New research by Outpost24 has revealed that malware developers are using sandbox evasion techniques to avoid exposing malicious behaviour inside a sandbox, where malware is analysed by security researchers. Outpost24’s threat intelligence team, KrakenLabs, discovered that malware developers are using trigonometry on cursor positions to detect human behaviour and so avoid automated security analysis.
The Malware-as-a-Service (MaaS) model poses a significant threat in the realm of cybersecurity. This model allows individuals or groups with limited technical expertise to access and deploy sophisticated malware tools and services, often developed by more skilled cybercriminals. The ease of access to such malicious tools has contributed to an increase in the number and complexity of cyberattacks.
Anti-analysis techniques have been the bane of many security analysts, as they have been included in malware practically since its inception. As the name implies, these techniques are designed to prevent the analysis and understanding of the software they are meant to protect, typically by making the “code” harder to understand or by preventing the execution of the malware in controlled environments. As in every other aspect of cybersecurity, malware developers have been playing a game of cat and mouse with security analysts, developing new techniques to detect these environments while security analysts work on techniques to disable or undo them.
Since December 2022, LummaC2, an information stealer written in the C language, has been sold in underground forums. KrakenLabs previously published an in-depth analysis of the malware assessing LummaC2’s primary workflow, its different obfuscation techniques, and how to overcome them to analyse the malware effectively. The malware has since gone through different updates and is currently on version 4.0. Among other updates, version 4.0 includes a new anti-sandbox technique that delays detonation of the sample until human mouse activity is detected.
In the blog post, published today, the KrakenLabs team dives deep, with highly technical insight, into the packer, as well as the Control Flow Flattening technique. Control Flow Flattening is an obfuscation technique aimed at breaking the original flow of the program and complicating its analysis. Additionally, it makes use of opaque predicates and dead code to complicate analysis and make identification of relevant blocks more difficult.
LummaC2 v4.0 makes use of a novel anti-sandbox technique that forces the malware to wait until “human” behaviour is detected in the infected machine. This technique takes into consideration different positions of the cursor in a short interval to detect human activity, effectively preventing detonation in most analysis systems that do not emulate mouse movements realistically.
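The article only states that the check samples the cursor over a short interval and applies trigonometry; the following sandbox-QA harness is an added example, not Outpost24/KrakenLabs code, and it assumes a plausible form of such a heuristic (five samples, movement required between samples, and a 45-degree cap on the change of direction between consecutive displacement vectors) so that an analysis-environment operator can check whether their mouse emulation would be treated as “human”. The sample count, interval, threshold and the `emulate_human_trace` generator are all assumptions for illustration.

```python
"""Sandbox QA harness for a cursor-based "human activity" heuristic.

Added example (not Outpost24/KrakenLabs code). It scores a short series of
cursor samples the way an anti-sandbox check of the kind described in the
article might, so an analysis-environment operator can test whether their
mouse emulation looks human. The malware's real sample count, interval and
angle threshold are not given in the article; the values below are assumed.
"""
import math
from typing import List, Tuple

Point = Tuple[int, int]

SAMPLE_COUNT = 5          # assumed number of cursor positions captured
MAX_TURN_DEGREES = 45.0   # assumed largest plausible change of direction between samples


def displacement_vectors(samples: List[Point]) -> List[Tuple[int, int]]:
    """Movement between each pair of consecutive cursor samples."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(samples, samples[1:])]


def turn_angle_degrees(v1: Tuple[int, int], v2: Tuple[int, int]) -> float:
    """Angle between two displacement vectors, via the dot-product formula."""
    n1 = math.hypot(*v1)
    n2 = math.hypot(*v2)
    if n1 == 0 or n2 == 0:
        return 180.0  # a zero-length step has no direction; treat as worst case
    cos_theta = (v1[0] * v2[0] + v1[1] * v2[1]) / (n1 * n2)
    cos_theta = max(-1.0, min(1.0, cos_theta))  # guard acos against rounding error
    return math.degrees(math.acos(cos_theta))


def looks_human(samples: List[Point]) -> Tuple[bool, str]:
    """Apply the assumed heuristic and explain the verdict."""
    if len(samples) < 3:
        return False, "too few samples to measure a change of direction"
    vectors = displacement_vectors(samples)
    if any(v == (0, 0) for v in vectors):
        return False, "cursor did not move between samples (idle environment)"
    for a, b in zip(vectors, vectors[1:]):
        angle = turn_angle_degrees(a, b)
        if angle > MAX_TURN_DEGREES:
            return False, f"turn of {angle:.0f} degrees is too sharp for hand movement"
    return True, "smooth, continuous movement"


def emulate_human_trace(start: Point, end: Point, steps: int = SAMPLE_COUNT) -> List[Point]:
    """Gently curved cursor path (quadratic Bezier) for a sandbox's mouse emulator.

    A straight line also passes the assumed heuristic, but a curve is closer
    to real hand motion and leaves headroom for stricter checks.
    """
    (x0, y0), (x2, y2) = start, end
    dx, dy = x2 - x0, y2 - y0
    # Control point pushed off the midpoint, perpendicular to the travel direction.
    cx, cy = (x0 + x2) / 2 - dy * 0.25, (y0 + y2) / 2 + dx * 0.25
    points = []
    for i in range(steps):
        t = i / (steps - 1)
        bx = (1 - t) ** 2 * x0 + 2 * (1 - t) * t * cx + t ** 2 * x2
        by = (1 - t) ** 2 * y0 + 2 * (1 - t) * t * cy + t ** 2 * y2
        points.append((round(bx), round(by)))  # cursor coordinates are integer pixels
    return points


# Constructed traces (not captured data) representing typical analysis environments.
IDLE_SANDBOX = [(400, 300)] * SAMPLE_COUNT
TELEPORTING_EMULATOR = [(400, 300), (700, 100), (200, 500), (650, 450), (100, 50)]
STRAIGHT_LINE_EMULATOR = [(100 + 50 * i, 100) for i in range(SAMPLE_COUNT)]
CURVED_EMULATOR = emulate_human_trace((100, 100), (500, 300))

if __name__ == "__main__":
    for name, trace in [("idle sandbox", IDLE_SANDBOX),
                        ("teleporting emulator", TELEPORTING_EMULATOR),
                        ("straight-line emulator", STRAIGHT_LINE_EMULATOR),
                        ("curved emulator", CURVED_EMULATOR)]:
        verdict, reason = looks_human(trace)
        print(f"{name:24s} human={verdict!s:5s} {reason}")
```

The idle and teleporting traces are the two ways a sandbox typically fails such a check: no cursor movement at all, or random jumps with no continuity. Both the straight-line and the curved emulation pass the assumed heuristic; an operator who wants confidence against variations of the check should prefer the curved path and verify every emulation change against this kind of harness rather than against a single malware sample.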
The threat researchers also found that advertisements in underground forums recommend protecting the malware with a crypter to avoid leaking it anywhere in its pure form. Newer versions of the malware add a new feature to avoid leaking the unpacked samples.
To protect against threats similar to these, advanced threat detection, alongside user education and regular software updates, is key. Earlier this month, Outpost24 announced updates to its CORE platform, with complete visibility of technology assets and threat exposure.