{"id":301413,"date":"2022-03-16T21:17:18","date_gmt":"2022-03-16T21:17:18","guid":{"rendered":"https:\/\/www.smartdatacollective.com\/?p=301413"},"modified":"2022-04-03T17:20:16","modified_gmt":"2022-04-03T17:20:16","slug":"hackers-use-ai-to-create-terrifying-malware-targeting-sandboxes","status":"publish","type":"post","link":"https:\/\/www.smartdatacollective.com\/hackers-use-ai-to-create-terrifying-malware-targeting-sandboxes\/","title":{"rendered":"Hackers Use AI to Create Terrifying Malware Targeting Sandboxes"},"content":{"rendered":"\n<p>AI technology has made hackers more formidable than ever, as they develop more dangerous malware. Detecting such malware is especially tricky, which is why agile SOC teams set up a continuous renewal process for their threat detection rules, for example with <a href=\"https:\/\/socprime.com\/\" target=\"_blank\" rel=\"noreferrer noopener external ugc\" data-wpel-link=\"external\">SOC Prime\u2019s<\/a> Detection as Code platform, where they can find accurate and up-to-date content. One example is the set of cross-vendor detection rules for DevilsTongue, malware that can execute kernel-mode code without being caught by sandboxes.<\/p>\n\n\n\n<p>Did you know that 42% of businesses <a href=\"https:\/\/advisorsmith.com\/data\/small-business-cybersecurity-statistics\/\" target=\"_blank\" rel=\"noreferrer noopener external ugc\" data-wpel-link=\"external\">were affected by cyberattacks in 2020<\/a>? That figure is likely to rise as cybercriminals use AI to attack businesses more efficiently. <\/p>\n\n\n\n<p>Artificial intelligence technology has led to some tremendous advances that have changed the state of cybersecurity. Cybersecurity professionals <a href=\"https:\/\/www.smartdatacollective.com\/how-ai-is-transforming-cybersecurity\/\" data-wpel-link=\"internal\">are leveraging AI technology to fight hackers<\/a>. 
AI-driven solutions include smart firewalls for intrusion detection and prevention, new malware prevention tools and risk scoring algorithms that identify possible phishing attacks. <\/p>\n\n\n\n<p>Unfortunately, cybersecurity professionals aren&#8217;t the only ones with access to AI technology. Hackers and malware creators are <a href=\"https:\/\/www.smartdatacollective.com\/ai-powered-cyberattacks-hackers-are-weaponizing-artificial-intelligence\/\" data-wpel-link=\"internal\">also using artificial intelligence<\/a> in far more harmful ways. <\/p>\n\n\n\n<p>Hackers have developed malware with sophisticated AI algorithms that detect and evade sandboxes. This is the newest threat in the realm of cybersecurity technology.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">AI Powered Malware is the Biggest Threat to Sandboxes in 2022<\/h2>\n\n\n\n<p>Sandboxes have long been used in software development workflows to run tests in a presumably safe environment. Today, they are also embedded in most cybersecurity solutions, such as endpoint detection &amp; response (EDR) and intrusion prevention systems (IPS), as well as sold as standalone <a href=\"https:\/\/www.gartner.com\/reviews\/market\/network-sandboxing\" target=\"_blank\" rel=\"noreferrer noopener external ugc\" data-wpel-link=\"external\">solutions<\/a>.<\/p>\n\n\n\n<p>However, <a href=\"https:\/\/www.proofpoint.com\/us\/threat-reference\/sandbox\" target=\"_blank\" rel=\"noreferrer noopener external ugc\" data-wpel-link=\"external\">sandboxes<\/a> are also a well-studied obstacle for attackers, and malware that can tell it is being analyzed will simply stay quiet until the analysis is over. 
Over the years, adversaries have developed techniques, increasingly aided by machine learning, that let malware remain undetected in sandbox environments and, once on a real host, escalate privileges and move deeper into the infected network.<\/p>\n\n\n\n<p>What\u2019s even more alarming is that sandbox-evading techniques keep evolving with advances in machine learning, posing a growing threat to organizations worldwide. Let\u2019s review the most widely used sandbox-evasion techniques, and the malware families known for them, as of the beginning of 2022.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Recognizing Humans<\/h2>\n\n\n\n<p>Sandboxes are typically used only occasionally, for example when untrusted software needs to be tested, and nobody sits at the keyboard while a sample runs. Attackers have therefore used machine learning to develop strains of malware that track user interaction and only activate when a real user appears to be present.<\/p>\n\n\n\n<p>Of course, a sandbox can emulate user actions with AI, such as automated responses to dialog boxes and synthetic mouse clicks. File-based sandboxes run automatically without a human engineer doing anything, but it is difficult to fake the meaningful actions a real user would perform. Recent sandbox-evading malware can distinguish real user interaction from the fake kind and, what is more, can be set to trigger only after a specific real-user behavior has been observed.<\/p>\n\n\n\n<p>Trojan.APT.BaneChant, for instance, ignores the abnormally fast clicks a sandbox generates and activates only after it has counted a number of slower clicks, for example three left-mouse clicks at a moderate pace, which are far more likely to come from a real user. Scrolling is also treated as a human signal by some malware. 
Some samples activate only after the user has scrolled a document to its second page.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Knowing Where They Are<\/h2>\n\n\n\n<p>By reading details such as device IDs and MAC addresses and checking them against a blocklist of known virtualization vendors, malware can tell that it is running inside a virtual machine. It can then check the number of available CPU cores, the amount of installed memory and the hard drive size: inside analysis VMs those values are usually lower than on physical systems, because such VMs are often provisioned with one or two cores, a few gigabytes of RAM and a small disk. As a result, the malware can stay inactive for the whole of the dynamic analysis. Some sandbox vendors counter this by presenting realistic hardware specifications to the guest so that such scans come back clean.<\/p>\n\n\n\n<p>Some malware families, CHOPSTICK among them, also look for signs of the analysis tooling itself. Such an environment is considered too risky for the attacker, so most samples do not activate once they recognize it. Another approach is staged delivery: a small first-stage payload probes the victim\u2019s system, and the full-fledged attack is only delivered once those checks pass.<\/p>\n\n\n\n<p>As you might guess, malware can scan for all sorts of other system features, with models trained to recognize the underlying infrastructure from them. For example, it can inspect the computer\u2019s configuration or enumerate the running processes to see whether antivirus or analysis tools are present.<\/p>\n\n\n\n<p>Malware that is programmed to detect system reboots activates only after one has taken place. 
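The checks described in the Recognizing Humans and Knowing Where They Are sections above are easy to turn around: a sandbox operator can run them inside the analysis VM to see which artifacts a sample would find. The script below is an added example, not code from the original article or from any product or malware family it names. The MAC OUI prefixes are the hypervisor vendors' registered ones; the hardware thresholds, the list of analysis-tool process names and the two sample host profiles are assumptions made for illustration.

```python
"""Sandbox self-check: what a sample sees when it fingerprints the host.

Added example, not code from the original article or from any product or
malware family it names. It turns the checks from the "Recognizing Humans"
and "Knowing Where They Are" sections into a script a sandbox operator can
run inside an analysis VM to see which artifacts a sample would find. The
MAC OUI prefixes are the hypervisor vendors' registered ones; thresholds,
the analysis-tool process list and the two sample profiles are assumptions.
"""
import os
import shutil
import uuid
from dataclasses import dataclass, field
from typing import List

# Registered OUI prefixes of virtual NICs (first three octets, lower-case).
VM_MAC_PREFIXES = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "00:16:3e": "Xen", "52:54:00": "QEMU/KVM", "00:1c:42": "Parallels",
}
# Guest agents and analysis tools that samples commonly enumerate (assumed list).
ANALYSIS_PROCESSES = {
    "vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
    "procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe", "idaq.exe",
}
MIN_CORES, MIN_RAM_GB, MIN_DISK_GB = 2, 4.0, 80.0   # assumed: analysis VMs sit below these
MIN_HUMAN_CLICKS, MIN_CLICK_GAP_S = 3, 0.2          # BaneChant-style: 3 clicks at a human pace


@dataclass
class HostProfile:
    mac: str
    cpu_cores: int
    ram_gb: float
    disk_gb: float
    processes: List[str]
    click_times: List[float] = field(default_factory=list)  # seconds since boot


def human_like_clicks(click_times: List[float]) -> bool:
    """Count only clicks spaced at a human pace: a scripted burst of clicks
    milliseconds apart collapses to a single accepted click."""
    accepted, last = 0, None
    for t in sorted(click_times):
        if last is None or t - last >= MIN_CLICK_GAP_S:
            accepted, last = accepted + 1, t
    return accepted >= MIN_HUMAN_CLICKS


def fingerprint(p: HostProfile) -> List[str]:
    """Every artifact that would make an evasive sample decide it is sandboxed
    (such samples usually bail out on a single one)."""
    findings = []
    vendor = VM_MAC_PREFIXES.get(p.mac.lower()[:8])
    if vendor:
        findings.append(f"mac-oui:{vendor}")
    if p.cpu_cores < MIN_CORES:
        findings.append(f"cpu-cores:{p.cpu_cores}")
    if p.ram_gb < MIN_RAM_GB:
        findings.append(f"ram-gb:{p.ram_gb}")
    if p.disk_gb < MIN_DISK_GB:
        findings.append(f"disk-gb:{p.disk_gb}")
    running = {name.lower() for name in p.processes}
    findings += [f"process:{n}" for n in sorted(ANALYSIS_PROCESSES & running)]
    if not human_like_clicks(p.click_times):
        findings.append("no-human-input")
    return findings


def collect_local_profile() -> HostProfile:
    """Best-effort collection with the standard library. RAM comes from
    sysconf (Linux/macOS); process and click collection are OS-specific and
    left empty here, so those two checks fire on a live run."""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2**30
    except (AttributeError, ValueError, OSError):
        ram_gb = float("nan")   # unknown: nan fails the '<' test, so no finding
    disk_gb = shutil.disk_usage(os.path.abspath(os.sep)).total / 2**30
    return HostProfile(mac, os.cpu_count() or 1, ram_gb, disk_gb, [])


# Constructed profiles: a thinly provisioned VirtualBox analysis VM with a
# burst of scripted clicks, and a workstation with real input.
SANDBOX_VM = HostProfile("08:00:27:4a:1b:9c", 1, 2.0, 40.0,
                         ["explorer.exe", "VBoxService.exe", "procmon.exe"],
                         [5.00, 5.01, 5.02])
WORKSTATION = HostProfile("a4:5e:60:d2:17:88", 8, 32.0, 512.0,
                          ["explorer.exe", "outlook.exe", "code.exe"],
                          [12.0, 13.5, 15.1, 18.4])

if __name__ == "__main__":
    for label, profile in (("sandbox-vm", SANDBOX_VM), ("workstation", WORKSTATION),
                           ("this-host", collect_local_profile())):
        print(f"{label}: {fingerprint(profile) or 'no indicators'}")
```

Run inside the analysis VM, the `this-host` line lists what needs hiding: a VM OUI means the virtual NIC should get a vendor-neutral MAC, low core, RAM and disk counts mean the VM is under-provisioned, and the process names are the guest agents a sample will look for. Sandboxes that fake user presence need to get the click pacing right as well, since the burst of scripted clicks in the constructed VM profile collapses to a single accepted click.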
Such reboot triggers can also distinguish a real reboot from an emulated one, so a sandbox usually cannot trick the sample into exposing itself with a fake reboot.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Planning Perfect Timing<\/h2>\n\n\n\n<p>AI has also made malware more dangerous by perfecting the timing of attacks. Timing-based techniques are among the most common in sandbox evasion. A sandbox does not watch a sample forever: each run gets a limited analysis window, usually a few minutes, after which a verdict is produced. Attackers abuse this by making the malware lie dormant while the sandbox is watching and execute the attack only after the window has closed. FatDuke, for example, runs a stalling loop that burns CPU cycles until the analysis window has passed and only then activates the actual payload. Sandboxes counter simple delays by skipping or shortening sleep calls, which is why stalling loops that consume real wall-clock time are harder to defeat than a plain sleep.<\/p>\n\n\n\n<p>Less sophisticated malware simply has a preset delay before the code detonates. GoldenSpy, for example, activates two hours after landing on the system. Similarly, the \u201clogic bomb\u201d technique has the malicious code execute at a certain date and time. Logic bombs are typically designed to go off only on end users\u2019 devices, and for that they combine the delay with built-in checks for system reboots and human interaction.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Hiding the Trace<\/h2>\n\n\n\n<p>Once the malware has infected the target system, it wants to hide the evidence of its presence, and a variety of techniques has been observed that help adversaries do so. AI has made it easier for malware to modify its own code and slip under the radar of malware protection software and manual threat screening.<\/p>\n\n\n\n<p>One of the primary goals of cybercriminals is to conceal the communication with their Command &amp; Control (C&amp;C) servers so they can deliver further payloads through backdoors undetected. 
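Stepping back to the delay-based triggers described under Planning Perfect Timing above: a sandbox's own API trace exposes both kinds. The script below is an added example, not code from the original article or from any sandbox product or malware family it names. The trace line format, the three traces, the 120-second analysis window and the thresholds are constructed for illustration, and delay arguments are assumed to have been normalised to milliseconds by the monitor.

```python
"""Spotting delay-based sandbox evasion in a sandbox's own API call trace.

Added example, not code from the original article or from any sandbox
product or malware family it names. A sandbox's API monitor records each
call with a timestamp; this script scores such a trace for the two delaying
patterns described under "Planning Perfect Timing": a requested sleep that
outlasts the analysis window (a GoldenSpy-style fixed delay) and a tight
timer-polling loop that burns CPU until wall time has passed (a FatDuke-style
stall). The trace format, the three traces, the 120 s window and the
thresholds are assumptions; delay arguments are taken to be milliseconds.
"""
from dataclasses import dataclass
from typing import List

ANALYSIS_WINDOW_S = 120.0        # assumed per-sample run time of the sandbox
SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
POLL_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
             "timeGetTime", "NtQuerySystemTime"}
MIN_POLL_CALLS = 200             # a stall shows as hundreds of timer reads...
POLL_RATE_PER_S = 50.0           # ...packed far more densely than real code needs


@dataclass
class Call:
    t: float      # seconds since process start
    api: str
    arg: int      # first integer argument (ms for the sleep APIs), else 0


@dataclass
class StallReport:
    requested_sleep_s: float
    poll_calls: int
    poll_rate_per_s: float
    verdicts: List[str]


def parse_trace(lines: List[str]) -> List[Call]:
    """Parse '<seconds> <api>(<args>)' lines, e.g. '0.015 Sleep(7200000)'."""
    calls = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, rest = line.split(maxsplit=1)
        api, _, args = rest.partition("(")
        first = args.rstrip(")").split(",")[0].strip()
        calls.append(Call(float(ts), api, int(first) if first.isdigit() else 0))
    return calls


def analyse(calls: List[Call]) -> StallReport:
    """Sum what the sample *asked* to sleep (visible even if the sandbox
    skips sleeps) and measure how densely it reads the clock."""
    sleep_ms = sum(c.arg for c in calls if c.api in SLEEP_APIS)
    polls = [c for c in calls if c.api in POLL_APIS]
    rate = len(polls) / max(polls[-1].t - polls[0].t, 1e-3) if polls else 0.0
    verdicts = []
    if sleep_ms / 1000 >= ANALYSIS_WINDOW_S:
        verdicts.append("sleep-exceeds-window")
    if len(polls) >= MIN_POLL_CALLS and rate >= POLL_RATE_PER_S:
        verdicts.append("timer-polling-stall")
    return StallReport(sleep_ms / 1000, len(polls), rate, verdicts)


def verdicts_for(lines: List[str]) -> List[str]:
    return analyse(parse_trace(lines)).verdicts


# Constructed traces (not captures of the named families).
FIXED_DELAY_TRACE = [          # two-hour sleep before doing anything
    "0.010 GetModuleHandleW(0)",
    "0.012 CreateMutexW(0, 0, 0)",
    "0.015 Sleep(7200000)",
]
STALL_TRACE = ["0.010 GetModuleHandleW(0)"] + [   # 600 tick reads in 1.2 s
    f"{0.020 + i * 0.002:.3f} GetTickCount()" for i in range(600)]
BENIGN_TRACE = [               # short pause, one clock read, real work
    "0.010 GetModuleHandleW(0)",
    "0.050 Sleep(500)",
    "0.600 CreateFileW(0)",
    "1.100 GetTickCount()",
    "2.300 WriteFile(0)",
]

if __name__ == "__main__":
    for name, trace in (("fixed-delay", FIXED_DELAY_TRACE), ("stall", STALL_TRACE),
                        ("benign", BENIGN_TRACE)):
        r = analyse(parse_trace(trace))
        print(f"{name}: sleep={r.requested_sleep_s:.1f}s polls={r.poll_calls} "
              f"rate={r.poll_rate_per_s:.0f}/s -> {r.verdicts or 'clean'}")
```

Scoring the requested delay rather than the observed one matters: a sandbox that patches Sleep to return immediately still logs the 7200000 ms argument, so the fixed-delay sample is caught even though it never actually waited, while a stalling loop leaves no sleep to patch and shows up only as the burst of clock reads.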
To that end, they can rotate artifacts such as C&amp;C domains and IP addresses with domain generation algorithms (DGAs), which compute a fresh list of candidate domains from a seed such as the current date, so that no domain has to be hard-coded where a blocklist could catch it. Dridex, Pykspa and the Angler exploit kit have all used DGAs, and Smoke Loader rotated through roughly 100 IP addresses in less than two weeks. Any check-in from a victim\u2019s system counts, even if it comes from a sandbox.<\/p>\n\n\n\n<p>DGAs raise an attacker\u2019s operating costs, since domains have to be registered in step with the algorithm, so not every operation can afford them. Other methods do not require a DGA at all: DNSChanger, for example, altered the DNS settings of the victim\u2019s machine so that it resolved names through a rogue DNS server instead of the one provided by the Internet service provider.<\/p>\n\n\n\n<p>Another way for malware to stay unreadable inside a sandbox is to keep its data encrypted in a form that only the intended target can decrypt. Some Trojans, Dridex among them, obfuscate their API calls. The Andromeda botnet and the Ebowla framework encrypt their payloads with several keys, Ebowla deriving them from properties of the target environment so that a sandbox without those properties cannot even decode the code it is supposed to analyze, and the Gauss cyber-espionage toolkit derived a hash from a specific path-and-folder combination on the victim to unlock its payload and bypass detection.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Hackers Will Keep Using AI to Create More Devastating Malware to Attack Sandboxes<\/h3>\n\n\n\n<p>AI technology has been a terrifying tool in the hands of savvy hackers, who are using it to evade sandboxes in all sorts of applications. <\/p>\n\n\n\n<p>For a long time, sandboxes seemed like a good idea: what can be better than an isolated environment where you can safely test untrusted software? However, it turns out that they are not as invisible to the code they run as their operators would like them to be, and hackers using AI can build more effective attacks against them. 
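The domain generation algorithms described under Hiding the Trace above can be spotted from the resolver side, which is where a SOC team usually meets them. The script below is an added example, not code from the original article or from any of the malware families it names, and it reproduces no real DGA: the toy generator only shows why a list of hard-coded domains is useless against one, and the detector scores constructed DNS log lines on traits DGA output tends to share. The log format, the seed, the thresholds and the log lines are assumptions.

```python
"""Flagging DGA-style C&C domains in DNS query logs.

Added example, not code from the original article or from any malware
family it names, and it reproduces no real DGA. The toy generator shows
the property the text relies on: both ends can compute today's candidate
domains from a shared seed, so nothing needs to be hard-coded. The detector
then scores each name in constructed DNS log lines on traits that DGA
output tends to share (high character entropy, few vowels, long consonant
runs, long labels) and reports clients that query several such names, most
of which come back NXDOMAIN because only the registered one resolves.
The log format, seed, thresholds and log lines are assumptions.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict
from datetime import date
from typing import Dict, List, Tuple

TLDS = ("com", "net", "org", "info")
FLAG_SCORE = 3                   # assumed: a name with 3 of 4 traits is DGA-like
MIN_FLAGGED_PER_CLIENT = 3       # assumed: one odd name is noise, a burst is not
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{4}")


def toy_dga(seed: str, iso_day: str, count: int) -> List[str]:
    """Date-seeded candidate list: one 12-letter label plus TLD per index."""
    names = []
    for i in range(count):
        h = hashlib.sha256(f"{seed}|{iso_day}|{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[:12])
        names.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return names


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(name: str) -> str:
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(name: str) -> int:
    """0-4: how many DGA traits the registrable label shows."""
    label = second_level_label(name)
    if len(label) < 7:                       # short brand names are skipped
        return 0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return sum([entropy(label) >= 3.0, vowel_ratio < 0.3,
                CONSONANT_RUN.search(label) is not None, len(label) >= 12])


def parse_log(line: str) -> Tuple[str, str, str]:
    """Assumed resolver log format: '<iso-time> <client> <qname> <rcode>'."""
    _, client, qname, rcode = line.split()
    return client, qname.lower(), rcode


def analyse_log(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map client -> [(flagged qname, rcode)] for clients over the threshold."""
    per_client = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        client, qname, rcode = parse_log(line)
        if dga_score(qname) >= FLAG_SCORE:
            per_client[client].append((qname, rcode))
    return {c: hits for c, hits in per_client.items()
            if len(hits) >= MIN_FLAGGED_PER_CLIENT}


# Constructed resolver log: one host walks a candidate list until a name
# answers, another host only visits ordinary names.
LOG_LINES = [
    "2022-03-15T10:01:02Z 10.0.0.15 www.smartdatacollective.com NOERROR",
    "2022-03-15T10:01:05Z 10.0.0.15 outlook.office.com NOERROR",
    "2022-03-15T10:01:09Z 10.0.0.15 qxbvzkwptgmrdl.com NXDOMAIN",
    "2022-03-15T10:01:09Z 10.0.0.15 tzrmpkvdqwnsbf.net NXDOMAIN",
    "2022-03-15T10:01:10Z 10.0.0.15 gfwklmpzrxhtq.org NXDOMAIN",
    "2022-03-15T10:01:10Z 10.0.0.15 bnqsdrtkwpvzxm.info NOERROR",
    "2022-03-15T10:02:00Z 10.0.0.22 mail.google.com NOERROR",
    "2022-03-15T10:02:03Z 10.0.0.22 update.microsoft.com NOERROR",
    "2022-03-15T10:02:07Z 10.0.0.22 cdn.cloudflare.net NOERROR",
]

if __name__ == "__main__":
    print("today's candidates:", toy_dga("example-seed", date.today().isoformat(), 3))
    for client, hits in analyse_log(LOG_LINES).items():
        live = [q for q, rc in hits if rc == "NOERROR"]
        print(f"{client}: {len(hits)} DGA-like names, resolved: {live}")
```

On a real resolver log the per-client threshold and the NXDOMAIN pattern do most of the work: a single odd-looking name is noise, but a burst of them from one host with exactly one successful answer is the footprint a DGA leaves, and that one resolving name is the candidate C&C domain to block and pivot on.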
Limited analysis time, the absence of real user activity, tell-tale markers of virtual environments and similar artifacts are the blind spots on which attackers build their evasion logic.<\/p>\n\n\n\n<p>SOC engineers need to make sure that not only their key assets but also the sandboxes used in their organization are regularly scanned for malware, especially while those sandboxes are idle. To maintain a strong security posture and minimize the chances of intrusion, security teams should continuously enrich their detection base with new rules and update the existing stack so that it can identify constantly mutating malware. Organizations tend to look for solutions that save up to hundreds of hours per month on researching and developing content from scratch, and for ways to streamline content creation. One way to achieve this is to write rules in a generic language such as Sigma, which is fast to develop, modify and translate. Moreover, free online translation tools can save teams significant time by instantly converting the latest Sigma detections into a variety of SIEM, EDR and XDR formats.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>AI technology has made hackers more formidable than ever, as they develop more dangerous malware. 
Detecting such malware is especially tricky, which is why agile SOC teams set up a continuous renewal process for their threat detection rules, for example with SOC Prime\u2019s Detection as Code platform, where they can find accurate and [&hellip;]<\/p>\n","protected":false},"author":811,"featured_media":300310,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"13","_seopress_titles_title":"Hackers Use AI to Create Terrifying Malware Targeting Sandboxes","_seopress_titles_desc":"AI technology has made it easier for hackers to create destructive software that targets sandboxes.","_seopress_robots_index":"","footnotes":""},"categories":[1939,9,49,13],"tags":[2747,4280,3735],"class_list":{"0":"post-301413","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-artificial-intelligence","8":"category-smartdata-collective-exclusive","9":"category-it","10":"category-security","11":"tag-ai-and-cybersecurity","12":"tag-ai-hackers","13":"tag-data-savvy-hackers"},"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/301413","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/users\/811"}],"replies":[{"embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/comments?post=301413"}],"version-history":[{"count":5,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/301413\/revisions"}],"predecessor-version":[{"id":301668,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/posts\/301413\/revisions\/301668"}],"wp:featuredmedia":[{"embeddable"
:true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/media\/300310"}],"wp:attachment":[{"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/media?parent=301413"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/categories?post=301413"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.smartdatacollective.com\/wp-json\/wp\/v2\/tags?post=301413"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}