JANUARY 12, 2020

Malware Evasion Techniques Part 4: Living Off The Land

As demonstrated in our previous blog on anti-sandboxing, malware developers use whatever they can to remain stealthy and avoid being analyzed. To do t

As demonstrated in our previous blog on anti-sandboxing, malware developers use whatever they can to remain stealthy and avoid being analyzed. To do this, one method is to use built-in Microsoft Windows capabilities and trusted tools. Living Off The Land (LOTL) techniques allow malware to blend in using existing resources in order to evade detection by AV or Sandbox analysis.

The use of built-in features in the target environments to evade detection and analysis is common, and many malware has been spotted using LOTL techniques in the wild. For example, GravityRAT and OopsIE which use WMI requests to detect virtual environments. Also, malware such as the Emotet trojan, Carbon Backdoor and Shamoon used scheduled tasks in their campaigns to persist and evade detection.

In the following post, we will review and demonstrate some of the more common techniques in the field of LOTL, used to detect a virtual environment or dodge AV products.

 

WMI checks

Windows Management Instrumentation (WMI) is an infrastructure on Windows-based operating systems that store environment management information. WMI supplies management data to parts of the operating systems, administrative tasks scripts and other products, and can also be queried using PowerShell and SQL.

Malware that relies on LOTL techniques for evasion can use WMI queries to detect virtual environments and to evade anti-malware software and analysis tools. For example, simply querying the WMI namespace root\SecurityCenter2 will present information from the Windows security center, in classes like “AntiVirusProduct”, “AntiSpywareProduct”, and “FirewallProduct” which store information regarding the security solution installed.

Under the namespace root\cimv2, the classes such as “Win32_DiskDrive” “Win32_VideoController” and “Win32_BIOS” classes can contain specific strings for virtual environments, security products and monitoring tools like Wireshark.

Optional WMI evasion checks using SQL queries:

root\cimv2 classes:

SELECT * from class and search matches for: “Virtual Machine”, “VirtualBox”, “VMware” or “Hyper-V”:

“Win32_ComputerSystem”

“Win32_BaseBoard”

“Win32_DiskDrive”

Win32_PointingDevice

“Win32_VideoController”

“Win32_BIOS”

Additional queries:

Higher chance for false-positive results due to hardware or firmware compatibility issues.

Root\WMI classes:

SELECT * FROM MSAcpi_ThermalZoneTemperature (Virtual environments return error)

root\cimv2 classes:

SELECT * from Win32_Fan (Virtual environments return 0)

 

Task Scheduler

Windows Task Scheduler is a built-in Windows component used to run scripts and executables at tie intervals and at specifically defined times. Malware uses it for persistence, commonly to schedule a task either at system startup or on a regular basis.

Even though malware analysis systems and sandboxes may identify the capability to schedule tasks, in many cases this delayed execution will be used to evade analysis in a sandbox environment.

Sysinternals Suite

Sysinternals are a set of monitoring and diagnostics tools for Windows, created for IT administrators. Malware that employs LOTL techniques relies on the Sysinternals suite’s features such as restoring passwords, recovering data, file execution on remote systems, etc. to persist and evade sandboxes and Anti-malware products.

One of the most common utilities in the Sysinternals Suite is PSExec. PSExec allows running executables and commands on remote machines through SMB (Server Message Block) protocol, though it has a set of requirements such as credentials, admin privileges and having the SMB protocol allowed. PSExec, as well as modified versions of it, are commonly used by attackers to evade AV detection in the infection and lateral movement.

ListDLLs is another Sysinternals utility, that lists the DLLs loaded into all processes in memory. ListDLLs can be used to evade virtual environments, compared to DLLs used by virtualization products.

List of known DLLs:

dbghelp.dll (VMware)

sbiedll.dll (Sandboxie)

vmcheck.dll (virtual PC)

pstorec.dll (SunBelt Sandbox)

snxhk.dll (avast sandbox)

snxhk64.dl (avast sandbox)

sxIn.dll (avast sandbox)

 

LOTL techniques are one of the best examples of how malware developers utilize whatever they can to achieve persistence and evasion, as one of the key issues when facing LOTL techniques is the fact that it relies on by design features of the environment. Though it’s recommended to address the basic techniques mentioned above, in your own endpoints and malware analysis environments, it’s important to remember that in the game of LOTL techniques, this is just the tip of the iceberg. Like a classic Whac-A-Mole game, attackers will forever be developing new and challenging techniques that cyber-security researchers will be anticipating and doing their best to overcome.