Malware adds Sandboxing to evade analysis

Any.Run is a malware analysis sandbox service that lets researchers and users safely analyze malware without risk to their computers.

When an executable is submitted to Any.Run, the sandbox service will create a Windows virtual machine with an interactive remote desktop, and execute the submitted file within in it.

Researchers can utilize the interactive Windows desktop to see what behavior the malware is exhibiting, while Any.Run records its network activity, file activity, and registry changes.

In a new password-stealing trojan spam campaign discovered, malicious PowerShell scripts are downloading and installing malware onto a computer.

If it detects that the program is running on Any.Run, it will display the message ‘Any.run Deteceted!’ and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it

Using this method, threat actors make it more difficult for researchers to analyze their attacks using an automated system.

When executed on a normal virtual machine, or a live system, the password-stealing Trojan would be allowed to execute and steal saved login credentials in browsers, FTP programs, and other software.

While this will not prevent a researcher from analyzing a particular malware using other methods, it does cause them to have to put more effort into the analysis.

With online malware analysis sandbox platforms becoming more commonly used by security researchers, we can expect to see more malware continue to target them.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s