HomeService Updates
Hide Traces of Sandbox Usage from Your Traffic with Residential Proxy 
HomeService Updates
Hide Traces of Sandbox Usage from Your Traffic with Residential Proxy 

In ANY.RUN, we have proprietary mechanisms in place to keep malware from realizing it’s in a sandbox. We’re rolling out another feature to mask sandbox activity — Residential proxy (RP). Now, you’ll be able to allocate a home users’ IP address to your VMs, effectively erasing any traces that can hint at a sandbox environment from your network traffic. 

Here’s what it means in practice: 

  • Understand malware behavior better: because malware won’t detect sandbox or data center’s IP, it willbehave normally, allowing for accurate analysis. 
  • Bypass geo-restrictions: emulate local users to analyze region-specific threats. 
  • Investigate C2 traffic without giving yourself away: your connection will mimic an infected user.  

Residential proxy’s greatest power is in analysis of geo-targeted attacks — especially when dealing with phishing. In some phishing campaigns, users are rerouted to different pages based on their geographic location. And some attacks analyze if the traffic is coming from a hosting to detect sandboxes. But with our new feature, you can effectively sidestep these detection attempts. 

Here’s how it all works in practice. 

Avoid anti-analysis techniques 

In our initial analysis of this Xworm sample, we ran into a challenge. The sample is designed to detect traffic from a host and stops executing if it detects a sandbox environment. It sends a request to ip-api[.]com, checking for the ‘hosting’ parameter. If the returned response is ‘true’, execution is aborted. 

Here’s how the network stream looks like without Residential proxy: 

Network stream without Residential proxy

Typically, malware employs this strategy to evade sandboxes, assuming that regular user traffic wouldn’t originate from a hosting service. 

We can evade detection by activating the Residential proxy and re-running the task:  

Activating the Residential proxy in ANY.RUN

To do so, simply check the Residential proxy checkbox during your environment configuration. Then, choose the geolocation of your IP. 

This time around, ip-api[.]com responds with a ‘false’ when queried if the traffic originates from a hosting site. As a result, the sample executes fully. This evasion worked because the Residential proxy masked the hosting origin of the traffic. 

Analyze geo-targeting phishing websites more accurately 

Now, you can also use the Residential proxy to analyze geo-targeted phishing campaigns faster and better. Some phishing websites target users from a particular country, verifying their origin before displaying the page. If the users — or analysts — aren’t from the target country, they’re left staring at a blank screen.  

Here’s an example of a suspicious website suspicious that targets users from Italy. Noticing that its domain name was registered 2 weeks ago at the time of analysis, we decided to investigate further. But first, we analyzed it without selecting a proxy. 

Sample analysis without selecting a proxy. 

Predictably, the webpage hasn’t loaded. But we can fix this by setting the proxy to Italy and re-launching the task. Here’s the same website with proxy set to Italy

Sample analysis with proxy set to Italy

That’s better!  

That’s how the Residential proxy improves our ability to analyze malicious and potentially harmful samples and websites. It gives analysts the tools they need to extract maximum information from each analysis. 

Apply for 14 days free trial of ANY.RUN to test this feature. 

What do you think about this post?

2 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.