Virtualization Sandbox Evasion
ID | virtualization_sandbox_evasion
Severity | high
Resource | System
Tags | evader
Description
This detector flags code that performs checks to determine whether it is running inside a virtual machine or a sandbox.
Rationale
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.
If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.
In particular, this detector looks for code checking:
- Browser renderer, since software renderers commonly indicate that the browser is running within a virtual machine.
- Window color and size, since low values may indicate that the browser is running within a virtual machine.
- Specific registry keys, like SOFTWARE\VMware, Inc.\VMware Tools, since they may indicate that the system is a virtual machine.
- Specific file checks, like system32\drivers\VBoxVideo.sys, since they may indicate that the system is a virtual machine.
- Specific WMI queries, like SELECT * FROM Win32_CacheMemory, since they may indicate that the system is a virtual machine.
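As an added illustration of what such a detector looks for (this is example code, not the detector's own implementation), the following static scanner reports where a JavaScript source string contains each of the five indicator categories listed above. The regular expressions, the constructed sample source and the placeholder name bail() are assumptions made for the example; a real rule would carry a broader signature set.

```javascript
// Added example, not the detector's own implementation: a minimal static
// scanner that reports where a JavaScript source string contains the five
// indicator categories listed in the rule description. The regex lists are
// illustrative assumptions; a real rule would carry a larger signature set.

const INDICATORS = [
  {
    name: 'browser_renderer',
    // Reading the WebGL renderer string or comparing it against software
    // renderer names (software rendering commonly means a VM or headless browser).
    patterns: [/WEBGL_debug_renderer_info/, /UNMASKED_RENDERER_WEBGL/, /\b(SwiftShader|llvmpipe)\b/i],
  },
  {
    name: 'window_color_size',
    // Tests on colour depth or window dimensions (low values suggest a VM).
    patterns: [/screen\.colorDepth/, /\bwindow\.(outer|inner)(Width|Height)\b/],
  },
  {
    name: 'registry_key',
    // Hypervisor tool registry paths; \\{1,2} tolerates raw and escaped backslashes.
    patterns: [/SOFTWARE\\{1,2}VMware, Inc\.\\{1,2}VMware Tools/i, /\b(HKEY_LOCAL_MACHINE|HKLM)\b/],
  },
  {
    name: 'file_check',
    // Virtualization driver files, e.g. the VirtualBox video driver.
    patterns: [/VBoxVideo\.sys/i, /system32\\{1,2}drivers\\{1,2}/i],
  },
  {
    name: 'wmi_query',
    // WQL queries against Win32_* classes used to fingerprint the host.
    patterns: [/SELECT\s+\*\s+FROM\s+Win32_\w+/i],
  },
];

// Scans source text line by line; returns at most one finding per
// (indicator, line) as { indicator, line, snippet } so an analyst can jump to it.
function scanForSandboxEvasion(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, idx) => {
    for (const { name, patterns } of INDICATORS) {
      if (patterns.some((re) => re.test(text))) {
        findings.push({ indicator: name, line: idx + 1, snippet: text.trim() });
      }
    }
  });
  return findings;
}

// Distinct indicator names present, in rule order, for a quick verdict.
function indicatorNames(findings) {
  const seen = new Set(findings.map((f) => f.indicator));
  return INDICATORS.map((i) => i.name).filter((n) => seen.has(n));
}

// Constructed fixture mirroring the rule's own examples (registry key, driver
// path, WMI query). bail() is a placeholder name, not a real function.
const SAMPLE_SOURCE = [
  "const gl = document.createElement('canvas').getContext('webgl');",
  "const dbg = gl.getExtension('WEBGL_debug_renderer_info');",
  "const renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);",
  "if (/SwiftShader/i.test(renderer)) bail();",
  "if (screen.colorDepth < 24 || window.outerWidth < 800) bail();",
  "const key = 'SOFTWARE\\\\VMware, Inc.\\\\VMware Tools';",
  "const drv = 'system32\\\\drivers\\\\VBoxVideo.sys';",
  "const q = 'SELECT * FROM Win32_CacheMemory';",
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanForSandboxEvasion(SAMPLE_SOURCE);
  console.log(findings);
  console.log(indicatorNames(findings));
}
```

Running the block on the fixture yields one finding per matching line (three for the renderer checks on lines 2 to 4, one each for the remaining categories) and all five indicator names; a benign source such as a single console.log call yields none. Because each indicator is matched per line, the output doubles as a pointer into the sample for manual triage.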
Related malware campaigns
This is a common feature found broadly across malicious code. Some well-known examples of this technique include:
- MalwareHunterTeam discovered that phishing sites are now using JavaScript to evade detection by checking whether a visitor is browsing the site from a virtual machine or a headless device.
- RATs, like RATDispenser, which is used to gain an initial foothold on a system before launching secondary malware that establishes control over the compromised device. Its shellcode employs several anti-analysis and anti-debugging tricks at every step of execution, and throws an error message if the shellcode detects any known analysis or debugging mechanisms or evidence that it's running in a virtualized system.