
Malware campaign attempts to evade analysis with Any.Run sandbox


Malware authors are implementing the capability to check if their malicious code is running in the Any.Run malware analysis service.

Vxers are implementing the capability to check whether their malware is running in the Any.Run interactive online malware sandbox, in order to prevent it from being analyzed by experts.

Every time malware is uploaded to the platform, the service will create a Windows virtual machine with an interactive remote desktop, and execute the file within this environment.

Any.Run allows analysts to determine the malware behavior by recording any associated activity on files, registries, and network connections.

According to Bleeping Computer, a new malware campaign first spotted by the malware researcher JAMESWT employed a technique to detect the execution in an Any.Run VM.

JAMESWT uncovered a malware campaign using malicious PowerShell scripts to download and install malware onto the victims’ computers.

The threat actors behind the campaign execute a script to download two PowerShell scripts that contain obfuscated and embedded malware.

The script will decode the embedded malware and execute it on the target computer.

The second script is then executed and attempts to launch a version of the Azorult password-stealing Trojan, but if it detects that the program is running on Any.Run it will display the message ‘Any.run Detected!’ and halt the execution.

This will cause the malware to not be executed so that the sandbox cannot analyze it.

“When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan. If it detects that the program is running on Any.Run, it will display the message ‘Any.run Deteceted!’ and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it.” states BleepingComputer.

In this way, threat actors attempt to prevent their malware from being analyzed by the popular sandbox service.

Experts noticed that the Trojan executes normally when installed on a live system or within any other virtual machine.
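The loader pattern described above (a PowerShell script carrying an embedded, Base64-encoded payload that it decodes and runs, plus a sandbox check that prints a message and exits) leaves static traces a defender can look for before the script ever runs. The following scanner is an added example written for this article, not code from the campaign, from Any.Run or from BleepingComputer; the rule names, the sample loader and the benign comparison script are all constructed here, and the embedded payload is harmless text standing in for the real blob. It flags a script when it references the sandbox by name, or when it combines a large decodable Base64 blob with a dynamic-execution call.

```python
import re
import base64
from dataclasses import dataclass

# Constructed sample loader in the shape the article describes: an embedded
# Base64 blob that is decoded and executed, and a check that prints a message
# and exits. The payload is harmless text, not the campaign's code.
SAMPLE_PAYLOAD = base64.b64encode(b"Write-Host 'constructed harmless payload'" * 20).decode()
SAMPLE_SCRIPT = f"""
$blob = "{SAMPLE_PAYLOAD}"
$code = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($blob))
if ($sandbox) {{ Write-Host 'Any.run Detected!'; exit }}
Invoke-Expression $code
"""

# Constructed benign admin script used as a negative control.
BENIGN_SCRIPT = """
Get-ChildItem C:\\Logs | Where-Object { $_.Length -gt 1MB } | Remove-Item
"""


@dataclass
class Finding:
    rule: str    # assumed rule name (defined in RULES below)
    detail: str  # matched text or a short description


# Assumed indicator rules; each is a case-insensitive regex over the script text.
RULES = {
    "sandbox_name_reference": re.compile(r"any\.?run", re.IGNORECASE),
    "base64_decode_call": re.compile(r"FromBase64String", re.IGNORECASE),
    "dynamic_execution": re.compile(r"\bInvoke-Expression\b|\biex\b", re.IGNORECASE),
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.IGNORECASE),
}
# A long run of Base64 alphabet characters is a candidate embedded payload.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def scan_script(text: str) -> list[Finding]:
    """Return every indicator found in a PowerShell script (static scan only)."""
    findings = []
    for name, pattern in RULES.items():
        match = pattern.search(text)
        if match:
            findings.append(Finding(name, match.group(0)))
    for match in BASE64_BLOB.finditer(text):
        blob = match.group(0)
        try:
            # validate=True rejects non-alphabet characters and bad padding,
            # so random long identifiers do not count as payloads.
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:
            continue
        findings.append(Finding("embedded_base64_blob",
                                f"{len(blob)} chars, decodes to {len(decoded)} bytes"))
    return findings


def is_suspicious(text: str) -> bool:
    """Flag a sandbox-name reference, or an embedded payload fed to dynamic execution."""
    names = {f.rule for f in scan_script(text)}
    return ("sandbox_name_reference" in names
            or {"embedded_base64_blob", "dynamic_execution"} <= names)


if __name__ == "__main__":
    for label, script in (("sample loader", SAMPLE_SCRIPT), ("benign script", BENIGN_SCRIPT)):
        print(f"{label}: suspicious={is_suspicious(script)}")
        for finding in scan_script(script):
            print(f"  {finding.rule}: {finding.detail}")
```

The scanner only reads the script text, so a sandbox that halted the payload still leaves the indicators in the dropped files; pairing this with the dynamic report is more useful than either alone. The sandbox-name rule is deliberately a single token because the article does not describe how the check itself is implemented.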

Pierluigi Paganini

(SecurityAffairs – hacking, Any.Run)
