Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Share Post: Reddit Facebook
Malware adds Any.Run sandbox detection to evade analysis
#1
Quote:Malware developers are now checking if their malware is running in the Any.Run malware analysis service to prevent their malware from being easily analyzed by researchers.

Any.Run is a malware analysis sandbox service that lets researchers and users safely analyze malware without risk to their computers.


When an executable is submitted to Any.Run, the sandbox service will create a Windows virtual machine with an interactive remote desktop, and execute the submitted file within in it.

Researchers can utilize the interactive Windows desktop to see what behavior the malware is exhibiting, while Any.Run records its network activity, file activity, and registry changes.

Malware begins to detect if running in Any.Run

In a new password-stealing trojan spam campaign discovered by security researcher JAMESWT, malicious PowerShell scripts are downloading and installing malware onto a computer.

When the above script is executed, it will download two PowerShell scripts to the victim's computer that contain obfuscated and embedded malware.

The above script will decode the embedded malware and execute it on the computer.

When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan.

If it detects that the program is running on Any.Run, it will display the message 'Any.run Deteceted!' and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it.

[Image: sfvCgbm.jpg]

Using this method, threat actors make it more difficult for researchers to analyze their attacks using an automated system.

When executed on a normal virtual machine, or a live system, the password-stealing Trojan would be allowed to execute and steal saved login credentials in browsers, FTP programs, and other software.

While this will not prevent a researcher from analyzing a particular malware using other methods, it does cause them to have to put more effort into the analysis.

With online malware analysis sandbox platforms becoming more commonly used by security researchers, we can expect to see more malware continue to target them.

SOURCE
Reply
#2
Thanks, tarekma7 for this info.
... So, how do we defend against this threat? ... Does anyone have any ideas or know of any anti-malware software to use to defend against this?
Reply
#3
Dr.Web Security Space

https://www.drweb.com/
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  World First Visual AI Based Malware Detection mrtrout 0 1,612 01-31-2023 , 04:41 AM
Last Post: mrtrout
  Glimpse malware uses alternative DNS to evade detection Mohammad.Poorya 0 2,242 11-11-2019 , 06:26 PM
Last Post: Mohammad.Poorya
  Malware Analysis - Deobfuscating Loyeetro Trojan-Spy baziroll 0 2,641 08-18-2017 , 12:49 AM
Last Post: baziroll
  Malware Analysis - Unpacking RunPE Loyeetro Trojan baziroll 0 2,483 08-09-2017 , 02:19 AM
Last Post: baziroll
  Malware Analysis - PortexAnalyzer Repair and Dump PE Files baziroll 0 2,715 08-07-2017 , 11:51 AM
Last Post: baziroll



Users browsing this thread: 1 Guest(s)