however, in combination with other signs, it deserves special attention of the security guard.

It’s easy to find examples of utilities on the Internet (one, second) that combine several well-known techniques for detecting sandboxes, virtualization, or just an environment for analyzing malware (debugging tools, sniffers, monitors). These knowledge bases are replenished by the findings of researchers themselves who are looking for new methods, and by the methods extracted in the analysis of malware. For the so-called mass malware, which is designed to infect an arbitrary system, the ability to determine the wrong environment is vital, because the chance that it will soon get into the malware analysis tool or to a machine with installed antivirus is extremely large, which means you should not be able to impersonate as long as possible.

With targeted attacks, the situation is changing. Before conducting such an attack, attackers collect as much information about the target as possible, which means they sometimes understand that there is no need to carefully mask from virtual environments after a successful infection. In addition, not all actions can be regarded as suspicious, especially if they are not accompanied by excessive attempts by the malvari to protect themselves. Also, do not forget that in a number of organizations (for example, software developers) the existence of a virtual infrastructure is a typical situation.

In this article, we’ll look at a few examples of sophisticated malware used in targeted attacks and show how we identify attempts to circumvent an inappropriate technology environment. T1497 and T1063 from MITER ATT & CK.

PlugX .NET Wrapper

MD5: ca8042a6d13751ef5c908cf5bc334600

PlugX can be called a classic backdoor; it has been known for over 10 years. It is widely used mainly by malefactors from Asian countries (including APT-groups). Its new modifications are still being discovered. As an example, we have taken .NET executable PE file. This is just a wrapper for PlugX. The dropper checks if the vmtoolsd process exists in the system; if not, it implements a shell code to unpack and launch the backdoor payload.

Vmtoolsd process search

In order to find the process we need, you need to get a list of all the processes in the system. By removing the related calls, we run into the kernel function call NtQuerySystemInformation (hereinafter, we will use the Nt prefix instead of Zw so that there is no discrepancy with the cuts from the event logs) with the field value SystemInformationClassequal to Systemprocessinformation, or 0x5:

syscall Time = ?????? 9276.891649, PID = 2996, PPID = 1368, TID = 2848, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method =NtQuerySystemInformation, Module = “nt”, vCPU = 1, CR3 = 0xC7FA000, Syscall = 51,SystemInformationClass = 0x5, SystemInformation = 0x4C36A0, SystemInformationLength = 0x20400, ReturnLength = 0x8DEF0

By the way, you can check the result with a simpler example by following the call to the well-known CreateToolhelp32Snapshot API function from kernel32:

Calling NtQuerySystemInformation from ntdll during the operation of the CreateToolhelp32Snapshot function from kernel32

Calling a kernel function in an NtQuerySystemInformation function from ntdll

As a result, we treat the intercepted call as an attempt to enumerate processes in the system with the resulting suspicious behavior Read.Process.Name.Enumeration.

{
	"detect.name": "Read.Process.Name.Enumeration",
	"detect.type": "suspicious",
	"process.id": "2996",
	"process.name": "***.exe",
	"unixtime": "??????9276.891649"
}

Pipemon

SHA1: 93628ed36d3b70c685be8a3436bd489a

We give a more recent example. May 21 our ESET colleagues published article about the new PipeMon backdoor of the apt group Winnti, a well-known successful attacks on the supply chain (supply chain) and infections large organizations from the gaming industry. This time they used a new malware that uses a variety of named pipes to communicate between their modules. During the installation process, before introducing the main and watchdog modules into the process, one of the components checks whether the ESET process (ekrn.exe) and Kaspersky (avp.exe) It is curious that the presence of anti-virus software is not an obstacle: the malware continues its activity by choosing another victim process, bypassing detection in an attempt to infiltrate the protected process. Not the most difficult technique, but we could not pass by, on the one hand, a recent, on the other – a bold case, which is similarly defined as suspicious behavior Read.Process.Name.Enumeration.

Cozyduke

MD5: 3d3363598f87c78826c859077606e514

APT Cozy Bear (aka APT29, The Dukes, YTTRIUM) is one of the groups whose members presumably speak Russian. Their activity has been known since 2008, and a malicious campaign Operation ghost shows that the quality of the malware they use is still high. We focus on one of the group’s flagship backdoors – CozyDuke. At the beginning of its work, to detect anti-virus software (Kaspersky, Dr.Web, Avira), the malware launches WMI requests SELECT * FROM AntiVirusProduct and SELECT * FROM FireWallProduct.

In addition, the backdoor searches for antivirus products in the list of installed software by listing the registry branch SOFTWARE Microsoft Windows CurrentVersion Uninstall. WMI calls are monitored by monitoring the use of the COM interface {4590F811-1D3A-11D0-891F-00AA004B2E24} (CLSID_WbemLocator) by calling the CoCreateInstanse API and further parsing object class structures:

wmimon Time = ?????? 9653.749016, PID = 556, PPID = 1476, TID = 1256, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ConnectServer, Resource = “root SecurityCenter2”

wmimon Time = ?????? 9653.865526, PID = 556, PPID = 1476, TID = 1256, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ExecQuery, Command = “SELECT * FROM AntiVirusProduct

wmimon Time = ?????? 9654.718217, PID = 556, PPID = 1476, TID = 1256, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ExecQuery, Command = “SELECT * FROM FireWallProduct

Access to the registry is fixed by calling the NtEnumerateKey kernel function:

regmon Time = ?????? 9653.942010, PID = 556, PPID = 1476, TID = 1256, ProcessName = ” Device HarddiskVolume2 ******. exe”, Method = NtEnumerateKey, Key = ” REGISTRY MACHINE SOFTWARE MICROSOFT WINDOWS CURRENTVERSION UNINSTALL “

As a result, we get suspicious events. Create.Query.WMI.CheckVM and Read.Registry.Key.CheckInstalledSoft:

{
	"detect.name": "Create.Query.WMI.CheckVM",
	"detect.type": "suspicious",
	"process.id": "556",
	"process.name": "***.exe",
	"unixtime": "??????9653.865526"
}
{
	"detect.name": " Read.Registry.Key.CheckInstalledSoft ",
	"detect.type": "suspicious",
	"process.id": "556",
	"process.name": "***.exe",
	"unixtime": "??????9653.942010"
}

Dangerous CozyDuke behavior detected by PT Sandbox

Zebrocy AutoIt loader

MD5: 4d552f8927599915990c27fd606bd82f

APT Fancy Bear (aka APT28, Sofacy, Sednit) is one of the most advanced groups. They are authored by dozens of backdoors, proxing trojans and info-dealers: the Xagent, Xtunnel, Sedreco, Downdelph, and other Trojan families. The creators of the world’s first UEFI rootkit LoJax not limited only malware for Windows. We will look at a sample of the malicious Zebrocy family written in AutoIt. An additional packaging layer using UPX does not complicate the production of an Au3-interpreted script that checks for the presence of VMware, VirtualBox or Parallels virtual environment processes:

Search for VMware, VirtualBox, or Parallels Processes

Such activity is recorded by the previously considered suspicious behavior. Read.Process.Name.Enumeration.

It is worth noting that since 2013, other programming languages ​​have been used to create Zebrocy variations: Delphi, C #, Python, as well as Go, which has gained popularity. In one of the samples on Go (MD5: f3ec38b8d5a6e29db299e2eadacbcebe), we found a simple but very effective trick for bypassing the sandbox: the trojan checks that the library’s own name (the malware is an OLE control that is registered in the system using regsvr) starts with a substring sap_. The chance that malware accidentally entered the system for analysis will be correctly named is very small. For successful operation, you will need to start the infection chain from the very beginning, which does not guarantee that the Zebrocy bootloader will be received as a payload from the management server.

Decoding spa_ string in Zebrocy Go

Smokeloader

MD5: 5fc6f24d43bc7ca45a81d159291955d1

We decided to include the well-known malicious SmokeLoader bootloader in the list of families under consideration, since it would seem that its rather simple purpose (load and run the payload) is accompanied by many tricks, complicating his analysis. Note that we observed cases of the use of this malware by a hacker group TA505.

SmokeLoader reads registry key values ​​to discover virtualization tools System CurrentControlSet Enum IDE and System CurrentControlSet Enum SCSI and searches for substrings of QEMU, VirtualBox, VMware, and Xen virtualization products in them:

regmon Time = ?????? 6940.916639, PID = 2168, PPID = 2716, TID = 2848, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtOpenKeyEx, Key = “ REGISTRY MACHINE System CurrentControlSet Enum IDE

In addition, the malware checks whether it is running under debugging by accessing the API function NtQueryInformationProcess with parameter value ProcessInformationClassequal to Processdebugport:

syscall Time = ?????? 6940.915990, PID = 2168, PPID = 2716, TID = 2848, ProcessName = ” Device HarddiskVolume2 *. exe”, Method =NtQueryInformationProcess, Module = “nt”, vCPU = 1, CR3 = 0x1F861000, Syscall = 22, ProcessHandle = 0xFFFFFFFFFFFFFFFF,ProcessInformationClass = 0x7, ProcessInformation = 0x8EBD0, ProcessInformationLength = 0x8, ReturnLength = 0x8E310

Description of the values ​​of the ProcessInformationClass parameter, link

As a result, suspicious events are recorded. Read.Process.Info.AntiDebug and Read.Registry.Key.CheckVM:

{
	"detect.name": "Read.Process.Info.AntiDebug",
	"detect.type": "suspicious",
	"process.id": "2168",
	"process.name": "***.exe",
	"unixtime": "??????6940.915990"
}
{
	"detect.name": Read.Registry.Key.CheckVM",
	"detect.type": "suspicious",
	"process.id": "2168",
	"process.name": "*.exe",
	"unixtime": "??????6940.916639"
}

Note that SmokeLoader creates a copy of the ntdll library and imports from it all the necessary Nt-functions to work, thereby avoiding call tracing. This example reflects the benefits of intercepting calls at the kernel level, despite some limitations and implementation difficulties.

ROKRAT

MD5: bedc4b9f39dcc0907f8645db1acce59e

The ScarCruft APT group (also known as APT37, Group123, TEMP.Reaper) is associated with the Korean peninsula, and its goals are countries in Asia and the Middle East. Some researchers have summarized the ScarCruft activity cluster with the Lazarus group (HIDDEN COBRA), which is believed to be involved in the WannaCry epidemic in 2017.

The ROKRAT backdoor, like SmokeLoader, uses the anti-debugging technique using the API function NtQueryInformationProcess with parameter ProcessInformationClassequal to Processdebugportthereby creating a suspicious event Read.Process.Info.AntiDebug. In addition, it receives the key value SystemBiosVersion registry branches HARDWARE DESCRIPTION System To define a virtualization environment:

regmon Time = ?????? 8504.062491, PID = 3448, PPID = 1476, TID = 2032, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryValueKey, Key = “ REGISTRY MACHINE HARDWARE DESCRIPTION SYSTEM“, ValueName =”SystemBiosVersion

Another trick: checking the list of library names of the analysis tools (SbieDll.dll, dbghelp.dll, api_log.dll, dir_watch.dll) and whether they are loaded into the address space of the malware:

librarymon Time = ?????? 8504.052513, PID = 3448, PPID = 1476, TID = 2032, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = LdrGetDllHandle, ModuleName = “SbieDll.dll“, ModulePath =” “

librarymon Time = ?????? 8504.053067, PID = 3448, PPID = 1476, TID = 2032, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = LdrGetDllHandle, ModuleName = “dbghelp.dll“, ModulePath =” “

librarymon Time = ?????? 8504.053635, PID = 3448, PPID = 1476, TID = 2032, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = LdrGetDllHandle, ModuleName = “api_log.dll“, ModulePath =” “

librarymon Time = ?????? 8504.054151, PID = 3448, PPID = 1476, TID = 2032, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = LdrGetDllHandle, ModuleName = “dir_watch.dll“, ModulePath =” “

Thus, we get two more suspicious responses: Read.Registry.Key.CheckBios and Read.File.Module.CheckVM:

{
	"detect.name": "Read.Registry.Key.CheckBios",
	"detect.type": "suspicious",
	"process.id": "3448",
	"process.name": "***.exe",
	"unixtime": "??????8504.062491"
}
{
	"detect.name": "Read.File.Module.CheckVM",
	"detect.type": "suspicious",
	"process.id": "3448",
	"process.name": "***.exe",
	"unixtime": "??????8504.054151"
}

Oopsie

MD5: 5998ef679682878e68d5ac4a1733fac5

The OilRig group (APT34, HELIX KITTEN) has been attacking targets for more than five years mainly in the Middle East region. In April 2019 has occurred The group’s toolkit leak, which allowed them to better understand the criminals’ techniques. And in October of that year It revealedthat another Turla APT group hacked into OilRig’s infrastructure for future use in its campaigns.

The OopsIE backdoor runs a series of already familiar WMI requests for sandbox detection:

wmimon Time = ?????? 4570.575516, PID = 852, PPID = 1476, TID = 2668, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ExecQuery, Command = “Select * from Win32_PointingDevice

wmimon Time = ?????? 4574.405101, PID = 852, PPID = 1476, TID = 2668, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ExecQuery, Command = “Select * from Win32_DiskDrive

wmimon Time = ?????? 4575.607899, PID = 852, PPID = 1476, TID = 2668, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = ExecQuery, Command = “Select * from Win32_BaseBoard

Checks library SbieDll.dll in its address space:

librarymon Time = ?????? 4575.807535, PID = 852, PPID = 1476, TID = 2668, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = LdrLoadDll, ModuleName = “SbieDll.dll“, ModulePath =” “

As suspicious we receive events Create.Query.WMI.CheckVM and Read.File.Module.CheckVM.

Lo2

MD5: 22f41b6238290913fc4d196b8423724d

In November 2019, we published Donot Team activity study (APT-C-35, SectorE02). Of interest is the malicious Lo2 loader, which is an intermediate link in loading the components of yty – a modular malicious framework.

After launch, Lo2 tries to determine the installed Avast and eScan antivirus software by checking for the existence of directories as a result of product installation:

filetracer Time = ?????? 7260.502664, PID = 2648, PPID = 1368, TID = 1684, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryAttributesFile, FileName = “ ?? C: Program Files eScan“, FileHandle = 0x0, OBJ_CASE_INSENSITIVE = 1

filetracer Time = ?????? 7260.503217, PID = 2648, PPID = 1368, TID = 1684, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryAttributesFile, FileName = “ ?? C: Program Files (x86) eScan“, FileHandle = 0x0, OBJ_CASE_INSENSITIVE = 1

filetracer Time = ?????? 7260.503750, PID = 2648, PPID = 1368, TID = 1684, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryAttributesFile, FileName = “ ?? C: Program Files Avast Software“, FileHandle = 0x0, OBJ_CASE_INSENSITIVE = 1

filetracer Time = ?????? 7260.504231, PID = 2648, PPID = 1368, TID = 1684, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryAttributesFile, FileName = “ ?? C: Program Files (x86) Avast Software“, FileHandle = 0x0, OBJ_CASE_INSENSITIVE = 1

As a result, we get a suspicious event Read.File.Name.CheckAntivirus:

{
	"detect.name": "Read.File.Name.CheckAntivirus",
	"detect.type": "suspicious",
	"process.id": "2648",
	"process.name": "***.exe",
	"unixtime": "??????7260.504231"
}

To find the virtual environment, use the I / O port 0x5658. It is used by VMware to interact with the virtual machine.

VMware Lo2 Detection

It is difficult to notice the use of such a technique in analyzing behavior. Since the sequence of calls is rarely obfuscated and most often copied as a sequence of assembler instructions in a row, it can be detected by scanning a recorded memory dump of a malicious process. An example of a detecting YARA rule:

rule tool_mem_ZZ_antiVM__Risktool__VMwarePort{
	strings:
		$asm_code_x86 = {
			BB 00 00 00 00
			B9 0A 00 00 00
			BA 58 56 00 00
			ED
			81 FB 68 58 4D 56
		}
	condition:
		any of them
}

Finfisher

MD5: a7b990d5f57b244dd17e9a937a41e7f5

In 2018, we carried out a webinar presenting a study of the features of FinFisher spyware (FinSpy), developed by Gamma Group. Below is a list of actions aimed at circumventing the sandbox:

  • Checks key DigitalProductId registry branches SOFTWARE Microsoft Windows NT CurrentVersion for the content of the following lines: “55274-649-6478953-23109”, “A22-00001”, “47220”.

regmon Time = ??????7840.046022, PID = 2724, PPID = 1324, TID = 2648, ProcessName = ” Device HarddiskVolume2 ***. Exe”, Method = NtQueryValueKey, Key = “ REGISTRY MACHINE SOFTWARE WOW6432NODE MICROSOFT WINDOWS NT CURRENTVERSION“, ValueName =”DigitalProductId

  • Checks key SystemBiosDate registry branches HARDWARE Description System on the equality of the line “01/02/03”.

regmon Time = *** 7840.051014, PID = 2724, PPID = 1324, TID = 2648, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method = NtQueryValueKey, Key = “ REGISTRY MACHINE HARDWARE DESCRIPTION SYSTEM“, ValueName =”SystemBiosDate

  • Checks the names of processes and drivers through an API function call NtQuerySystemInformation.

syscall Time = ?????? 7827.116200, PID = 2724, PPID = 1324, TID = 2648, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method =NtQuerySystemInformation, Module = “nt”, vCPU = 1, CR3 = 0x51C15000, Syscall = 51,SystemInformationClass = 0x5, SystemInformation = 0x4036E0, SystemInformationLength = 0x10400, ReturnLength = 0x9BE290

  • Invokes an API Function NtSetInformationThread with parameter ThreadInformationClassequal to 0x11 (HideFromDebugger)

syscall Time = ?????? 7835.094102, PID = 2724, PPID = 1324, TID = 908, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method =NtSetInformationThread, Module = “nt”, vCPU = 1, CR3 = 0x4E1FC000, Syscall = 10, ThreadHandle = 0xFFFFFFFFFFFFFFFE,ThreadInformationClass = 0x11, ThreadInformation = 0x0, ThreadInformationLength = 0x0

  • Invokes an API Function NtQueryInformationProcess with parameter ProcessInformationClassequal to 0x7 (DebugPort).

syscall Time = ?????? 7841.348199, PID = 2724, PPID = 1324, TID = 2648, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method =NtQueryInformationProcess, Module = “nt”, vCPU = 0, CR3 = 0x51C15000, Syscall = 22, ProcessHandle = 0xFFFFFFFFFFFFFFFF,ProcessInformationClass = 0x7, ProcessInformation = 0x9BEC20, ProcessInformationLength = 0x8, ReturnLength = 0x9BE360

  • Invokes an API Function NtQueryInformationProcess with parameter ProcessInformationClassequal to 0x1e (ProcessDebugObjectHandle)

syscall Time = ?????? 7841.348624, PID = 2724, PPID = 1324, TID = 2648, ProcessName = ” Device HarddiskVolume2 ***. exe”, Method =NtQueryInformationProcess, Module = “nt”, vCPU = 0, CR3 = 0x51C15000, Syscall = 22, ProcessHandle = 0xFFFFFFFFFFFFFFFF,ProcessInformationClass = 0x1E, ProcessInformation = 0x9BEC20, ProcessInformationLength = 0x8, ReturnLength = 0x9BE360

As a result, we get a list of suspicious events:

  • Read.Registry.Key.DigitalProductId,
  • Read.Registry.Key.CheckBios,
  • Read.Process.Name.Enumeration.
  • Write.Thread.Info.AntiDebug,
  • Read.Process.Info.AntiDebug.

FinFisher Dangerous Behavior Detected by PT Sandbox

Conclusion

In this article, we examined some techniques for detecting environments that are not suitable for malware: anti-debugging techniques, virtualization detection, and the presence of antivirus software. We examined various malicious families of complex trojans and APT attack tools as examples. Of course, the variety of approaches used cannot be compared with harvesters recognition of analyzing machines. Nevertheless, the techniques are used, although not the most advanced ones, but an additional item in the graph of detections will never hurt.

Author: Alexey Vishnyakov, Senior Specialist, Threat Research Group, Positive Technologies Security Center

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *