Attackers are a lot better at breaching systems than most organizations are at detecting them. This is not a speculative remark.
A study of cybersecurity in the government and private sectors found that over 90% of the networks examined had vulnerabilities that could lead to a breach.
Getting infected is easy. Sometimes all it takes is carelessly opening a CV.
For example, in October 2021, researchers found a backdoor trojan that slipped past 56 security products. The sample, designed to be invisible to endpoint detection and antivirus software, targeted HR departments and dropped its payload from a resume file titled “Roshan-Bandara-CV.” (If your own HR team encounters this gentleman’s inquiry, do proceed with caution.)
How, then, can you improve the security of your organization without giving your cyber defense a complete overhaul?
One way is to check suspicious files and links with a malware sandbox.
What is a malware sandbox?
You may already be using antivirus software and think you are fully protected. However, AV is just one layer of a robust security setup.
- Antivirus software is largely reactive. It relies on recognizing known malicious signatures or behavior and killing dangerous applications or processes before they do harm. Since it cannot react to threats it does not recognize, it is inherently incomplete.
- A malware sandbox provides a safe environment to detonate a sample, collect data, and decide whether a file or link can be trusted. By isolating the sample in a virtual machine, it lets potential malware run its course in a confined system, leaving behind indicators of compromise: processes, files, registry changes, and network traffic.
These tools are best used in conjunction, and neither is completely bulletproof on its own.
That said, sandboxes have a clear advantage in detecting threats whose execution is conditional. Here is why:
- Sandboxes are configurable. Some malware checks the system language, time zone, or keyboard layout and refuses to run on machines in certain regions; an analyst can change the locale settings to trigger a sample that targets a particular region.
- Sandboxes are interactive. Some malware begins executing only after a specific system or user event. In an interactive sandbox, analysts can click files, run programs, type, or reboot the system to provoke it.
- Sandboxes present in-depth data. Researchers can detect the tooling used by advanced persistent threat (APT) groups by studying execution events across the entire lifecycle of a sample.
Let’s look at how this tool helps detect malicious files and links using ANY.RUN malware sandbox as an example.
1. Check malicious links and files on the fly
By checking suspicious files and links in ANY.RUN, you get a verdict on them in real time.
In this credential-phishing task, attackers created a fake OneDrive login page. Follow the link carelessly and enter your credentials, and the page steals your email address and password before redirecting you to a legitimate Microsoft resource, so nothing looks amiss.
ANY.RUN detects this activity by capturing the transmitted packets and analyzing their contents. The service gives a clear warning: the fake web page is sending your confidential information to a server that is not Microsoft's.
2. Analyze the data stream of malicious files and links
It is not uncommon for malware to transmit stolen data in plain text. A .txt file is created, filled with whatever the stealer could pinch, and sent to a server controlled by the attacker.
In the network stream view, we can see Mass Logger doing exactly this, forwarding stolen logins and passwords. ANY.RUN spots and flags such activity.
The attacker's domain name and the harvested login and password are all readable in the stream and can be copied straight out of it, which gives you both the indicators to block and the credentials that need resetting.
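Both use cases above come down to the same question: is a POST leaving the guest with credentials in it, and where is it going? The following is an added example, not ANY.RUN's code or output, that applies that check to captured HTTP exchanges. Use case 1 is the form-based pattern (a password field posted to a host that is not Microsoft's, followed by a redirect back to a genuine Microsoft page); use case 2 is the plain-text dump pattern. The exchanges, hostnames (reserved `.example` names) and credentials are constructed for illustration, and the list of legitimate login hosts is an assumption kept short for the example.

```python
# Added example (not ANY.RUN's own code or output): scanning captured HTTP
# exchanges for the two credential-theft patterns described above. The
# exchanges, hosts and credentials below are constructed for illustration.
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Hosts a genuine Microsoft login talks to. A password posted anywhere else
# is suspect. (Assumption: short list, enough for the example.)
LEGIT_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
PASSWORD_FIELDS = {"password", "passwd", "pwd", "pass"}
# Plain-text dumps from stealers tend to be "Key: value" lines.
CRED_LINE = re.compile(
    r"^\s*(login|user(?:name)?|pass(?:word)?)\s*[:=]\s*(.+)$",
    re.IGNORECASE | re.MULTILINE)


@dataclass
class HttpExchange:
    method: str
    url: str
    headers: dict
    body: str
    status: int
    resp_headers: dict = field(default_factory=dict)


@dataclass
class Finding:
    kind: str      # "phishing_post" or "plaintext_exfil"
    host: str      # where the data went
    leaked: dict   # what was observed leaving the machine


def _is_microsoft(host: str) -> bool:
    return host in LEGIT_LOGIN_HOSTS or host.endswith(".microsoft.com")


def analyse(exchanges):
    """Return a Finding for every POST that carries credentials off-host."""
    findings = []
    for ex in exchanges:
        if ex.method != "POST":
            continue
        host = urlparse(ex.url).hostname or ""
        ctype = ex.headers.get("Content-Type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            # Pattern 1 (use case 1): a login form with a password field
            # submitted to a host that is not Microsoft's, then a redirect
            # back to a real Microsoft page so the victim notices nothing.
            form = {k.lower(): v[0] for k, v in parse_qs(ex.body).items()}
            leaked_fields = sorted(PASSWORD_FIELDS.intersection(form))
            if leaked_fields and not _is_microsoft(host):
                redirect = urlparse(ex.resp_headers.get("Location", "")).hostname or ""
                findings.append(Finding("phishing_post", host, {
                    "fields": leaked_fields,
                    "redirects_to": redirect,
                    "redirect_is_microsoft": _is_microsoft(redirect),
                }))
        else:
            # Pattern 2 (use case 2): a plain-text body with login/password
            # lines, as a stealer would send from its .txt dump.
            pairs = {m.group(1).lower(): m.group(2).strip()
                     for m in CRED_LINE.finditer(ex.body)}
            if any(k.startswith("pass") for k in pairs):
                findings.append(Finding("plaintext_exfil", host, pairs))
    return findings


# Constructed captures; hostnames use the reserved .example TLD.
PHISHING_CAPTURE = [
    HttpExchange("GET", "https://onedrive-share-docs.example/login.php", {}, "", 200),
    HttpExchange("POST", "https://onedrive-share-docs.example/post.php",
                 {"Content-Type": "application/x-www-form-urlencoded"},
                 "email=victim%40corp.example&password=Winter2021%21", 302,
                 {"Location": "https://www.microsoft.com/en-us/microsoft-365/onedrive"}),
]
STEALER_CAPTURE = [
    HttpExchange("POST", "http://c2-panel.example/upload.php",
                 {"Content-Type": "text/plain"},
                 "Browser: Chrome\nURL: https://mail.corp.example\n"
                 "User: victim\nPass: Winter2021!\n", 200),
]

if __name__ == "__main__":
    for f in analyse(PHISHING_CAPTURE) + analyse(STEALER_CAPTURE):
        print(f"{f.kind}: data sent to {f.host} -> {f.leaked}")
```

The phishing finding records where the victim was bounced afterwards; a redirect to a real Microsoft page right after a password went to a look-alike host is the tell described in use case 1. A POST of the same form to `login.microsoftonline.com` produces no finding, which is the false-positive case worth checking before wiring such logic into an alert.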
3. Change locale to detect malware
Some malware executes only on systems with a specific language, time zone, or keyboard layout.
For instance, in the Raccoon Stealer task, the sample stopped executing when the sandbox locale was set to Belarus (be-BY).
We can force the sample to run by restarting the task with the locale set to United States (en-US). Right away, indicators of compromise begin to build up in the list: the sample connects to its command-and-control server and ANY.RUN quickly flags it as Raccoon.
Changing the locale was the difference between spotting a dangerous program and letting it slip through toward a potential data breach.
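To see why be-BY stops the sample and en-US does not, it helps to know what such a locale gate compares. Windows identifies locales by LCID: the low 10 bits are the primary language, the upper bits the sub-language (region), so a gate that masks off the region treats be-BY, ru-RU and ru-MD alike and lets en-US and en-GB through alike. The block below is an added example written for this article, not code from ANY.RUN or from the Raccoon sample; the `LANG_*` constants and LCIDs are the documented Windows values, while the set of avoided languages and the helper names are illustrative assumptions.

```python
# Added example, not code from ANY.RUN or from the Raccoon sample: a locale
# gate of the kind described above, written out so it is clear why be-BY
# stops the sample and en-US does not. Constants are the documented winnt.h
# values; the avoided-language set and helper names are illustrative.
LANG_ENGLISH, LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK = (
    0x09, 0x19, 0x22, 0x23, 0x3F)

# Primary languages the hypothetical sample refuses to run under.
AVOIDED_LANGS = {LANG_RUSSIAN, LANG_UKRAINIAN, LANG_BELARUSIAN, LANG_KAZAK}


def primary_lang_id(lang_id: int) -> int:
    """PRIMARYLANGID(): strip the region bits, keep the language."""
    return lang_id & 0x3FF


def locale_gate(ui_lang_id: int, keyboard_hkls) -> bool:
    """True if a sample with this gate would go on to run.

    Mirrors the usual pattern: check the UI language (what
    GetUserDefaultUILanguage returns) and every installed keyboard layout
    (GetKeyboardLayoutList); the low word of a layout handle (HKL) is the
    layout's language ID. One avoided language anywhere and the sample exits.
    """
    if primary_lang_id(ui_lang_id) in AVOIDED_LANGS:
        return False
    for hkl in keyboard_hkls:
        if primary_lang_id(hkl & 0xFFFF) in AVOIDED_LANGS:
            return False
    return True


# Sandbox locale choices and their LCIDs (documented Windows values).
LOCALES = {"be-BY": 0x0423, "ru-RU": 0x0419, "uk-UA": 0x0422,
           "en-US": 0x0409, "en-GB": 0x0809, "de-DE": 0x0407}


def layout_handle(lcid: int) -> int:
    """A typical HKL for a locale: device word in the high half, language
    word in the low half (assumption: one layout matching the UI language)."""
    return (lcid << 16) | lcid


def locales_that_run(candidates: dict) -> list:
    """Which sandbox locales would let the sample proceed."""
    return [name for name, lcid in candidates.items()
            if locale_gate(lcid, [layout_handle(lcid)])]


if __name__ == "__main__":
    print("runs under:", locales_that_run(LOCALES))
    # en-US UI with a Russian keyboard layout added: the gate still trips.
    print("en-US + ru layout:", locale_gate(0x0409, [0x04090409, 0x04190419]))
```

Two practical consequences follow. The check ignores the region bits, so en-GB (0x0809) passes just like en-US (0x0409); and the keyboard-layout pass means an en-US guest with a Russian layout installed is treated as a CIS machine, which is worth remembering when a sample stays silent on a VM whose UI language looks fine.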
4. Force malware to run with a system reboot
Some malware samples stay dormant until a reboot. ANY.RUN lets analysts restart the guest OS, which helps find such variants.
After "turning it off and on again," the malware enters an active state and analysts can monitor its behavior.
In this Nanocore example, the sample stops running shortly after adding itself to the startup folder. That is enough to hide from many antivirus products, and a lot of malware families use this tactic.
Specifically, after the sample places y6s2gl.exe in the startup folder, no new processes are created. A system reboot forces the malware to resume execution, and it is identified as Nanocore.
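The behavior just described, a write into an autostart location followed by the process exiting without spawning anything, is a pattern an analyst can look for in the event trace to decide that a reboot is worth trying and which image to watch for afterwards. The block below is an added example, not ANY.RUN's code: it runs that check over a constructed process and file event trace. Apart from y6s2gl.exe, which the article mentions, the process names, paths and timings are illustrative.

```python
# Added example (not ANY.RUN's code): spotting the "persist, then go quiet"
# pattern described above in a process/file event trace, so the analyst knows
# a reboot is worth trying and which image to watch for afterwards. The trace
# is constructed; apart from y6s2gl.exe, which the article mentions, the names
# and paths are illustrative.
import ntpath
import re
from dataclasses import dataclass

# Autostart locations a sample can use to survive a reboot.
STARTUP_FOLDER = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
RUN_KEY = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)


@dataclass
class Event:
    t: float       # seconds since detonation
    pid: int
    kind: str      # proc_start | proc_exit | file_write | reg_set
    detail: str    # image, file or registry value path
    ppid: int = 0  # parent pid, meaningful for proc_start only


def persistence_writes(events):
    """Every write into an autostart location: (pid, mechanism, path, time)."""
    hits = []
    for e in events:
        if e.kind == "file_write" and STARTUP_FOLDER.search(e.detail):
            hits.append((e.pid, "startup_folder", e.detail, e.t))
        elif e.kind == "reg_set" and RUN_KEY.search(e.detail):
            hits.append((e.pid, "run_key", e.detail, e.t))
    return hits


def dormant_after_persist(events, quiet_window=30.0):
    """Processes that install persistence and then exit within quiet_window
    seconds without spawning a child. That is the cue to reboot the guest."""
    flagged = []
    for pid, mechanism, path, t0 in persistence_writes(events):
        window = [e for e in events if t0 < e.t <= t0 + quiet_window]
        spawned = any(e.kind == "proc_start" and e.ppid == pid for e in window)
        exited = any(e.kind == "proc_exit" and e.pid == pid for e in window)
        if exited and not spawned:
            flagged.append({"pid": pid, "via": mechanism, "path": path})
    return flagged


def images_to_watch(events):
    """Image names to expect in the process tree after the reboot. Only
    Startup-folder drops name the image directly; for a Run key you would
    need the value's data, which this trace does not carry."""
    return [ntpath.basename(path)
            for _, mechanism, path, _ in persistence_writes(events)
            if mechanism == "startup_folder"]


# Constructed trace: the sample drops a copy into the Startup folder, exits
# two seconds after starting, and nothing else of its own appears.
DORMANT_TRACE = [
    Event(0.0, 1200, "proc_start", r"C:\Users\admin\Desktop\invoice.exe"),
    Event(1.4, 1200, "file_write",
          r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\y6s2gl.exe"),
    Event(1.9, 1200, "proc_exit", r"C:\Users\admin\Desktop\invoice.exe"),
    Event(40.0, 3100, "proc_start", r"C:\Windows\System32\svchost.exe"),  # unrelated
]

# Contrast: a sample that persists via a Run key and keeps working in a child,
# so no reboot is needed to see its behavior.
ACTIVE_TRACE = [
    Event(0.0, 1300, "proc_start", r"C:\Users\admin\Downloads\setup.exe"),
    Event(0.8, 1300, "reg_set",
          r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(1.2, 1301, "proc_start", r"C:\Users\admin\AppData\Roaming\updater.exe", ppid=1300),
    Event(1.5, 1300, "proc_exit", r"C:\Users\admin\Downloads\setup.exe"),
]

if __name__ == "__main__":
    print("reboot candidates:", dormant_after_persist(DORMANT_TRACE))
    print("watch for after reboot:", images_to_watch(DORMANT_TRACE))
    print("active sample flagged:", dormant_after_persist(ACTIVE_TRACE))
```

The quiet window is deliberately short: the point is not to prove the sample is dead but to notice early that the process tree has gone flat right after a persistence write, which is exactly when the reboot in this use case pays off.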
5. Access the analysis results instantaneously
In the event of a breach, every second matters. Waiting even a minute for a report can be the difference between containing an infection and dealing with its consequences.
In this Agent Tesla task, ANY.RUN pinpoints the malware family within 10 seconds.
The virtual machine loads immediately and gives hands-on control over the analysis. We can track execution events as they appear and collect indicators of compromise as they are recorded.
With these five use cases, you can detect a wide range of malicious programs and dramatically reduce the risk of exposing your systems to malware.
ANY.RUN sandbox is completely free to use, requiring only your business email to create an account. The free version’s functionality supports all use cases we’ve covered in this article.
Most importantly, remember that it’s a dangerous online world out there. Stay vigilant and check suspicious files and links. And don’t bury your head in the sand. Use a sandbox instead.