Recorded Future Sandbox has a three-level approach to anti-VM countermeasures:
- The hypervisor - We use KVM/QEMU, modified to cope better with known anti-VM techniques, such as checks that detect CPU virtualization.
- The VM images - We have our own custom framework for building VMs, designed specifically for malware analysis. Any tell-tale data, such as registry keys or device names, is cleaned up and replaced with values taken from a physical machine running the OS in question, so we can be sure they are realistic. We also populate the 'recent files' database, generate fake documents to fill out folders, and so on, to address the less technical VM detection methods.
- The kernel agent - Our kernel agent runs the malware samples and logs the events we use for analysis, but it also handles the remaining anti-VM techniques that cannot be dealt with at the other two stages. It acts like a rootkit: it can intercept any API call and change the contents and/or timing of the response so that it looks realistic. For example, if a timing method relies on a specific API responding slightly faster on a virtualized machine than on a real one, our agent delays the response so that the difference is not useful for detection.
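The timing point above (and the execution-delay point under Time-Based Triggers below) has a subtlety worth seeing in code: if an agent makes a delay API return immediately but leaves the clocks alone, the skipped wait is itself a tell, because the sample can measure how long the "sleep" took, and it can cross-check two clock sources. The following added example is not Recorded Future's code; it is a hypothetical, simplified model of a sample that stalls and then verifies the stall, run against three hypothetical hook strategies (skip only, skip plus one patched clock, skip plus all clocks advanced together). All names, the 300-second delay and the tolerance are constructed for the illustration.

```python
"""Sleep-skipping hooks versus a sample that verifies its own delay.

Added illustration, not Recorded Future Sandbox code. The clock classes
stand in for an agent hooking Sleep()-style and clock-reading APIs.
"""
import time

STALL_SECONDS = 300.0   # how long the constructed sample intends to stall
TOLERANCE = 2.0         # slack the sample allows for scheduler jitter


class NaiveSkipClock:
    """Hook that makes sleep return at once but leaves the real clocks alone."""

    def __init__(self):
        self.elided = 0.0   # seconds of waiting removed, for the report

    def monotonic(self):
        return time.monotonic()

    def time(self):
        return time.time()

    def sleep(self, seconds):
        self.elided += seconds   # nothing waits, nothing else changes


class HalfPatchedClock:
    """Hook that skips the wait and advances the tick counter, but forgets
    the wall clock: the two sources the sample reads now disagree."""

    def __init__(self, wall=1_700_000_000.0):
        self._mono = 0.0
        self.elided = 0.0

    def monotonic(self):
        return self._mono

    def time(self):
        return time.time()

    def sleep(self, seconds):
        self._mono += seconds
        self.elided += seconds


class FastForwardClock:
    """Hook that skips the wait and advances every clock the sample can
    read by the same amount, so the elided delay is not observable."""

    def __init__(self, wall=1_700_000_000.0):
        self._mono = 0.0
        self._wall = wall
        self.elided = 0.0

    def monotonic(self):
        return self._mono

    def time(self):
        return self._wall

    def sleep(self, seconds):
        self._mono += seconds
        self._wall += seconds
        self.elided += seconds


def stalling_sample(clock):
    """Constructed sample: stall, then check that the stall really happened
    using two independent clock sources."""
    m0, w0 = clock.monotonic(), clock.time()
    clock.sleep(STALL_SECONDS)
    mono_elapsed = clock.monotonic() - m0
    wall_elapsed = clock.time() - w0
    if mono_elapsed < STALL_SECONDS - TOLERANCE:
        return "bail: sleep returned early"
    if abs(mono_elapsed - wall_elapsed) > TOLERANCE:
        return "bail: clock sources disagree"
    return "payload"


def analyse(clock):
    """Run the sample under a hook; return its verdict and how much waiting
    the hook removed (the intended delay the report should mention)."""
    verdict = stalling_sample(clock)
    return verdict, clock.elided


if __name__ == "__main__":
    for hook in (NaiveSkipClock(), HalfPatchedClock(), FastForwardClock()):
        print(type(hook).__name__, analyse(hook))
```

Only the consistent fast-forward hook reaches the payload; the other two are caught by the sample's own checks, which is why an agent that shortens delays has to adjust every time source the sample can consult, not just the API that sleeps. The `elided` counter is what lets a report state the intended stall even though the analysis itself did not wait for it.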
The sandbox has been built to pass all commonly used anti-VM/anti-sandbox checks using one or more of the approaches described above. Anti-VM detection is a constantly evolving landscape however and we frequently release additional fixes as new techniques appear.
Please find below some specific details on how certain techniques are addressed:
- Time-Based Triggers - Delayed Execution, Delayed Command and Control (C2) Communication, Thread Stalling: Sandbox detects commonly used methods of implementing execution delays and can often trigger them early to force a sample to run. We complement behavioural analysis with static analysis to detect when these techniques are used and to report on the intended (rather than the actual) behaviour of the malware.
- Time-Based Triggers - Time Bombs: Sandbox's coverage of this depends on how the technique is implemented; sometimes its use can be detected. If a sample belongs to a malware family we support, we can detect it or extract its configuration regardless of the conditions the malware authors set for it to run.
- Code Obfuscation and Unpacking - Layered Obfuscation, On-Demand Decryption: We support many types of (layered) encryption, packing and obfuscation. During behavioural analysis, Sandbox uses the VM's memory to extract relevant information about a sample, in order to produce detections or extract malware configs. For malware to run and perform its behaviour, it must at some point hold some plain, unencrypted information in memory. We often use that plain information to extract or decrypt other parts of the sample.
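The last point, that something has to be plain in memory at some point and that the plain part can unlock the rest, is easiest to see with a small worked example. What follows is an added illustration, not Recorded Future's extractor or any real malware family: a constructed sample keeps an XOR-encrypted configuration and decrypts it into process memory. A hypothetical extractor first looks for the plaintext config in a memory snapshot; when the sample only decrypted the header on demand, the extractor uses that known header as known plaintext to recover the XOR key and decrypt the still-encrypted blob. The config layout, marker, key and memory contents are all constructed for the example.

```python
"""Config extraction from process memory, including the on-demand case.

Added illustration, not Recorded Future Sandbox code. The config format,
marker, key and memory layout are constructed for this example.
"""

MARKER = b"CFG1"
KNOWN_PREFIX = b"CFG1|c2="   # family-specific layout: marker, then first field
KEY_LEN = 8                   # XOR key length assumed for the constructed family

# Constructed sample configuration (NUL-terminated) and its on-disk form.
CONFIG_PLAIN = b"CFG1|c2=203.0.113.10:443|campaign=demo7|mutex=Global\\rfsbx\x00"
KEY = bytes.fromhex("9dc3b4e7f2a1d088")   # all bytes >= 0x80: ciphertext of ASCII is never printable


def xor(data, key):
    """Repeating-key XOR; used both to encrypt and to decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CONFIG_BLOB = xor(CONFIG_PLAIN, KEY)   # what the sample carries on disk


def memory_snapshot(on_demand):
    """Constructed memory image of the running sample.
    on_demand=False: the sample decrypted the whole config into memory.
    on_demand=True:  it decrypted only the 8-byte header so far."""
    junk_before = b"kernel32.dll\x00" + b"\x90" * 32
    junk_after = b"\x00" * 16 + b"\xcc" * 16
    if on_demand:
        region = CONFIG_PLAIN[:KEY_LEN] + CONFIG_BLOB[KEY_LEN:]
    else:
        region = CONFIG_PLAIN
    return junk_before + region + junk_after


def parse_config(region):
    """Parse 'CFG1|k=v|k=v\\0' starting at region[0]; None if not plaintext."""
    end = region.find(b"\x00")
    if end < 0:
        return None
    body = region[:end]
    if not all(0x20 <= b < 0x7F for b in body):   # encrypted bytes are not printable
        return None
    fields = body.split(b"|")
    if fields[0] != MARKER:
        return None
    config = {}
    for field in fields[1:]:
        key, _, value = field.partition(b"=")
        config[key.decode()] = value.decode()
    return config


def recover_key(plain_prefix, cipher_prefix):
    """Known-plaintext attack on repeating-key XOR: key = plain ^ cipher."""
    return xor(plain_prefix, cipher_prefix)


def extract_config(memory, disk_blob):
    """Return (config, how) from a memory snapshot plus the on-disk blob."""
    offset = memory.find(MARKER)
    if offset < 0:
        return None, "marker not found in memory"
    config = parse_config(memory[offset:])
    if config is not None:
        return config, "plaintext config found in memory"
    # Only the header was decrypted: use it as known plaintext against the
    # encrypted blob to recover the key, then decrypt everything else.
    plain_header = memory[offset:offset + KEY_LEN]
    if plain_header != KNOWN_PREFIX[:KEY_LEN]:
        return None, "header not in plaintext, cannot derive key"
    key = recover_key(plain_header, disk_blob[:KEY_LEN])
    config = parse_config(xor(disk_blob, key))
    if config is None:
        return None, "recovered key did not yield a valid config"
    return config, f"decrypted on-disk blob with recovered key {key.hex()}"


if __name__ == "__main__":
    for on_demand in (False, True):
        print(on_demand, extract_config(memory_snapshot(on_demand), CONFIG_BLOB))
```

The fully decrypted case is a straightforward memory scan for the family's layout. The on-demand case is the more interesting one: eight plaintext bytes that the sample needed in order to validate its own config are enough to recover the whole key, so the layering buys the author nothing once a known layout is visible anywhere in memory.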