
How Malware is Evolving: Sandbox Evasion and Brand Impersonation 

Attackers are constantly seeking new methods to evade detection by antivirus, endpoint detection and response (EDR) tools, and sandbox environments. Malware creators are now using a combination of brand impersonation and sandbox evasion techniques to bypass security measures and execute their malicious payloads. 

As part of this ongoing evolution, well-known brands like Amazon, Costco, Target, LinkedIn, and even cultural icons like Star Wars are being borrowed to lend malicious files a veneer of legitimacy. Traffic to a trusted name attracts less scrutiny from reputation-based controls, which makes it harder for security systems to flag these files. 

MITRE ATT&CK: Virtualization and Sandbox Evasion 

One of the key techniques employed by modern malware is sandbox evasion. Malware creators design their code to detect whether it is running inside a virtualized or sandboxed environment of the kind security teams commonly use for automated threat analysis. 

According to the MITRE ATT&CK framework, malware can look for signs of a sandbox in several ways: system checks for virtualization artifacts (hypervisor drivers, vendor strings, unusually small disks or few CPU cores), user-activity checks such as waiting for mouse movement or clicks, and time-based checks such as sleeping and then measuring whether the wait was fast-forwarded. These correspond to the sub-techniques T1497.001, T1497.002 and T1497.003. Once the malware concludes it is inside a sandbox, it changes its behavior, often terminating, sleeping through the analysis window, or connecting only to benign domains so that nothing suspicious is recorded. 

Relevant ATT&CK techniques include: 

  • Virtualization/Sandbox Evasion (T1497) [https://attack.mitre.org/techniques/T1497/] 
  • Virtualization/Sandbox Evasion (T1633) [https://attack.mitre.org/techniques/T1633/] (the equivalent technique in the ATT&CK for Mobile matrix) 
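The time-based check described above, written out from the malware's side as an added example (not code from Veriti or from the original post) so a sandbox operator can see exactly what a sample measures. The sandbox behaviours it simulates, a skipped sleep and a patched tick counter, and the FakeClock helper are constructed for illustration:

```python
import time
from typing import Callable, Optional

# Added example, not code from the original post. It reproduces the
# time-based sandbox check (ATT&CK T1497.003) from the malware's side. The
# sandbox behaviours simulated below (a skipped sleep, a patched tick
# counter) and the FakeClock helper are constructed for illustration.


class FakeClock:
    """Constructed clock that only moves when advance() is called."""

    def __init__(self, start: float = 1_000.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def timing_check(
    sleep_fn: Callable[[float], None] = time.sleep,
    requested: float = 2.0,
    shortfall_ratio: float = 0.25,
    wall_clock: Callable[[], float] = time.time,
    mono_clock: Callable[[], float] = time.perf_counter,
) -> Optional[str]:
    """Sleep for `requested` seconds and compare two clocks against it.

    Returns None when the wait behaved like a real host, otherwise the tell
    that gave the sandbox away:
      "sleep-skipped"     the wait returned far earlier than requested, so
                          the sleep API was patched or fast-forwarded;
      "clock-divergence"  the wall clock and the monotonic clock disagree
                          about how long the wait took, so one of them was
                          adjusted to hide a skipped sleep.
    """
    wall_start = wall_clock()
    mono_start = mono_clock()
    sleep_fn(requested)
    wall_elapsed = wall_clock() - wall_start
    mono_elapsed = mono_clock() - mono_start

    tolerance = requested * shortfall_ratio
    if mono_elapsed < requested - tolerance:
        return "sleep-skipped"
    if abs(wall_elapsed - mono_elapsed) > tolerance:
        return "clock-divergence"
    return None


def decide_behaviour(reason: Optional[str]) -> str:
    """What the post describes a sample doing once it has made up its mind."""
    return "run-payload" if reason is None else "exit-quietly"


def skipping_sleep(seconds: float) -> None:
    """Stand-in for a sandbox hook that returns without waiting (constructed)."""
    return None


def patched_ticks_scenario(requested: float = 2.0) -> Optional[str]:
    """Sandbox that skips the sleep but bumps the tick counter to hide it."""
    wall, mono = FakeClock(), FakeClock()
    return timing_check(lambda s: mono.advance(s), requested=requested,
                        wall_clock=wall, mono_clock=mono)


if __name__ == "__main__":
    print("real host:     ", timing_check(requested=0.5))
    print("skipped sleep: ", timing_check(skipping_sleep, requested=2.0))
    print("patched ticks: ", patched_ticks_scenario())
```

The defender's takeaway is the inverse of the check: a sandbox that shortens sleeps to speed up analysis must advance every clock the guest can read by the same amount, or the sample notices the mismatch and goes quiet.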

Recent Malware Campaigns Using Brand Impersonation 

In the past two weeks, Veriti’s research team has detected several notable malware campaigns leveraging well-known brands to bypass detection and deliver malicious payloads. Below are some of the key examples: 

  • SnakeKeyLogger using Amazon, Costco, Target, CNN, Star Wars [VirusTotal link] 
  • LummaC using Booking.com, CNN, Target, Amazon, Star Wars [VirusTotal link] 
  • Agent Tesla using Amazon, Costco, Target, LinkedIn, Office [VirusTotal link] 

In each of these cases, attackers are leveraging the names of reputable brands to reduce the chances of their malware being detected by security systems. This tactic not only makes it harder for automated systems to flag the malware but also lures users into a false sense of security when they see recognizable brands. 

Common Mistakes by Malware Creators 

While these malware campaigns are sophisticated, they are not without flaws. In several instances, Veriti’s research team identified errors in the way the samples connected to well-known URLs: they requested addresses under a legitimate brand domain that no real client would ask for, such as “https://www.amazon.com/Amazon.com”, where the brand’s own domain name is repeated as the path. 

These malformed URLs are a useful indicator of malicious intent, since legitimate applications do not request them. At the same time, such mistakes are a reminder that attackers iterate: an indicator that works today may be corrected in the next build, so detection should not depend on a single hard-coded string. 

Why Malware Uses Brand Impersonation 

The primary reason malware creators use brand impersonation is to make their payloads appear legitimate to both users and security systems. By associating the malware with trusted brands, the attackers aim to avoid detection and successfully deliver their malicious payloads. This tactic can also deceive users into interacting with the malware, thinking that it is related to a trusted service they use frequently, like Amazon or LinkedIn. 

Recommendations for Protecting Your Organization 

Validate your sandbox configuration:

Ensure that your sandbox is equipped with both static and behavioral analysis capabilities to detect malware attempting to evade detection. This can help flag suspicious behavior like connecting to known malformed URLs or performing time-based checks to detect sandbox environments. Also confirm that the sandbox does not give itself away: patched or fast-forwarded sleeps, a cursor that never moves and default virtual-machine hardware identifiers are exactly the tells a sample looks for. 

Monitor specific URLs, not just domains:

While it’s important to monitor domains, the real signal often lies in the specific URLs that malware connects to: a request to a reputable domain passes a domain-level allowlist, but a path such as “https://www.amazon.com/Amazon.com” is one no legitimate client would request. Alerting on specific URL patterns of this kind, rather than on the domain alone, can provide early warning of malware activity. 
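One way to implement URL-level monitoring of this kind, as an added example that is not Veriti’s tooling: a small scanner over constructed proxy log lines that flags requests to a monitored brand domain whose path is itself a domain name. It generalizes the one URL the post gives to any hostname-like path segment; the brand list, the TLD set and the log lines are assumptions made up for the demonstration.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Added example, not Veriti's detection logic. The brand list, the TLD set
# and the proxy log lines below are constructed for illustration.

MONITORED_BRANDS = {
    "amazon.com", "costco.com", "target.com",
    "linkedin.com", "booking.com", "cnn.com",
}

# Deliberately narrow so "index.html" or "app.min.js" are not mistaken for
# hostnames; widen it to match what your users actually request.
KNOWN_TLDS = {"com", "net", "org", "io", "co"}
HOSTLIKE_SEGMENT = re.compile(r"^(?:[a-z0-9-]+\.)+([a-z]{2,})$", re.IGNORECASE)


def brand_for_host(host: str) -> Optional[str]:
    """Return the monitored brand that owns `host`, if any."""
    host = host.lower().rstrip(".")
    for brand in MONITORED_BRANDS:
        if host == brand or host.endswith("." + brand):
            return brand
    return None


def classify_url(url: str) -> Optional[str]:
    """Return a reason if `url` is a brand domain with a malformed path.

    Domain-level reputation rates every one of these hosts as clean; the
    tell is a path that no legitimate client of the brand requests, e.g.
    the brand's own domain repeated as the path ("/Amazon.com").
    """
    parsed = urlparse(url)
    brand = brand_for_host(parsed.hostname or "")
    if brand is None:
        return None  # not a brand we watch at URL granularity
    for segment in filter(None, parsed.path.split("/")):
        lowered = segment.lower()
        if lowered == brand or lowered.endswith("." + brand):
            return f"brand domain repeated in path: /{segment}"
        match = HOSTLIKE_SEGMENT.match(segment)
        if match and match.group(1).lower() in KNOWN_TLDS:
            return f"hostname-like path segment: /{segment}"
    return None


# Constructed proxy log: timestamp, source IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2024-09-10T12:00:01Z 10.0.0.5 GET https://www.amazon.com/Amazon.com 200
2024-09-10T12:00:02Z 10.0.0.6 GET https://www.amazon.com/gp/cart/view.html 200
2024-09-10T12:00:03Z 10.0.0.7 GET https://www.target.com/www.target.com 404
2024-09-10T12:00:04Z 10.0.0.8 GET https://example.org/Amazon.com 200
2024-09-10T12:00:05Z 10.0.0.9 GET https://www.costco.com/booking.com 200
2024-09-10T12:00:06Z 10.0.0.10 GET https://www.linkedin.com/feed/ 200
"""


def scan_proxy_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source_ip, url, reason) for each request that trips a rule."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated line; skip rather than crash
        _ts, src_ip, _method, url, _status = fields[:5]
        reason = classify_url(url)
        if reason:
            hits.append((src_ip, url, reason))
    return hits


if __name__ == "__main__":
    for src_ip, url, reason in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{src_ip:<10} {url:<45} {reason}")
```

Note what the scanner does not flag: the request to example.org with the same "/Amazon.com" path. That host is not a brand anyone impersonates here, and the rule is deliberately scoped to hosts that domain reputation would wave through, which is where path-level inspection adds signal.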

Run EDR with static and behavioral analysis:

Integrating endpoint detection and response (EDR) solutions that combine both static and behavioral analysis can help detect connections to these malicious URLs, even when the domain itself may seem benign. 

By using well-known brands like Amazon, Costco, and Target, these malware campaigns are trying to blend in with legitimate traffic to avoid raising suspicion. As the use of brand impersonation in malware continues to grow, it’s critical for organizations to stay vigilant, continually update their security measures, and enforce detailed URL monitoring to catch these sophisticated threats early. 

Veriti’s research has shown that even the most trusted names can be leveraged by cybercriminals to compromise security. Stay alert, ensure your security tools are configured properly, and always be on the lookout for suspicious connections to well-known brands. 

*** This is a Security Bloggers Network syndicated blog from VERITI authored by Veriti Research. Read the original post at: https://veriti.ai/blog/how-malware-is-evolving-sandbox-evasion-and-brand-impersonation/