Malware sandboxes play a crucial role in cybersecurity by providing a controlled environment for safely analyzing suspicious files and URLs. Let’s take a closer look at specific applications of sandboxes for both Windows and Linux systems to see how versatile they can be in detecting and providing a better understanding of malware and phishing threats.
Windows and Linux Malware on the Rise
From classic trojans and ransomware to vast botnet networks, hidden rootkits, and resource-draining cryptojacking, the world of Windows and Linux malware is diverse and complex. This trend shows no signs of slowing, with IBM reporting a staggering 40% increase in Linux malware just in 2020.
Navigating this ever-evolving landscape requires a robust set of tools that empower security professionals to gain valuable insights into threats quickly and efficiently. This article explores how a malware sandbox can be one such tool, helping them investigate common Windows and Linux malware scenarios and simplify their work.
What is an Interactive Malware Analysis Sandbox?
Interactive malware sandboxes are analyst-driven environments where suspicious code can be dissected, manipulated, and observed within a controlled virtual machine.
Unlike automated sandboxes, analysts have deep control, tweaking settings, simulating network conditions, and launching tasks with different configurations to uncover elusive malware behavior.
This hands-on approach allows them to extract valuable Indicators of Compromise (IOCs) that automated analysis might miss.
ANY.RUN is one example of an interactive malware analysis sandbox; it has been available since 2016.
Viewing New ZLoader Windows Malware’s Configuration
Zloader launched in ANY.RUN
ZLoader, a notorious banking trojan, recently reemerged with two new versions (2.1.6.0 and 2.1.7.0) following a major takedown in 2022. On top of new evasion tactics, such as junk code and string obfuscation, these versions have encrypted configurations and an updated domain generation algorithm, which adds extra layers of complexity for analysts trying to extract any viable information from the samples at hand.
ZLoader’s config
Yet, thanks to a malware sandbox, the process of decrypting ZLoader’s config can be shortened to mere seconds. Simply running a ZLoader sample in a sandbox allows analysts to extract crucial information, such as the C2 servers, directly from the malware’s configuration.
Detecting Linux-targeting Mirai Botnet with Suricata Rules
Mirai botnet executed in ANY.RUN
Mirai is a notable botnet that exploits security weaknesses in various protocols. It leverages lists of common default credentials to scan and infect vulnerable devices.
In this example, the sandbox exposes Mirai’s botnet activity.
Suricata rule used for detecting Mirai
Since this activity is network-based, we can investigate which Suricata rules were triggered and view them in the Rules tab.
Analyzing Windows-based Malware Remcos’ Execution Chain
Remcos is another remote access trojan used to gain unauthorized access and control over infected computers. Recently, it has been distributed by attackers as part of steganography campaigns, exploiting images for malware distribution.
Remcos analyzed in ANY.RUN
When analyzing one such sample in a sandbox, we can see how the Remcos infection chain starts from a simple .xls document that, once opened, triggers the deployment of Dbatloader, which eventually drops Remcos on the system.
Remcos registry changes
The sandbox also provides an in-depth look into each process launched during the execution, including the registry changes related to it.
Remcos IOCs
The sandbox also displays a window with indicators of compromise (IOCs) that analysts can collect and use.
Exposing a Linux Miner
Miners are malicious programs whose goal is to leverage the infected system’s resources for cryptocurrency mining and potentially other harmful activities.
CPU and RAM load indicators in ANY.RUN
By uploading a miner sample to a sandbox, its malicious nature becomes evident.
CPU usage spikes almost immediately upon launch, indicating intensive processing activity, while the program also demands significant RAM, further suggesting resource-intensive operations.
Linux miner’s connections
The miner generated nearly 300,000 DNS requests to various domain names in under 4 minutes, implying extensive network communication.
These observations, gathered within the controlled environment of the malware sandbox, paint a clear picture of the miner’s malicious intent.
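The DNS burst described above (hundreds of thousands of lookups in a few minutes) is a signal a defender can also hunt for in their own resolver logs. The following is an added example, not code from the original article or from ANY.RUN: it parses a constructed "timestamp source query" log, computes each host's peak query count in a sliding one-minute window, and flags hosts that exceed an assumed threshold while also querying many distinct names (the thresholds and the log format are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> <source IP> <queried name>", one query per line.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def parse_dns_log(text):
    """Turn log lines into (timestamp, source, query) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events


def dns_burst_hosts(events, window=timedelta(minutes=1), max_queries=300, min_domains=50):
    """Return {source: (peak_queries_in_window, distinct_names)} for sources whose query
    count inside any sliding window exceeds max_queries and that hit >= min_domains names."""
    by_src = defaultdict(list)
    for ts, src, name in events:
        by_src[src].append((ts, name))
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        times = [ts for ts, _ in items]
        peak, start = 0, 0
        for end in range(len(times)):            # two-pointer sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        distinct = len({name for _, name in items})
        if peak > max_queries and distinct >= min_domains:
            flagged[src] = (peak, distinct)
    return flagged


def build_sample_log():
    """Constructed sample: one quiet workstation and one host behaving like the miner above."""
    base = datetime(2024, 1, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=40 * i)).isoformat()} 10.0.0.5 {name}"
             for i, name in enumerate(["mail.example.test", "cdn.example.test", "update.example.test"])]
    # Infected host: 1200 lookups in 180 s, rotating through 200 pool-style names (.invalid is reserved).
    for i in range(1200):
        ts = base + timedelta(milliseconds=150 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.9 node{i % 200}.pool.example.invalid")
    return "\n".join(lines)


if __name__ == "__main__":
    print(dns_burst_hosts(parse_dns_log(build_sample_log())))
```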
Viewing a Suricata Rule for Gh0st RAT Windows Malware
Suricata rule used for Gh0st RAT detection
The widely used remote access trojan, Gh0st RAT, has been employed by attackers in multiple attacks against organizations around the world. Given the malware’s primary distribution channel of phishing emails, ensuring proper measures against accidental opening of attachments is crucial.
By analyzing suspicious files in a sandbox, analysts can instantly spot malware such as Gh0st RAT and gain access to crucial information on it. For instance, a sandbox can display the Suricata rules triggered during the execution of a Gh0st RAT sample, letting users copy them and apply them to their own security infrastructure, such as their firewall or IDS, for enhanced protection.
Gh0st’s packets
On top of that, a sandbox offers an opportunity for forensic analysis of captured packets to investigate malware activity.
Try ANY.RUN for free
ANY.RUN is an interactive malware analysis sandbox that offers extensive capabilities for analyzing malware and phishing threats. Users, even those on a free plan, can enjoy unlimited uploads and closely study any malicious activity, as well as gather important threat information.
Give ANY.RUN a try. Sign up for the service using your business email.