Malware Authors Develop New Method to Evade Analysis by Any.Run Sandbox

Malware authors are implementing the capability to check if their malicious code is running in the Any.Run malware analysis service.

What is Any.Run?

  • Any.Run is a malware analysis sandbox service that allows researchers to analyze malware safely, without risking their systems.
  • When an executable is fed to Any.Run, the service creates a Windows virtual machine with an interactive remote desktop and the file is executed.
  • This assists researchers in observing the behavior executed by the malware.

What’s going on?

  • A new password-stealing trojan campaign has been spotted wherein malicious PowerShell scripts are employed to install malware onto targeted computers. 
  • After the execution of the above-said script, two scripts will be downloaded containing the obfuscated code of the malcious payload.
  • On running the second script, the AZORult password-stealing trojan is attempted to be launched. 
  • In case it detects that the malware is being run on Any.Run, it stops the execution of the malware. Thus, it renders the sandbox incapable of analyzing the malware.

Conclusion

The bottom line is that malicious actors are expected to keep targeting sandbox platforms since it is a novel way of evading detection.