An interactive malware sandbox within your security system | Techno Glob

According to Check Point Research, the number of sophisticated cyber attacks increased by 32% in the second quarter of 2022 compared to the same period in 2021.

Cyber-criminals launch complex attacks using various techniques and entry points to gain access to a victim’s system. Conventional antiviruses are usually unable to deal with such threats.

We’ll discuss how companies can solve this problem using interactive services as an example of the ANY.RUN online malware sandbox.

The role of the malware sandbox in security

To identify an infected program, it must be downloaded and activated. This can be done in a virtual machine on a working PC, but you need experience to set it up. If you do it incorrectly, the risk can extend beyond the test environment. For example, polymorphic Trojans spread to other machines through internal networks.

Sandboxes solve this problem. It’s a virtual environment where you can upload suspicious files to safely activate malware, analyze its behavior, and collect artifacts and indicators of compromise (IOCs). This data can be used to create protection.

Malware sandboxes can be of two types: automatic and interactive. Automated sandboxes analyze autonomously. After uploading the samples and starting the analysis, we have no control over the simulation process. The sandbox malware tries to activate itself and reports back to us after some time.

The problem with this approach is that some patterns explode on specific user actions or system settings. This is where the interactive type comes in, allowing experts to work directly with the system and simulate user actions.

Advantages of an interactive malware sandbox

Automated and interactive sandboxes are not interchangeable tools. In the entire security system, everyone has their own role. For example, an analyzer checks and identifies multiple files in an automated sandbox and analyzes them in an interactive service to quickly find hidden IOCs.

Interactive malware sandboxes are a good solution when you need to detect malware without waiting for a report or when working with complex patterns.

Benefits include:

  • Ability to influence the analysis process. Specialists can interact with the virtual environment like a PC: reset the system, click on files, open in Word and do everything as a victim of a real cyber attack.
  • Flexible customization. Easily change system language, currency or region. Some locale settings activate some malware types and you may have to go through several settings combinations to detect them. It helps to detonate complex patterns past automated sandboxes.
  • Immediate access to IOCs. The VM launches immediately and the analyst sees the processes generated by the malware after the research begins. This allows conclusions to be drawn before the analysis is complete. Automated sandboxes show results only after simulation, and typically, this process takes a few minutes.

Use cases with an interactive malware sandbox

Let’s examine some examples of real-world tasks in the ANY.RUN online malware sandbox.

In the event of an attack, every second counts. In the task, we analyze the infected file with Agent Tesla. This is a Trojan that steals credentials.

In this situation, we understand that there is an infection, but we don’t know which malicious software has infiltrated the system. Since the VM runs instantly, malware analysts can identify Agent Tesla in just 10 seconds using ANY.RUN. Along with this, cyber security experts protect the system before sensitive data is leaked.

Some malware only start executing malicious code after a system reboot. This is how they hide from automated sandboxes. In ANY.RUN, an expert can download a file with such a program, restart the OS, and then collect the IOC. This entire process takes only a few minutes.

There are malicious programs that target specific regions. They can check what OS language is set on the computer or what keyboard layout is used before executing it. In order to detect such complex malware, these settings must be able to be easily changed.

We encountered a suspicious file in the task, but initial analysis did not reveal any malicious activity. Using an automated sandbox, this file will pass inspection. However, after changing the locale, the malware was activated and the analyst identified it as Raccoon Stealer, which steals confidential information.

Cyber ​​attacks are common but not inevitable. These risks could have been prevented with appropriate measures and technology. Using advanced tools such as interactive malware sandboxes can help analyze, detect and prevent even the most evasive and dangerous attacks.

Use promo code to run ALL files and links in ANY.RUN online malware sandbox and expose advanced threats:
Write promo code “Infosec” to using your business email address and get free 14-day ANY.RUN premium subscription.

Source link