Malware detects multiple sandboxes, exits in 20 seconds

Feb 9, 2015 20:57 GMT

Cybercriminals adept at social engineering take aim at corporate users luring them with fake emails purporting to be from Microsoft Volume Licensing Service Center and informing the recipient that they received administration permissions for handling volume licenses.

The message mimics the legitimate one from Microsoft and even includes a personalized salutation, which is generally a mark of trust, since cybercriminals are less likely to have this information about the client.

Furthermore, the email address of the potential victim is available in the URL string, adding to its credibility.

Crooks are expert at social engineering tactics

The URL is in fact a hyperlink and hovering the mouse over it reveals its real destination, which leads to a compromised WordPress server. A total of four domains have been used for hosting the malicious file, security researchers at Cisco observed.

To quash suspicions of malicious activity, the hackers added real Microsoft Volume Licensing Service Center pages at the compromised locations, serving them to the potential victim together with the malicious download.

Martin Nystrom, senior manager at Cisco’s Threat Defense, points out in a blog post published on Monday that the origin of the download gives away the scam, but most users would not notice this since the most visible elements appear to be legitimate.

The cybercriminals not only have honed social engineering skills but also appear to be good at coding malware. Antivirus detection at the time of the analysis was low, with Nystrom saying that only nine of 57 products identified it as a threat.

Zscaler researchers named it Chanitor. In January it was seen delivering the Vawtrak banking Trojan, but it can also be employed to funnel in other types of malware.

When trying to analyze the threat in an isolated environment, security researchers hit a brick wall as the malicious file would exit a short while after being launched.

A total of four sandboxes were used and in all cases Chanitor would terminate its activity as a result of detecting analysis attempts. “The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything,” Nystrom says.

Real machine shows the complexity of Chanitor

Given these circumstances, the investigation was carried out on a live machine. It seems that, apart from identifying virtual environments, the malware author included other evasion tactics as well.

One of them consists of Chanitor sitting still for a 30-minute period before starting the unpacking and decoding process. Once this finishes, a process called “winlogin.exe” is run, which calls sleep a large number of times so that it can outlast the automatic sandbox analysis of a security product before establishing communication with the command and control (C&C) servers.

Chanitor's bag of tricks is not empty yet: the malware copies itself under a different file name only to return to its original name, a tactic that, according to security researchers, can cause some sandbox systems to fail.

Given the level of complexity Chanitor has demonstrated, it comes as no surprise that the C&C servers are located in the Tor anonymity network. The Tor2Web proxy service is used to reach them directly from a standard web browser, without the infected machine having to join the Tor network itself.
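The behaviours described above (a long initial sleep, a sleep loop meant to outlast a sandbox timeout, a copy-and-restore of the file name, and C&C contact through a Tor2Web gateway) are exactly what a sandbox operator can score for after the fact. The following Python heuristics are an added example, not code from Cisco or Zscaler; the API call trace, thresholds and Tor2Web gateway suffixes are constructed assumptions, not values taken from the article.

```python
# Constructed sample behaviour trace (not from the article): one record per
# observed API call, in the order a sandbox monitor would log them.
SAMPLE_TRACE = [
    ("Sleep", {"ms": 1_800_000}),                    # 30-minute idle before unpacking
    ("CreateProcess", {"image": "winlogin.exe"}),
    *[("Sleep", {"ms": 1000}) for _ in range(250)],  # many short sleeps to outlast a timeout
    ("CopyFile", {"src": "C:\\Users\\u\\a.exe", "dst": "C:\\Users\\u\\b.exe"}),
    ("CopyFile", {"src": "C:\\Users\\u\\b.exe", "dst": "C:\\Users\\u\\a.exe"}),
    ("HttpConnect", {"host": "examplexyz.onion.to"}),  # constructed hostname
]

# Assumed Tor2Web gateway suffixes used as a heuristic; not from the article.
TOR2WEB_SUFFIXES = (".onion.to", ".onion.cab", ".tor2web.org")


def evasion_indicators(trace, total_sleep_ms=600_000, sleep_calls=100):
    """Return the names of sandbox-evasion indicators found in a behaviour trace.

    trace: iterable of (api_name, args_dict) tuples as logged by a monitor.
    Thresholds are assumptions; tune them to the sandbox's own run time.
    """
    hits = []

    # 1. Delay tactics: one very long sleep, or a loop of many short sleeps.
    sleeps = [args["ms"] for call, args in trace if call == "Sleep"]
    if sleeps and sum(sleeps) >= total_sleep_ms:
        hits.append("long_total_sleep")
    if len(sleeps) >= sleep_calls:
        hits.append("sleep_loop")

    # 2. Copy-and-restore: a file copied to a new name and later copied back.
    copies = [(args["src"].lower(), args["dst"].lower())
              for call, args in trace if call == "CopyFile"]
    for i, (src, dst) in enumerate(copies):
        if (dst, src) in copies[i + 1:]:
            hits.append("copy_then_restore_name")
            break

    # 3. Clearnet access to a Tor hidden service through a Tor2Web gateway.
    hosts = [args["host"].lower() for call, args in trace if call == "HttpConnect"]
    if any(host.endswith(TOR2WEB_SUFFIXES) for host in hosts):
        hits.append("tor2web_gateway_contact")

    return hits


if __name__ == "__main__":
    print(evasion_indicators(SAMPLE_TRACE))
```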

The researchers' conclusion after analyzing Chanitor is quite simple: it boils down to the fact that cybercriminals have shifted focus to where the big money is, relying on more sophisticated tools capable of delaying complete analysis.

Social engineering skills (2 Images)

A real page of Microsoft is served from a compromised website
Phishing sample used by the hackers