Sandboxing is a popular cybersecurity practice that provides a safe environment in which to observe and analyze whether a sample is malicious. However, malware loaders have recently been leveraging a lesser-known and unusual tactic to bypass sandbox environments and execute malicious payloads on victim systems.
What's the matter?
Researchers at Palo Alto Networks' Unit 42 have found that the malware authors behind Zloader and BazarLoader are using unique implementations of API Hammering as a form of extended sleep to evade detection in sandbox environments.
According to the researchers, the tactic is more effective than the ‘Ping Sleep’ technique, in which the malware constantly sends ICMP network packets to an IP address in a loop.
What is API Hammering?
API Hammering involves making a massive number of junk calls to Windows API functions.
Executing these calls delays the execution of the malware's real malicious routines, allowing the malware to indirectly sleep through the sandbox analysis window.
Although not widely used in the wild, the lesser-known tactic was part of a TrickBot campaign launched in 2020.
Palo Alto Networks researchers have uncovered a new version of BazarLoader that uses a new and more complex implementation of API Hammering. Previous versions of the malware used a fixed number of ‘printf’ function calls to time out malware analysis.
The new version generates a random loop count and repeatedly accesses a list of random Windows registry keys; the list varies across Windows versions.
In the case of ZLoader, the loader uses four API functions (GetFileAttributesW, ReadFile, CreateFileW and WriteFile) to carry out API Hammering.
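As an added defensive example (not code from the Unit 42 research or from the loaders themselves), the following Python heuristic parses a sandbox API-call trace and flags the pattern described above: thousands of calls concentrated on a handful of cheap APIs before any behavioural API fires. The trace format, the behavioural-API marker list and the thresholds are assumptions made for the example, and both traces are constructed rather than captured from real samples.

```python
from collections import Counter

# Assumed marker set for this example: the first call to one of these ends the
# "prelude" and marks the start of the real payload behaviour. Not a Unit 42 list.
BEHAVIOURAL_APIS = {"CreateProcessW", "VirtualAllocEx", "WriteProcessMemory",
                    "CreateRemoteThread", "InternetOpenW"}

def parse_trace(text):
    """Parse 'ms_since_start,api,argument' lines; blank or malformed lines are skipped."""
    calls = []
    for line in text.splitlines():
        parts = line.split(",", 2)
        if len(parts) == 3 and parts[0].isdigit():
            calls.append((int(parts[0]), parts[1], parts[2]))
    return calls

def detect_api_hammering(calls, min_calls=1000, max_distinct=4, dominance=0.9):
    """Flag a trace whose prelude is a large call volume concentrated on a few APIs.
    Hammering shows up as thousands of cheap calls (registry reads, file attribute
    checks, printf) to at most a handful of functions before any behavioural API
    fires; a normal loader prelude is short and varied."""
    prelude = []
    for call in calls:
        if call[1] in BEHAVIOURAL_APIS:
            break
        prelude.append(call)
    counts = Counter(api for _, api, _ in prelude)
    top = counts.most_common(max_distinct)
    top_share = sum(n for _, n in top) / len(prelude) if prelude else 0.0
    return {
        "hammering": len(prelude) >= min_calls and top_share >= dominance,
        "prelude_calls": len(prelude),
        "prelude_ms": prelude[-1][0] - prelude[0][0] if prelude else 0,
        "dominant_apis": sorted(api for api, _ in top),
        "dominant_share": round(top_share, 3),
    }

# Constructed traces (not captured from real samples). The first mimics the
# ZLoader-style loop over four file APIs; the second is a short, varied prelude.
_FILE_APIS = ["GetFileAttributesW", "CreateFileW", "ReadFile", "WriteFile"]
HAMMERING_TRACE = "0,GetModuleHandleW,kernel32.dll\n" + "".join(
    f"{i},{_FILE_APIS[i % 4]},C:\\Users\\Public\\tmp{i % 5}.dat\n" for i in range(1, 3201)
) + "3201,CreateProcessW,C:\\Windows\\System32\\cmd.exe\n"
_VARIED = ["GetModuleHandleW", "LoadLibraryW", "GetProcAddress", "RegOpenKeyExW",
           "RegQueryValueExW", "GetSystemTimeAsFileTime", "GetTickCount"]
NORMAL_TRACE = "".join(f"{i},{_VARIED[i % 7]},arg{i}\n" for i in range(40)) \
    + "40,CreateProcessW,C:\\Windows\\System32\\notepad.exe\n"
```

Real sandboxes would also weigh the prelude's wall-clock length, since the whole point of the hammering is to outlast the analysis timeout.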
With several tricks in their bags, cybercriminals continue to tap into various malware evasion techniques, such as API Hammering, to fly under the radar while carrying out their infection process. This lets the final payloads conduct their malicious activities for a longer period of time. Therefore, organizations must prioritize network and endpoint security to nip such threats in the bud.