<\/p>\n\n\n\n
How, then, can you improve the security of your organization without giving your cyber defense a complete overhaul?
<\/p>\n\n\n\n
One way is to check suspicious files and links with a malware sandbox.<\/p>\n\n\n\n
What is a malware sandbox?<\/h2>\n\n\n\n
You may already be using antivirus and thinking you\u2019re fully protected. However, AV software is just one layer of a robust cybersecurity system.
<\/p>\n\n\n\n
- Antiviruses <\/strong>are <\/strong>reactive systems. They rely on the ability to detect known malicious behavior and kill dangerous applications or processes before they can do harm. Since they can\u2019t react to threats they don\u2019t recognize, they are inherently imprecise.<\/li><\/ul>\n\n\n\n
- Malware<\/strong> sandboxes<\/strong> provide a safe environment to detonate malware, collect data, and decide if a file or a link can be trusted. By isolating a sample in a virtual machine, they allow potential malware to rampage through a confined system, leaving behind indicators of compromise.<\/li><\/ul>\n\n\n\n
These tools are best used in conjunction, and neither is completely bulletproof on its own.
<\/p>\n\n\n\nThat said, sandboxes have a clear advantage in detecting threats<\/a>, especially when malware execution is conditional. Here\u2019s why:
<\/p>\n\n\n\n- Sandboxes are configurable. <\/strong>Analysts can detect evasive malware by changing locale settings. This helps identify samples that target particular regions<\/a> by, for example, setting a system language.<\/li><\/ol>\n\n\n\n
- Sandboxes are interactive.<\/strong> Some malware begins executing only after specific system or user events. In an interactive<\/a> sandbox, analysts can click on files, run programs, type, or reboot the system. <\/li><\/ol>\n\n\n\n
- Sandboxes are great at presenting in-depth data.<\/strong> Researchers can use sandboxes to detect malware<\/a> like Advanced Persistent Threats by looking at the execution events in-depth and studying them through the whole lifecycle of the sample.<\/li><\/ol>\n\n\n\n
Let’s look at how this tool helps detect malicious files and links using ANY.RUN malware sandbox<\/a> as an example.
<\/p>\n\n\n\n1. Check malicious links and files on the fly<\/strong><\/h3>\n\n\n\n
By checking suspicious files and links in ANY.RUN, you can clear them in real-time.
<\/p>\n\n\n\nIn the task with a cross-site scripting attack<\/a>, hackers created a fake OneDrive login page. If you follow the link carelessly and input your credentials, it steals your email and password before redirecting you to a legitimate Microsoft resource.
<\/p>\n\n\n\nANY.RUN can detect this malicious activity by intercepting transmitted packets and analyzing their contents. The service gives a clear warning \u2014 this fake webpage is sending your confidential info to somewhere no-good.<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
2. Analyze the data stream of malicious files and links<\/strong><\/h3>\n\n\n\n
It is not uncommon for malware to transmit stolen data in plain text. A .txt file is created, filled with whatever the stealer could pinch, and sent to a server hosted by the attacker.
<\/p>\n\n\n\nIn the network stream example<\/a>, we can see how Mass Logger does exactly this, forwarding stolen logins and passwords. ANY.RUN can spot and flag such activity.
<\/p>\n\n\n\nJust copy and paste the domain name, login, and password to monitor the information stream from the afflicted machine.
<\/p>\n\n\n\n<\/figure><\/div>\n\n\n\n
3. Change locale to detect malware<\/strong><\/h3>\n\n\n\n
There is malware that only executes in systems with a specific set language, timezone, or keyboard layout.
<\/p>\n\n\n\nFor instance, in the Raccoon Stealer task<\/a> stopped executing if you picked the Belarus locale (be-BY).
<\/p>\n\n\n\nWe can force the sample to run by restarting the task and setting the locale to the United States (en-US). Right away, we can see indicators of compromise beginning to build up in the list: the sample connects to the control server and ANY.RUN quickly flags it as Raccoon malware<\/a>.
<\/p>\n\n\n\nChanging locale was the difference between spotting a dangerous program or letting it slip through and lead to a potential data breach.<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
4. Force malware to run with a system reboot<\/strong><\/h3>\n\n\n\n
Some malware samples are dormant until a reboot. ANY.RUN allows analysts to restart the OS, helping to find such variants.
<\/p>\n\n\n\nAfter giving it the old \u201cturning it off and on again,” the malware is put into an active state, and analysts can monitor its behavior.
<\/p>\n\n\n\nIn this Nanocore example, the sample stops running quickly after adding itself to the startup folder. This is enough to hide from most antivirus products, and a lot of malware families use this tactic.
<\/p>\n\n\n\nParticularly, after adding the y6s2gl.exe process to a startup folder, no new processes are created. With a system reboot, we can force the malware to resume execution and identify it as Nanocore<\/a>.<\/p>\n\n\n\n
<\/figure><\/div>\n\n\n\n
5. Access the analysis results instantaneously<\/strong><\/h3>\n\n\n\n
In the event of a breach, every second matters. Waiting even a minute for a report to form can mean the difference between staying safe or dealing with the destructive consequences of an infection.
<\/p>\n\n\n\n
- Sandboxes are great at presenting in-depth data.<\/strong> Researchers can use sandboxes to detect malware<\/a> like Advanced Persistent Threats by looking at the execution events in-depth and studying them through the whole lifecycle of the sample.<\/li><\/ol>\n\n\n\n
- Sandboxes are interactive.<\/strong> Some malware begins executing only after specific system or user events. In an interactive<\/a> sandbox, analysts can click on files, run programs, type, or reboot the system. <\/li><\/ol>\n\n\n\n
- Sandboxes are configurable. <\/strong>Analysts can detect evasive malware by changing locale settings. This helps identify samples that target particular regions<\/a> by, for example, setting a system language.<\/li><\/ol>\n\n\n\n
- Malware<\/strong> sandboxes<\/strong> provide a safe environment to detonate malware, collect data, and decide if a file or a link can be trusted. By isolating a sample in a virtual machine, they allow potential malware to rampage through a confined system, leaving behind indicators of compromise.<\/li><\/ul>\n\n\n\n
![\"fast](\"https:\/\/lh6.googleusercontent.com\/e45630cCgHuvuo-g4v-HM4fM2-SRNwN-4wuKpGYzaEWb_ozA82udMeIjo6iG5E16wvy7j6qziHlVS1HCEIIcG7bymffoGF8uWsJLlgeuuwrHvCa9f5qeF_wGIVr9biN4sHRzSH86-7PEw_3Ce4aF_d1-rXtTl8qG1zOShKMsC8DMWxhPvmHtIl954NnYPA\")
<\/figure><\/div>\n\n\n\n