Virtualization/Sandbox Evasion

Virtualization/sandbox evasion techniques are a key adversarial measure that attackers use to detect and escape virtualized environments or sandbox analysis: by recognizing characteristics of the analysis environment, the malware changes its behavior so that its core functionality is never exposed. Traditional detection relied on comparing static environment artifacts (such as particular registry keys or process lists), which defenders could counter with behavioral monitoring and hardware-fingerprint obfuscation. As the arms race escalated, however, attackers developed stealthier evasion methods, forming a multi-dimensional system of environment sensing and dynamic adaptation.

The core evolution of current virtualization-evasion (trace-hiding) techniques lies in smarter environment sensing and more systematic countermeasures. Attackers build multi-layered detection systems: at the analysis and decision layer, machine-learning models assess environment characteristics dynamically; at the behavioral response layer, self-modifying code structures adjust the attack strategy on the fly. Typical techniques include dynamic environment fingerprinting, which upgrades traditional feature checks into a continuous monitoring system that captures intrinsic differences between virtualized environments and physical hardware through microsecond-level timing analysis, and user-behavior simulation, which builds a two-way adversarial capability on the human-computer interaction dimension, evading sandbox detection while also strengthening social-engineering attacks. What these techniques have in common is that they break out of the traditional static adversarial model and form a real-time closed loop of environment sensing, decision and adaptation.

The development of trace-hiding techniques poses serious challenges to traditional signature-based sandbox detection. Defenders need to build hardware-rooted trust verification mechanisms, develop dynamic analysis environments with deep-learning capabilities, and adopt threat-intelligence sharing platforms to keep evasion-technique signature databases current. At the same time, consistency checks between the behavior of physical devices and virtualized environments should be strengthened, improving the realism of environment emulation at the hardware micro-architecture level.

ID: T1497
Sub-techniques: T1497.001, T1497.002
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host forensic analysis, Signature-based detection, Static File Analysis
Contributors: Deloitte Threat Library Team; Sunny Neo
Version: 1.3
Created: 17 April 2019
Last Modified: 12 September 2024

Trace-hiding effects

Effect type                     Present
Signature disguise
Behavioral transparency
Data obscuring
Spatiotemporal trace dilution

Data obscuring

Through code obfuscation, such as dynamically adjusting the code structure according to the characteristics of the runtime environment, using encrypted commands, or using indirect calls and multi-level nesting, the true intent of malicious commands is concealed. Under this data-obscuring measure, security systems have difficulty interpreting the command content directly and cannot directly determine that the malware's probing of the virtualized or sandbox environment is malicious activity.

Spatiotemporal trace dilution

By dynamically detecting virtualized or sandbox environments and adjusting the malware's behavior to the conditions found, attackers can spread their activity out in time and space. Long delayed triggers and staged activation mechanisms dilute the attack's signature; for example, a delayed execution chain spreads malicious behavior over days or even weeks, so that a sandbox cannot capture the complete attack chain within its limited analysis window.

Procedure Examples

ID Name Description
S0331 Agent Tesla

Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks.[1]

S0534 Bazar

Bazar can attempt to overload sandbox analysis by sending 1550 calls to printf.[2]

S0268 Bisonal

Bisonal can check to determine if the compromised system is running on VMware.[3]

S1070 Black Basta

Black Basta can make a random number of calls to the kernel32.beep function to hinder log analysis.[4]

S1039 Bumblebee

Bumblebee has the ability to perform anti-virtualization checks.[5]

S0484 Carberp

Carberp has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software.[6]

S0023 CHOPSTICK

CHOPSTICK includes runtime checks to identify an analysis environment and prevent execution on it.[7]

S0046 CozyCar

Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit.[8]

G0012 Darkhotel

Darkhotel malware has employed just-in-time decryption of strings to evade sandbox detection.[9]

S0554 Egregor

Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes.[10][11]

S0666 Gelsemium

Gelsemium can use junk code to generate random activity to obscure malware behavior.[12]

S0499 Hancitor

Hancitor has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads.[13]

S0483 IcedID

IcedID has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic.[14]

S1020 Kevin

Kevin can sleep for a time interval between C2 communication attempts.[15]

S0455 Metamorfo

Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution.[16]

C0005 Operation Spalax

During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host.[17]

S0147 Pteranodon

Pteranodon has the ability to use anti-detection functions to identify sandbox environments.[18]

S1130 Raspberry Robin

Raspberry Robin contains real and fake second-stage payloads following initial execution, with the real payload only delivered if the malware determines it is not running in a virtualized environment.[19]

S0148 RTM

RTM can detect if it is running within a sandbox or other virtualized analysis environment.[20]

G1031 Saint Bear

Saint Bear contains several anti-analysis and anti-virtualization checks.[21]

S1030 Squirrelwaffle

Squirrelwaffle has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms.[22][23]

S0380 StoneDrill

StoneDrill has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes.[24]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.

DS0009 Process OS API Execution

Monitor for API calls that may employ various means to detect and avoid virtualization and analysis environments. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required.
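The following is an added example for the "OS API Execution" data component; it is not part of the ATT&CK page and not any vendor's detection logic. It scans a constructed API-call trace and flags two patterns the procedure examples and the "Spatiotemporal trace dilution" section describe: one API hammered in a tight loop (analysis flooding, compare the repeated printf and Beep calls above) and cumulative sleep requests long enough to outlast a sandbox's analysis window (time-based stalling). The trace format, the thresholds, the analysis budget and the set of sleep APIs are assumptions.

```python
# Added example (not from the ATT&CK page): a toy detector for the "OS API Execution"
# data component. It scans a constructed API-call trace and flags two patterns the
# procedure examples describe: one API hammered in a tight loop (analysis flooding,
# cf. the repeated printf and Beep calls above) and cumulative sleep requests long
# enough to outlast a sandbox's analysis window (time-based stalling).
# Trace format, thresholds, analysis budget and SLEEP_APIS are all assumptions.
from collections import defaultdict
from dataclasses import dataclass

FLOOD_THRESHOLD = 500          # calls to one API within FLOOD_WINDOW_MS (assumed)
FLOOD_WINDOW_MS = 5_000
ANALYSIS_BUDGET_MS = 120_000   # assumed sandbox run length: 2 minutes
SLEEP_APIS = {"Sleep", "SleepEx"}   # arg is the requested delay in milliseconds


@dataclass(frozen=True)
class ApiCall:
    ts_ms: int
    pid: int
    api: str
    arg: str


def parse_trace(text: str) -> list[ApiCall]:
    """Parse lines of the form '<ts_ms> <pid> <api> <arg>'; '#' lines are comments."""
    calls = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pid, api, arg = line.split(maxsplit=3)
        calls.append(ApiCall(int(ts), int(pid), api, arg))
    return calls


def detect_api_flooding(calls, threshold=FLOOD_THRESHOLD, window_ms=FLOOD_WINDOW_MS):
    """Return {(pid, api): peak_count} for APIs called >= threshold times inside one window."""
    stamps_by_key = defaultdict(list)
    for c in calls:
        stamps_by_key[(c.pid, c.api)].append(c.ts_ms)
    findings = {}
    for key, stamps in stamps_by_key.items():
        stamps.sort()
        left, peak = 0, 0
        for right, ts in enumerate(stamps):       # sliding window over sorted timestamps
            while ts - stamps[left] > window_ms:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            findings[key] = peak
    return findings


def detect_sleep_stalling(calls, budget_ms=ANALYSIS_BUDGET_MS):
    """Return {pid: total_requested_ms} for processes asking to sleep longer than the budget."""
    requested = defaultdict(int)
    for c in calls:
        if c.api in SLEEP_APIS and c.arg.isdigit():
            requested[c.pid] += int(c.arg)
    return {pid: ms for pid, ms in requested.items() if ms > budget_ms}


def analyze(text: str) -> dict:
    calls = parse_trace(text)
    return {"flooding": detect_api_flooding(calls),
            "stalling": detect_sleep_stalling(calls)}


def build_sample_trace() -> str:
    """Constructed sample trace (not real telemetry)."""
    lines = ["# ts_ms pid api arg"]
    # pid 4242: four 10-minute sleeps = 40 minutes requested, far beyond the budget
    lines.append("1000 4242 GetTickCount -")
    lines += [f"{1001 + i} 4242 Sleep 600000" for i in range(4)]
    lines.append("1010 4242 CreateFileW C:\\Users\\user\\Desktop\\notes.txt")
    # pid 5151: 1550 printf calls in a tight loop
    lines += [f"{2000 + i} 5151 printf hello" for i in range(1550)]
    # pid 6060: an ordinary process with a few short sleeps and one printf
    lines += [f"{3000 + i * 100} 6060 Sleep 50" for i in range(20)]
    lines.append("5000 6060 printf done")
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyze(build_sample_trace()))
```

Running the script reports pid 5151 for 1550 printf calls inside the window and pid 4242 for 2,400,000 ms of requested sleep, while pid 6060 (twenty 50 ms sleeps and a single printf) stays quiet. The sleep check sums requested delays rather than measuring elapsed time on purpose: a sandbox that skips or shortens sleeps still sees the request, which is the signal that matters.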

Process Creation

Virtualization, sandbox, user activity, and related discovery techniques will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
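As an added example for the "Process Creation" data component (not part of the ATT&CK page and not any product's rule), the script below reads constructed Sysmon-style process-creation events as JSON lines and flags a parent process that launches several distinct built-in discovery utilities within a short window, the burst pattern the note above recommends watching for. The event field names, the list of discovery utilities, and the thresholds are assumptions.

```python
# Added example (not from the ATT&CK page): a toy detector for the "Process Creation"
# data component. It reads constructed Sysmon-style process-creation events (JSON
# lines) and flags a parent process that launches several distinct built-in
# discovery utilities within a short window, the burst pattern described in the
# detection note above. Field names, tool list and thresholds are assumptions.
import json
from collections import defaultdict

DISCOVERY_IMAGES = {                # common built-in Windows discovery utilities (assumed list)
    "systeminfo.exe", "tasklist.exe", "wmic.exe", "reg.exe", "ipconfig.exe",
    "whoami.exe", "hostname.exe", "net.exe", "nltest.exe", "sc.exe",
}
DISTINCT_THRESHOLD = 4              # distinct discovery tools per parent (assumed)
BURST_WINDOW_MS = 60_000            # within one minute (assumed)

# Constructed sample events (not real telemetry): ts_ms, pid, ppid, image, parent_image, cmdline
SAMPLE_EVENTS = r"""
{"ts_ms": 100, "pid": 901, "ppid": 800, "image": "C:\\Windows\\System32\\systeminfo.exe", "parent_image": "C:\\Program Files\\Office\\WINWORD.EXE", "cmdline": "systeminfo"}
{"ts_ms": 1100, "pid": 902, "ppid": 800, "image": "C:\\Windows\\System32\\tasklist.exe", "parent_image": "C:\\Program Files\\Office\\WINWORD.EXE", "cmdline": "tasklist /v"}
{"ts_ms": 2300, "pid": 903, "ppid": 800, "image": "C:\\Windows\\System32\\wbem\\wmic.exe", "parent_image": "C:\\Program Files\\Office\\WINWORD.EXE", "cmdline": "wmic os get caption"}
{"ts_ms": 3900, "pid": 904, "ppid": 800, "image": "C:\\Windows\\System32\\whoami.exe", "parent_image": "C:\\Program Files\\Office\\WINWORD.EXE", "cmdline": "whoami"}
{"ts_ms": 5200, "pid": 905, "ppid": 800, "image": "C:\\Windows\\System32\\ipconfig.exe", "parent_image": "C:\\Program Files\\Office\\WINWORD.EXE", "cmdline": "ipconfig /all"}
{"ts_ms": 500, "pid": 2001, "ppid": 2000, "image": "C:\\Windows\\System32\\notepad.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "notepad.exe"}
{"ts_ms": 50000, "pid": 2002, "ppid": 2000, "image": "C:\\Windows\\System32\\ipconfig.exe", "parent_image": "C:\\Windows\\explorer.exe", "cmdline": "ipconfig"}
{"ts_ms": 100000, "pid": 3001, "ppid": 3000, "image": "C:\\Windows\\System32\\whoami.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "whoami"}
{"ts_ms": 400000, "pid": 3002, "ppid": 3000, "image": "C:\\Windows\\System32\\hostname.exe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "hostname"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text: str) -> list[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_discovery_bursts(events, threshold=DISTINCT_THRESHOLD, window_ms=BURST_WINDOW_MS):
    """Return one finding per parent that ran >= threshold distinct discovery tools in a window."""
    per_parent = defaultdict(list)
    for e in events:
        name = basename(e["image"])
        if name in DISCOVERY_IMAGES:
            per_parent[e["ppid"]].append((e["ts_ms"], name, basename(e["parent_image"])))
    findings = []
    for ppid, items in per_parent.items():
        items.sort()
        for i, (start, _, parent) in enumerate(items):
            # distinct tools launched within window_ms of this child
            in_window = {n for ts, n, _ in items[i:] if ts - start <= window_ms}
            if len(in_window) >= threshold:
                findings.append({"ppid": ppid, "parent_image": parent,
                                 "tools": sorted(in_window), "start_ts_ms": start})
                break                       # one alert per parent is enough
    return findings


def analyze(text: str) -> list[dict]:
    return detect_discovery_bursts(parse_events(text))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On the sample, only the WINWORD.EXE parent (ppid 800) is reported: five distinct discovery tools in about five seconds. The explorer.exe parent runs a single ipconfig and the cmd.exe parent spreads two tools over five minutes, so neither crosses the threshold. Keying on distinct tools rather than raw process counts keeps a legitimate script that calls one utility repeatedly from alerting; the parent image in the finding is what lets an analyst decide whether the chain is plausible for that parent.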

References

  1. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  2. Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024.
  3. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  4. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  5. Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  6. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  7. So, C. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  8. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  9. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  10. Kumar, A., Stone-Gross, B. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  11. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  12. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.