Description
Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)
Adversaries may use several methods to accomplish Virtualization/Sandbox Evasion, such as checking for security monitoring tools (e.g., Sysinternals utilities, Wireshark) or for other system artifacts associated with analysis or virtualization (hypervisor guest-tools processes and drivers, vendor-specific registry keys, MAC address prefixes, CPUID vendor strings, or unusually small CPU, memory and disk allocations). Adversaries may also check for signs of legitimate user activity (mouse movement, recent documents, system uptime) to help determine whether the malware is running in an analysis environment. Additional methods include the use of sleep timers or loops within malware code so that the payload does not execute during the limited observation window of a sandbox.(Citation: Unit 42 Pirpi July 2015)
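The artifact, resource, user-activity and timing checks listed above, written out as an added example that is not part of the ATT&CK page or of any of the malware families listed below. It runs offline over a constructed host "snapshot" (a dict of the values a sample would collect from the OS), so the same logic can be used by an analyst to audit how much of a sandbox is exposed; the indicator lists, thresholds and field names are illustrative assumptions, not a definitive fingerprint set.

```python
"""Added example (not from the ATT&CK page): the artifact and timing checks
behind T1497, evaluated over a constructed host snapshot so it runs offline.
Indicator lists, thresholds and snapshot keys are illustrative assumptions."""
import time

# Well-known hypervisor MAC OUIs (first three octets, lower-case).
VM_MAC_OUIS = {
    "00:05:69": "VMware", "00:0c:29": "VMware", "00:1c:14": "VMware",
    "00:50:56": "VMware", "08:00:27": "VirtualBox", "00:15:5d": "Hyper-V",
    "52:54:00": "QEMU/KVM", "00:16:3e": "Xen", "00:1c:42": "Parallels",
}
# Guest-tools processes that only exist inside a VM.
VM_PROCESSES = {"vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe",
                "vboxservice.exe", "vboxtray.exe", "qemu-ga.exe", "xenservice.exe"}
# Analysis tools of the kind the description mentions (Sysinternals, Wireshark, debuggers).
ANALYSIS_PROCESSES = {"procmon.exe", "procmon64.exe", "procexp.exe", "procexp64.exe",
                      "wireshark.exe", "tcpview.exe", "autoruns.exe",
                      "x64dbg.exe", "x32dbg.exe", "ollydbg.exe", "ida64.exe", "fiddler.exe"}
# CPUID leaf 0x40000000 vendor strings reported by common hypervisors.
HYPERVISOR_VENDORS = {"VMwareVMware", "VBoxVBoxVBox", "KVMKVMKVM", "Microsoft Hv", "XenVMMXenVMM"}


def vme_indicators(snapshot):
    """Return the VME/sandbox indicators present in a host snapshot dict.
    Keys (all optional): macs, processes, cpuid_vendor, cpu_count, ram_gb,
    disk_gb, uptime_s, recent_docs, mouse_moved. A missing key is treated as
    unknown and yields no indicator."""
    found = []
    for mac in snapshot.get("macs", []):
        oui = mac.lower()[:8]
        if oui in VM_MAC_OUIS:
            found.append(f"mac_oui:{VM_MAC_OUIS[oui]}")
    procs = {p.lower() for p in snapshot.get("processes", [])}
    found += [f"vm_process:{p}" for p in sorted(procs & VM_PROCESSES)]
    found += [f"analysis_tool:{p}" for p in sorted(procs & ANALYSIS_PROCESSES)]
    if snapshot.get("cpuid_vendor") in HYPERVISOR_VENDORS:
        found.append(f"cpuid_vendor:{snapshot['cpuid_vendor']}")
    # Resource thresholds: sandboxes are often provisioned far below a real desktop.
    if snapshot.get("cpu_count", 99) < 2:
        found.append("low_cpu_count")
    if snapshot.get("ram_gb", 999) < 2:
        found.append("low_ram")
    if snapshot.get("disk_gb", 9999) < 60:
        found.append("small_disk")
    # "Legitimate user activity" checks from the description.
    if snapshot.get("uptime_s", 10**9) < 600:
        found.append("short_uptime")
    if snapshot.get("recent_docs", 99) < 3:
        found.append("few_recent_documents")
    if snapshot.get("mouse_moved") is False:
        found.append("no_mouse_movement")
    return found


def sleep_skipped(requested_s, elapsed_s, tolerance=0.5):
    """Timing check behind 'sleep timer' evasion: a sandbox that patches Sleep()
    to return immediately makes the measured wall-clock gap far shorter than
    requested. Pure logic so it can be tested without actually sleeping."""
    return elapsed_s < requested_s * tolerance


def measure_sleep(requested_s):
    """Perform a real sleep and report whether it appears to have been skipped."""
    start = time.monotonic()
    time.sleep(requested_s)
    return sleep_skipped(requested_s, time.monotonic() - start)


# Constructed snapshots for demonstration (not captured from any real system).
SANDBOX_SNAPSHOT = {
    "macs": ["00:0C:29:4A:1B:9C"],
    "processes": ["explorer.exe", "vmtoolsd.exe", "Procmon64.exe", "svchost.exe"],
    "cpuid_vendor": "VMwareVMware",
    "cpu_count": 1, "ram_gb": 1, "disk_gb": 40,
    "uptime_s": 120, "recent_docs": 0, "mouse_moved": False,
}
WORKSTATION_SNAPSHOT = {
    "macs": ["3C:22:FB:10:20:30"],
    "processes": ["explorer.exe", "outlook.exe", "teams.exe", "svchost.exe"],
    "cpuid_vendor": "",
    "cpu_count": 8, "ram_gb": 16, "disk_gb": 512,
    "uptime_s": 86400 * 3, "recent_docs": 42, "mouse_moved": True,
}

if __name__ == "__main__":
    for name, snap in [("sandbox", SANDBOX_SNAPSHOT), ("workstation", WORKSTATION_SNAPSHOT)]:
        print(name, vme_indicators(snap))
    print("sleep skipped:", measure_sleep(0.2))
```

On a real host the snapshot fields come from `GetAdaptersAddresses`, process enumeration, the `cpuid` instruction, `GlobalMemoryStatusEx`, `GetTickCount64` and similar calls; the point of keeping the decision logic separate is that a defender can feed the same function the values a sandbox actually exposes and see exactly which indicators give it away.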
Platforms
Sub-Techniques (3)
Threat Groups (3)
| ID | Group | Context |
|---|---|---|
| G1052 | Contagious Interview | [Contagious Interview](https://attack.mitre.org/groups/G1052) has requested victims to disable Docker and other container environments in attempts to ... |
| G1031 | Saint Bear | [Saint Bear](https://attack.mitre.org/groups/G1031) contains several anti-analysis and anti-virtualization checks.(Citation: Palo Alto Unit 42 OutStee... |
| G0012 | Darkhotel | [Darkhotel](https://attack.mitre.org/groups/G0012) malware has employed just-in-time decryption of strings to evade sandbox detection.(Citation: Lastl... |
Associated Software (22)
| ID | Name | Type | Context |
|---|---|---|---|
| S0380 | StoneDrill | Malware | [StoneDrill](https://attack.mitre.org/software/S0380) has used several anti-emulation techniques to prevent automated analysis by emulators or sandbox... |
| S0483 | IcedID | Malware | [IcedID](https://attack.mitre.org/software/S0483) has manipulated Keitaro Traffic Direction System to filter researcher and sandbox traffic.(Citation:... |
| S0331 | Agent Tesla | Malware | [Agent Tesla](https://attack.mitre.org/software/S0331) has the ability to perform anti-sandboxing and anti-virtualization checks.(Citation: Malwareby... |
| S0268 | Bisonal | Malware | [Bisonal](https://attack.mitre.org/software/S0268) can check to determine if the compromised system is running on VMware.(Citation: Talos Bisonal Mar ... |
| S0484 | Carberp | Malware | [Carberp](https://attack.mitre.org/software/S0484) has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or othe... |
| S1070 | Black Basta | Malware | [Black Basta](https://attack.mitre.org/software/S1070) can make a random number of calls to the `kernel32.beep` function to hinder log analysis.(Citat... |
| S1130 | Raspberry Robin | Malware | [Raspberry Robin](https://attack.mitre.org/software/S1130) contains real and fake second-stage payloads following initial execution, with the real pay... |
| S0534 | Bazar | Malware | [Bazar](https://attack.mitre.org/software/S0534) can attempt to overload sandbox analysis by sending 1550 calls to <code>printf</code>.(Citation: Cybe... |
| S0666 | Gelsemium | Malware | [Gelsemium](https://attack.mitre.org/software/S0666) can use junk code to generate random activity to obscure malware behavior.(Citation: ESET Gelsemi... |
| S0023 | CHOPSTICK | Malware | [CHOPSTICK](https://attack.mitre.org/software/S0023) includes runtime checks to identify an analysis environment and prevent execution on it.(Citatio... |
| S0455 | Metamorfo | Malware | [Metamorfo](https://attack.mitre.org/software/S0455) has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of executi... |
| S1039 | Bumblebee | Malware | [Bumblebee](https://attack.mitre.org/software/S1039) has the ability to perform anti-virtualization checks.(Citation: Proofpoint Bumblebee April 2022) |
| S1207 | XLoader | Malware | [XLoader](https://attack.mitre.org/software/S1207) can utilize decoy command and control domains within the malware configuration to circumvent sandbo... |
| S1183 | StrelaStealer | Malware | [StrelaStealer](https://attack.mitre.org/software/S1183) payloads have used control flow obfuscation techniques such as excessively long code blocks o... |
| S0148 | RTM | Malware | [RTM](https://attack.mitre.org/software/S0148) can detect if it is running within a sandbox or other virtualized analysis environment.(Citation: Unit4... |
| S0554 | Egregor | Malware | [Egregor](https://attack.mitre.org/software/S0554) has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandbo... |
| S0046 | CozyCar | Malware | Some versions of [CozyCar](https://attack.mitre.org/software/S0046) will check to ensure it is not being executed inside a virtual machine or a known ... |
| S1020 | Kevin | Malware | [Kevin](https://attack.mitre.org/software/S1020) can sleep for a time interval between C2 communication attempts.(Citation: Kaspersky Lyceum October 2... |
| S1240 | RedLine Stealer | Malware | [RedLine Stealer](https://attack.mitre.org/software/S1240) has an anti-sandbox technique that requires the malware to consistently check with the C2 s... |
| S0147 | Pteranodon | Malware | [Pteranodon](https://attack.mitre.org/software/S0147) has the ability to use anti-detection functions to identify sandbox environments.(Citation: Unit... |
References
- Falcone, R. & Wartell, R. (2015, July 27). UPS: Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved April 23, 2019.
- Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
Frequently Asked Questions
What is T1497 (Virtualization/Sandbox Evasion)?
T1497 is a MITRE ATT&CK technique named 'Virtualization/Sandbox Evasion'. It belongs to the Defense Evasion and Discovery tactics. Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indi...
How can T1497 be detected?
T1497 is hard to detect directly, because the checks it relies on (reading hardware identifiers, enumerating processes and services, querying the registry or WMI, sleeping) are also ordinary system activity. ATT&CK's guidance is to monitor process creation, command execution and OS API calls (data sources Command: Command Execution, Process: OS API Execution and Process: Process Creation) and to look for a newly spawned or low-prevalence process that gathers a variety of system information, or performs other forms of Discovery, within a short period of time. Such events should be treated as part of a chain of behavior rather than in isolation: discovery will usually occur in the first steps of an operation but may recur as the adversary learns the environment.
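One way to turn that guidance into detection logic, as an added example that is not part of the ATT&CK page: flag a parent process that spawns several different kinds of VM/sandbox discovery commands within a short window. The telemetry lines, the log format, the command-line patterns and the thresholds are all constructed assumptions for illustration; map the fields onto your EDR's process-creation schema before using it.

```python
"""Added example (not from the ATT&CK page): detection of T1497-style
discovery bursts over constructed process-creation telemetry. The log
format, patterns and thresholds are illustrative assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed telemetry format: one process-creation event per line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+pid=(?P<pid>\d+)\s+ppid=(?P<ppid>\d+)\s+'
    r'parent=(?P<parent>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Command-line shapes that enumerate VM/sandbox artifacts, keyed by a short name
# so that *distinct kinds* of discovery can be counted rather than raw events.
VM_DISCOVERY_PATTERNS = {
    "systeminfo": re.compile(r"\bsysteminfo\b", re.I),
    "wmic_hw": re.compile(r"\bwmic\s+(computersystem|bios|diskdrive|cpu)\b", re.I),
    "wmi_hw": re.compile(r"Win32_(ComputerSystem|BIOS|DiskDrive|Processor)", re.I),
    "reg_vm": re.compile(r"\breg\s+query\b.*\\(VMware|VirtualBox|VBox|Oracle)", re.I),
    "svc_vm": re.compile(r"\bsc\s+query\s+(vboxservice|vmtools|vmmouse)", re.I),
    "tasklist": re.compile(r"\btasklist\b", re.I),
}


def parse_line(line):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def classify(cmdline):
    """Names of the discovery patterns a command line matches (possibly empty)."""
    return [name for name, rx in VM_DISCOVERY_PATTERNS.items() if rx.search(cmdline)]


def detect_discovery_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Alert on a parent process whose children perform >= min_distinct
    different kinds of VM/sandbox discovery within `window`. One alert per parent."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kinds = classify(ev["cmdline"])
        if kinds:
            by_parent[(ev["ppid"], ev["parent"])].append((ev["ts"], kinds, ev["cmdline"]))
    alerts = []
    for (ppid, parent), events in by_parent.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            distinct = {k for _, kinds, _ in in_window for k in kinds}
            if len(distinct) >= min_distinct:
                alerts.append({"ppid": ppid, "parent": parent,
                               "kinds": sorted(distinct),
                               "commands": [c for _, _, c in in_window]})
                break
    return alerts


# Constructed sample telemetry (not from any real incident): a dropped binary
# running four discovery commands in three seconds, then an administrator
# running similar commands from a console 25 minutes apart.
SAMPLE_TELEMETRY = r"""
2024-05-02T10:15:01Z pid=4120 ppid=3988 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c systeminfo"
2024-05-02T10:15:02Z pid=4124 ppid=3988 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\wbem\WMIC.exe cmdline="wmic computersystem get manufacturer,model"
2024-05-02T10:15:02Z pid=4130 ppid=3988 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\reg.exe cmdline="reg query \"HKLM\SOFTWARE\VMware, Inc.\VMware Tools\""
2024-05-02T10:15:03Z pid=4131 ppid=3988 parent=C:\Users\alice\AppData\Local\Temp\invoice.exe image=C:\Windows\System32\tasklist.exe cmdline="tasklist /fi \"imagename eq vmtoolsd.exe\""
2024-05-02T10:40:00Z pid=5000 ppid=4800 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\systeminfo.exe cmdline="systeminfo"
2024-05-02T11:05:12Z pid=5100 ppid=4800 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\tasklist.exe cmdline="tasklist"
2024-05-02T11:05:13Z pid=5101 ppid=4800 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -c Get-Process | Out-File procs.txt"
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_TELEMETRY):
        print(alert["parent"], alert["kinds"])
```

Counting distinct kinds per parent inside a window, rather than raw command counts, is what keeps the administrator's console quiet: two similar commands spread over 25 minutes never reach the threshold, while a fresh binary in a Temp directory that asks for BIOS, hypervisor registry keys, and the process list in three seconds does. Malware that performs the same checks in-process via API calls rather than child processes will not appear in process-creation data, which is why ATT&CK also points to OS API monitoring.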
What mitigations exist for T1497?
ATT&CK lists no preventive mitigation for T1497: the technique abuses legitimate system features (hardware queries, process and registry enumeration, timers), so it cannot be easily mitigated with preventive controls. The practical counter is on the analysis side. Harden sandboxes and analysis VMs so they resemble real user workstations (realistic hardware identifiers and MAC prefixes, no visible guest-tools or analysis processes, plausible uptime, documents and input activity, adequate CPU, memory and disk), and handle timing-based evasion (long sleeps, busy loops) so that samples execute their real payload while under observation.
Which threat groups use T1497?
Known threat groups using T1497 include: Contagious Interview, Saint Bear, Darkhotel.