Malware authors continually tweak their techniques to evade automated analysis, so sandboxes must be tailored in turn: dependency emulation raises detonation rates for samples that would otherwise fail to load, and VMI-based SSL/TLS decryption gives visibility into encrypted traffic. Palo Alto Networks describes how both adaptations are used in Advanced WildFire to improve detection and insight into encrypted command-and-control and payload delivery. #ATMSpitter #Sality
Key points
- The article discusses dependency emulation as a way to detonate malware that would fail in sandbox environments due to missing DLLs.
- File infector families such as Sality typically require specific libraries and may not detonate in sandboxes that lack them.
- Dependency emulation detects missing dependencies and tells the executable that all requirements are met so the sample can run.
- VMI SSL/TLS Decryption is introduced to observe TLS/SSL traffic without triggering malware defenses.
- TLS handshake and key-exchange details, including the session master secrets, can be extracted from guest memory via virtual machine introspection and written in a key log that tools like Wireshark use to decrypt the captured traffic.
- Adaptable sandbox design is emphasized as critical for staying ahead of evolving evasions and improving detonation rates with Advanced WildFire.
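The first half of dependency emulation is knowing which imports a sample needs before it is detonated. The following added example (written for this summary, not code from the Unit 42 post or from WildFire) walks a PE file's import directory with only the standard library, compares the imported DLL names against a constructed manifest of what the sandbox image ships, and reports the ones that would make the loader refuse to start the sample. The `build_test_pe` helper constructs a minimal PE32 image so the parser can be exercised offline; the DLL names and the `SANDBOX_DLLS` set are assumptions for the demo.

```python
import struct

# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
IMPORT_DESCRIPTOR = struct.Struct("<IIIII")

# Constructed manifest of what a bare sandbox image ships; a real one is enumerated from the VM.
SANDBOX_DLLS = frozenset({"ntdll.dll", "kernel32.dll", "user32.dll", "advapi32.dll", "gdi32.dll"})


def _rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for virt_addr, virt_size, raw_ptr, raw_size in sections:
        if virt_addr <= rva < virt_addr + max(virt_size, raw_size):
            return rva - virt_addr + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(image: bytes) -> list:
    """Return the DLL names in a PE file's import directory, in table order."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", image, coff + 2)
    (opt_size,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Data directories begin at +96 for PE32 (0x10B) and +112 for PE32+ (0x20B); entry 1 is imports
    directories = opt + (96 if magic == 0x10B else 112)
    import_rva, _import_size = struct.unpack_from("<II", image, directories + 8)
    sections = []
    section_table = opt + opt_size
    for i in range(num_sections):
        hdr = section_table + 40 * i
        virt_size, virt_addr, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((virt_addr, virt_size, raw_ptr, raw_size))
    names = []
    if import_rva == 0:
        return names  # no import directory at all
    off = _rva_to_offset(sections, import_rva)
    while True:
        orig_thunk, _ts, _fwd, name_rva, first_thunk = IMPORT_DESCRIPTOR.unpack_from(image, off)
        if orig_thunk == 0 and name_rva == 0 and first_thunk == 0:
            break  # an all-zero descriptor terminates the array
        name_off = _rva_to_offset(sections, name_rva)
        names.append(image[name_off:image.index(b"\0", name_off)].decode("ascii"))
        off += IMPORT_DESCRIPTOR.size
    return names


def missing_dependencies(image: bytes, present=SANDBOX_DLLS) -> list:
    """DLLs the sample imports that the sandbox image cannot satisfy (loader lookup is case-insensitive)."""
    return [dll for dll in imported_dlls(image) if dll.lower() not in present]


def build_test_pe(dll_names) -> bytes:
    """Constructed minimal PE32 whose single section holds only an import directory (demo input)."""
    section_va, section_raw = 0x1000, 0x200
    descriptors, strings = bytearray(), bytearray()
    strings_start = (len(dll_names) + 1) * IMPORT_DESCRIPTOR.size  # name strings follow the array
    for name in dll_names:
        name_rva = section_va + strings_start + len(strings)
        descriptors += IMPORT_DESCRIPTOR.pack(0, 0, 0, name_rva, 0)
        strings += name.encode("ascii") + b"\0"
    descriptors += IMPORT_DESCRIPTOR.pack(0, 0, 0, 0, 0)  # terminator
    section = bytes(descriptors + strings)

    e_lfanew, opt_size = 0x40, 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)          # e_lfanew lives at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, section_va, len(descriptors))  # import directory RVA/size
    section_hdr = struct.pack("<8sIIIIIIHHI", b".idata", len(section), section_va,
                              len(section), section_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(section_raw)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section_hdr
    image[:len(headers)] = headers
    return bytes(image + section)


if __name__ == "__main__":
    # Constructed sample: two DLLs every image has, plus the VB6 runtime a bare image usually lacks
    sample = build_test_pe(["KERNEL32.dll", "USER32.dll", "MSVBVM60.DLL"])
    print("imports:", imported_dlls(sample))
    print("missing in sandbox:", missing_dependencies(sample))
```

The list returned by `missing_dependencies` is the input to the second half of the technique: for each name the sandbox provides a stand-in module so the loader's import resolution succeeds and the sample reaches its entry point. Real binaries also need the delay-load and bound-import directories checked, and packed samples resolve most imports at runtime, so a static pass like this is a first filter rather than a complete answer.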
MITRE Techniques
- [T1497] Virtualization/Sandbox Evasion – Samples that need libraries absent from the analysis image fail before they run; the sandbox is adapted to misrepresent dependencies so the sample detonates: “Dependency emulation is an approach we’ve recently prototyped and found useful to address this,” and “we lie to the executable that all of its dependency requirements are met.”
- [T1071.001] Web Protocols – Use of TLS/SSL for C2 and payload delivery; “One solution we’ve found useful for this problem is to detect when TLS connections are being initiated and log the symmetric keys generated for the SSL/TLS connection using virtual machine introspection,” and Wireshark keylog decryption is described to view decrypted traffic.
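Wireshark matches a logged key to a session by the client random in the ClientHello, so the introspection hook has to record that value alongside the master secret it lifts from guest memory. The following added example (written for this summary, not code from the Unit 42 post or from WildFire) extracts the client random from a captured ClientHello record and emits NSS key log lines in the format Wireshark reads; `build_client_hello` constructs a minimal TLS 1.2 ClientHello so the parser can be exercised offline, and the secrets used are placeholder bytes rather than anything extracted from a real sample.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01


def client_random_from_record(record: bytes) -> bytes:
    """Extract the 32-byte client random from a TLS record carrying a ClientHello."""
    if len(record) < 43 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack_from(">H", record, 3)
    if record[5] != CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    body_len = int.from_bytes(record[6:9], "big")
    if body_len + 4 > rec_len or rec_len + 5 > len(record):
        raise ValueError("truncated ClientHello")
    # record header (5) + handshake header (4) + legacy_version (2) = 11; the random follows
    return record[11:43]


def keylog_line(label: str, client_random: bytes, secret: bytes) -> str:
    """Format one NSS key log line: '<label> <client_random hex> <secret hex>'."""
    if len(client_random) != 32:
        raise ValueError("client random must be 32 bytes")
    if label == "CLIENT_RANDOM" and len(secret) != 48:
        raise ValueError("a TLS 1.2 master secret is 48 bytes")
    return f"{label} {client_random.hex()} {secret.hex()}"


def keylog_from_captures(entries) -> str:
    """entries: (client_hello_record, master_secret) pairs recorded by the VMI hook.

    Returns the contents of a key log file for TLS 1.2 sessions. TLS 1.3 sessions need
    per-direction labels (CLIENT_HANDSHAKE_TRAFFIC_SECRET, CLIENT_TRAFFIC_SECRET_0, ...) instead.
    """
    return "".join(
        keylog_line("CLIENT_RANDOM", client_random_from_record(rec), secret) + "\n"
        for rec, secret in entries
    )


def build_client_hello(client_random: bytes) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record (demo input, not a real capture)."""
    body = (b"\x03\x03" + client_random
            + b"\x00"                  # session_id length 0
            + b"\x00\x02\xc0\x2f"      # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"              # one compression method: null
            + b"\x00\x00")             # no extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    # Placeholder values standing in for what the hook lifts from the guest
    hello = build_client_hello(bytes(range(32)))
    master_secret = bytes(range(48))
    print(keylog_from_captures([(hello, master_secret)]), end="")
```

Point Wireshark at the resulting file under Preferences, Protocols, TLS, "(Pre)-Master-Secret log filename", or pass it with `tshark -o tls.keylog_file:<path>`, and the dissector decrypts any captured session whose client random appears in the log.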
Indicators of Compromise
- [SHA-256] Malware sample hashes – c5b43b02a62d424a4e8a63b23bef8b022c08a889a15a6ad7f5bf1fd4fe73291f, a3b2de8f0d648f3e157300d0a88971919eb273b7d1c7b9ed023f26b5cc0ac3ca, and 1 more hash (Formbook SSL Decryption)
Read more: https://unit42.paloaltonetworks.com/tailoring-sandbox-techniques/