Seculert is reporting on a simple technique that defeats sandbox protection.

Seculert has identified Sazoora.B, a new version of the Sazoora.A Trojan. Among other things, what makes Sazoora.B new is that it waits 15 minutes before becoming active. The significance of this simple idea is that during this dormant phase the Trojan is undetectable. TechTarget SearchSecurity elaborates on this delay feature:

Many times, systems will delay delivering an email or connecting to a webpage until a file has successfully passed the sandbox. By delaying execution by, say, 15 minutes, the target’s malware analysis potentially could time out and the malware could pass onto the local system. The reason for this might be a configurable option that drops emails or connections if something hasn’t executed in a specific time period. This doesn’t depend on a local or remote sandbox; rather, it depends on how extensive the analysis is and the security policy the organization has configured in the system about how long to wait until passing a file to an endpoint.
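To make the interaction between a delayed-execution sample and a sandbox's time limit concrete, here is an added example; it is not code from Seculert, TechTarget or SP Guard. It simulates a sandbox gate that runs a sample for a fixed window and then either releases or holds the file, and it shows why a policy that treats long dormancy itself as a signal does not depend on outlasting the sample. The API names, the traces, the thresholds and the `analyze` function are all constructed for illustration.

```python
"""Added example (constructed, not from the original post): how a sandbox
analysis window interacts with a sample that sleeps before acting, and how
a dormancy threshold changes the outcome."""

from dataclasses import dataclass

# Constructed indicator set: behaviours the sandbox would flag on sight.
MALICIOUS_APIS = {"persist_registry_run", "inject_code", "beacon_c2"}


@dataclass
class Verdict:
    released: bool         # would the gate hand the file to the endpoint?
    malicious_seen: bool   # was a flagged behaviour observed inside the window?
    dormant_seconds: int   # cumulative sleeping observed before the verdict
    reason: str


def analyze(trace, window_seconds, max_dormancy_seconds=None, release_on_timeout=True):
    """Simulate a sandbox run over a constructed API trace.

    trace: list of (api_name, argument) tuples in execution order.
      'Sleep' advances the simulated clock by its argument (seconds);
      other calls are treated as instantaneous.
    window_seconds: how long the sandbox observes before the gate times out.
    max_dormancy_seconds: optional policy that holds a sample whose cumulative
      sleeping exceeds this value, regardless of what else it did.
    release_on_timeout: the gate policy the TechTarget quote describes as
      configurable; True means a sample that outlasts the window is released.
    """
    clock = 0
    dormant = 0
    for api, arg in trace:
        if api == "Sleep":
            clock += arg
            dormant += arg
            if max_dormancy_seconds is not None and dormant > max_dormancy_seconds:
                return Verdict(False, False, dormant, "held: excessive dormancy")
            if clock > window_seconds:
                return Verdict(release_on_timeout, False, dormant,
                               "timed out: nothing observed inside the window")
        elif api in MALICIOUS_APIS:
            return Verdict(False, True, dormant, f"held: observed {api}")
    return Verdict(True, False, dormant, "clean within window")


# Constructed trace: a sample that sleeps 15 minutes, then persists and beacons.
DELAYED_TRACE = [
    ("Sleep", 900),
    ("persist_registry_run", "constructed-run-key"),
    ("beacon_c2", "c2.example.invalid"),
]

# Constructed trace of a document that behaves normally.
BENIGN_TRACE = [("open_file", "survey.pdf"), ("Sleep", 1), ("render", "page 1")]


if __name__ == "__main__":
    # A 5-minute window with release-on-timeout lets the delayed sample through.
    print(analyze(DELAYED_TRACE, window_seconds=300))
    # Extending the window past the delay catches it, at the cost of throughput.
    print(analyze(DELAYED_TRACE, window_seconds=1200))
    # Treating dormancy as a signal catches it inside the short window.
    print(analyze(DELAYED_TRACE, window_seconds=300, max_dormancy_seconds=120))
    # The benign document is released under every policy.
    print(analyze(BENIGN_TRACE, window_seconds=300, max_dormancy_seconds=120))
```

The three runs on the delayed trace show the trade-off a security team faces: a longer window costs analysis capacity and delays mail for everyone, whereas a dormancy threshold (or a sandbox that accelerates sleeps) keeps the window short and still holds the sample. Whichever policy is chosen, the decision to release on timeout is the setting that turns a simple delay into an evasion.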

Once the next generation firewall has been evaded, the attack email is delivered to the endpoint. At the endpoint resides the APT attacker’s unsuspecting accomplice — the user. At this point, the user is confronted with:

  • a technically valid email which has evaded all email filtering,
  • an exploit which has evaded all detection processes,
  • a deceptive message with an enticing call to action which will execute the exploit.

The email has been socially engineered so that it is not suspicious. The unsuspecting user is highly likely to “take the bait” and launch the exploit. Fortunately, at this critical phase of the attack, SP Guard can warn the user that the email is not what it appears to be.

[Image: inbox after]

In this example, absent the warning from SP Guard, the user would have no reason to suspect that the user survey request was actually an attack. This demonstrates the methodology of social engineering — create a message that rings true and important to the human victim. With SP Guard, instead of being compromised, the user can send the suspicious email to IT for expert analysis and prompt defensive action.