Vxers are implementing the capability to check whether their malware is running in the Any.Run interactive online malware sandbox, to prevent it from being analyzed by experts.
Every time a sample is uploaded to the platform, the service creates a Windows virtual machine with an interactive remote desktop and executes the file within that environment.
Any.Run allows analysts to determine the malware's behavior by recording all associated activity on files, the registry, and network connections.
According to Bleeping Computer, a new malware campaign first spotted by the malware researcher JAMESWT employed a technique to detect the execution in an Any.Run VM.
JAMESWT uncovered a malware campaign that uses malicious PowerShell scripts to download and install malware onto the victims' computers.
The threat actors behind the campaign execute a script that downloads two PowerShell scripts, each containing obfuscated, embedded malware.
The first script decodes the embedded malware and executes it on the target computer.
The second script is then executed and attempts to launch a version of the Azorult password-stealing Trojan, but if it detects that it is running on Any.Run it displays the message 'Any.run Detected!' and halts execution.
As a result the malware is never executed, so the sandbox cannot analyze it.
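The two-stage pattern above (a downloaded script that carries an encoded payload, plus a sandbox check that prints a message and exits) is easy to triage statically once the script is in hand. The following Python helper is an added example, not code from the campaign, from Any.Run or from BleepingComputer: it extracts and decodes base64 blobs from a PowerShell script and flags the 'Any.run Detected!' marker together with the exit that follows it. The sample script is constructed for the example, and its `Test-Sandbox` call is a hypothetical placeholder, since the article does not say how the real script recognises Any.Run.

```python
"""Static triage for a two-stage PowerShell dropper with a sandbox check.

Added example: extracts embedded base64 payloads and reports the
'Any.run Detected!' evasion marker so an analyst can see what the script
would have done on a machine it did not consider a sandbox.
"""
import base64
import binascii
import re

# Strings the article reports the script prints before halting.  Matching is
# case-insensitive so minor variants ("Any.Run detected") are still caught.
EVASION_MARKERS = ["any.run detected"]

# Base64 runs long enough to be a payload rather than an incidental token.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed sample standing in for the second-stage script.  The "payload" is
# a harmless text string, and Test-Sandbox is a hypothetical placeholder: the
# article does not describe how the real script detects Any.Run.
PAYLOAD_TEXT = b"constructed stand-in for the embedded Azorult binary"
SAMPLE_SCRIPT = "\n".join([
    "$blob = '" + base64.b64encode(PAYLOAD_TEXT).decode() + "'",
    "$bytes = [System.Convert]::FromBase64String($blob)",
    "if (Test-Sandbox) { Write-Host 'Any.run Detected!'; exit }",
    "[System.Reflection.Assembly]::Load($bytes)",
])


def extract_payloads(script):
    """Return the decoded bytes of every base64 blob found in the script."""
    payloads = []
    for match in BASE64_RE.finditer(script):
        try:
            payloads.append(base64.b64decode(match.group(0), validate=True))
        except (binascii.Error, ValueError):
            continue  # a long identifier that merely looks like base64
    return payloads


def find_evasion_markers(script):
    """Return (line_number, marker) pairs, 1-indexed, for each evasion string."""
    hits = []
    for number, line in enumerate(script.splitlines(), start=1):
        lowered = line.lower()
        for marker in EVASION_MARKERS:
            if marker in lowered:
                hits.append((number, marker))
    return hits


def halts_after_marker(script, hits):
    """True if an 'exit' sits on the same line as a marker (the pattern reported)."""
    lines = script.splitlines()
    return any(re.search(r"\bexit\b", lines[n - 1], re.IGNORECASE) for n, _ in hits)


def triage(script):
    """Summarise payloads and evasion behaviour for one script."""
    payloads = extract_payloads(script)
    hits = find_evasion_markers(script)
    return {
        "payloads": payloads,
        "markers": hits,
        "halts_on_sandbox": halts_after_marker(script, hits),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    for number, marker in report["markers"]:
        print(f"line {number}: evasion marker '{marker}'")
    print("halts on sandbox:", report["halts_on_sandbox"])
    for blob in report["payloads"]:
        print(f"embedded payload: {len(blob)} bytes, starts {blob[:16]!r}")
```

The decoded blobs are what the sandbox never got to see; in practice the analyst hands them to a second run on a VM the sample does not treat as a sandbox, or removes the check from the script before re-detonating it. The marker list is a string match only, so an unknown variant of the check still requires reading the script.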
“When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan. If it detects that the program is running on Any.Run, it will display the message ‘Any.run Detected!’ and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it.” states BleepingComputer.
In this way, threat actors attempt to prevent their malware from being analyzed by the popular sandbox service.
Experts noticed that the Trojan executes normally when installed on a live system or inside any other virtual machine.
(SecurityAffairs – hacking, Any.Run)