Malware campaign attempts to evade analysis with Any.Run sandbox

Pierluigi Paganini July 13, 2020

Malware authors are implementing the capability to check if their malicious code is running in the Any.Run malware analysis service.

Malware authors (vxers) are adding a check for whether their code is running inside the Any.Run interactive online malware sandbox, so that it can avoid being analyzed by experts.

Every time malware is uploaded to the platform, the service will create a Windows virtual machine with an interactive remote desktop, and execute the file within this environment.

Any.Run allows analysts to determine the malware behavior by recording any associated activity on files, registries, and network connections.

According to Bleeping Computer, a new malware campaign first spotted by the malware researcher JAMESWT employed a technique to detect the execution in an Any.Run VM.

JAMESWT uncovered a malware campaign that uses malicious PowerShell scripts to download and install malware onto the victims' computers.

The threat actors behind the campaign execute a script to download two PowerShell scripts that contain obfuscated and embedded malware.

The script will decode the embedded malware and execute it on the target computer.

The second script is then executed and attempts to launch a version of the Azorult password-stealing Trojan; if it detects that it is running on Any.Run, it displays the message ‘Any.run Detected!’ and halts execution.

This will cause the malware to not be executed so that the sandbox cannot analyze it.

“When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan. If it detects that the program is running on Any.Run, it will display the message ‘Any.run Deteceted!’ and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it.” states BleepingComputer.

In this way, the threat actors attempt to prevent their malware from being analyzed by the popular sandbox service.

Experts noticed that the Trojan executes normally when installed on a live system or run within any other virtual machine.
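For triage, the sandbox-evasion message the article cites is itself a useful hunting indicator, but in this campaign the payload sits inside obfuscated PowerShell, so a scan should also look one encoding layer down. The following script is an added example (not code from the article or the campaign): it searches a PowerShell script for the message string both in plain text and inside base64/UTF-16LE `-EncodedCommand` arguments. The sample script and its condition variable are constructed placeholders, not the campaign's actual code.

```python
import base64
import re

# Marker strings cited by the article: the message the second-stage script
# prints when it believes it is running in Any.Run (plus the typo variant
# quoted from BleepingComputer).
SANDBOX_MARKERS = ["Any.run Detected!", "Any.run Deteceted!"]

# powershell.exe accepts -EncodedCommand and unambiguous prefixes such as -enc/-ec/-e;
# the argument is base64 of the UTF-16LE command text.
_ENC_ARG = re.compile(r"-(?:EncodedCommand|enc|ec|e)\b\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_commands(script: str) -> list[str]:
    """Return the decoded text of every -EncodedCommand argument found in the script."""
    decoded = []
    for match in _ENC_ARG.finditer(script):
        try:
            decoded.append(base64.b64decode(match.group(1), validate=True).decode("utf-16le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; skip it
    return decoded


def find_sandbox_markers(script: str) -> list[str]:
    """Return the sandbox-evasion markers present in the script, plain or one encoding layer down."""
    layers = [script] + decode_encoded_commands(script)
    hits = []
    for text in layers:
        lowered = text.lower()
        for marker in SANDBOX_MARKERS:
            if marker.lower() in lowered and marker not in hits:
                hits.append(marker)
    return hits


# Constructed sample: a stand-in for a suspicious launcher line. The $detected
# variable is a placeholder; the article does not describe how the check works.
_INNER = "if ($detected) { Write-Host 'Any.run Detected!'; exit }"
SAMPLE_SCRIPT = (
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + base64.b64encode(_INNER.encode("utf-16le")).decode("ascii")
)

if __name__ == "__main__":
    print(find_sandbox_markers(SAMPLE_SCRIPT))
```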


Pierluigi Paganini

(SecurityAffairs – hacking, Any.Run)
