Limits of Automation
How Interactive Sandboxing Can Benefit Your Organization
By Vlad Ananin, Technical Writer at Any.Run
The current rate and complexity of cyber attacks are making it harder than ever for companies to manage their security. In this context, automation provides significant value, alleviating the burden of manual tasks for professionals and improving security operations.
However, some situations still call for human intervention and monitoring. Many of them concern sandboxing. Here are common scenarios where automated sandboxes give way to interactive ones.
What is Interactive Sandboxing?
Interactive sandboxing is a malware analysis approach that combines the speed and scalability of automation with the depth and nuance of manual analysis. Unlike automated sandboxes, which exclusively rely on predefined scripts and rules to analyze malware, interactive sandboxes enable analysts to manually interact with the malware and manipulate its environment.
Interactive sandbox interface
Thanks to interactivity, analysts can perform a wider range of activities that can benefit their investigations. These involve copying from and pasting to the VM, downloading and running additional files, using a web browser, and even rebooting the system. This approach provides a more comprehensive understanding of the malware’s behavior, functionality, and intent.
Let’s look at the situations where such an approach proves more effective than the automated one.
Scenario 1: Complex Evasion Techniques
Some malware exhibits behavior that automated sandboxes may struggle to analyze. Such behavior usually concerns the need for human interaction on the part of the user, which is hard to perform in an automated solution. Interactivity allows analysts to engage with the targeted system as they would on an actual computer.
- Steganography: Consider the steganography technique, which attackers have employed in many campaigns over the past year. One of the most common implementations of this method involves hiding malicious code inside an image. An interactive sandbox enables analysts to manually extract such content and view its details. Check out this analysis of a stegocampaign, where an image with a base64 encoded executable was used.
Steganography campaign example
- CAPTCHAs: There are also other techniques employed by threat actors that allow them to bypass automated solutions. CAPTCHAs are a prominent example of this, as they have been employed in hundreds of phishing attacks as a simple yet reliable evasion technique. Interactivity enables analysts to easily address this by manually solving the test and proceeding to the next stage of the attack, exposing it entirely.
- Mouse movement: Another common sandbox evasion technique involves using mouse movement to trigger malware detonation. While some automated solutions may include mouse emulation mechanics, certain malware can still detect artificial movement. An interactive service can help users overcome this obstacle by providing them with complete control over the virtual machine, making it possible to mimic natural mouse movements and successfully analyze the malware.
Scenario 2: Proof of concept testing
Interactive malware sandboxes are more fitting for proof of concept (PoC) testing compared to automated ones due to their flexibility and customization capabilities. With an interactive sandbox, analysts can manipulate the environment and closely observe the malware’s behavior.
This hands-on approach allows analysts to test specific scenarios that may not be covered by automated sandboxes.
Take CVE-2024-21413, also known as MonikerLink, one of the vulnerabilities discovered this year. This flaw can lead to the compromise of an NTLM Hash in Outlook, enabling the remote execution of malicious code without the user’s notice.
CVE-2024-21413 sandbox analysis results
An interactive sandbox can greatly benefit professionals who wish to explore the proof of concept of this and other vulnerabilities.
In the case of MonikerLink, they can set up a local VPN network and connect the cloud-based sandbox to it to view the entire attack execution process. Such testing can offer first-hand insights into the vulnerability, which are needed for the training of junior staff and the development of effective detection and mitigation strategies.
Scenario 3: Attack Details
Understanding the details of an attack is crucial for effective response and remediation. However, automated sandboxes may not provide sufficient details about the attack, such as the specific events leading to the infection.
Interactive sandboxes, on the other hand, provide a more exhaustive picture of the attack, highlighting its context and impact.
Script execution that is part of a multi-stage attack is an example of an activity that often lacks details in automated solutions.
Deobfuscated PowerShell script displayed by the sandbox
Interactive sandboxes like ANY.RUN not only detect scripts, including JScript, VBA, and VBScript, executed during the analysis, but also offer a detailed breakdown of their functions, as well as their inputs and outputs. The same goes for PowerShell scripts, found to be the fourth most prevalent TTP in Q1 of 2024. An interactive sandbox simplifies their analysis, presenting a deobfuscated variant of the script for a clearer view of its purpose.
Interactive Malware Analysis with ANY.RUN
ANY.RUN is a cloud-based sandbox designed for interactive analysis. Thanks to the use of VNC technology, users can gain full control over the Windows and Linux VMs and interact with the system directly.
The sandbox on average detects threats in under 40 seconds and extracts indicators of compromise, as well as malware configs of both emerging and persisting malware families.
The service comes equipped with advanced tools for network, registry, and process analysis. It automatically maps all the malicious behavior to the MITRE ATT&CK matrix and generates a downloadable report featuring the findings collected during the analysis.
About the Author
Vlad Ananin is a technical writer at ANY.RUN. With 5 years of experience in covering cybersecurity and technology, he has a passion for making complex concepts accessible to a wider audience and enjoys exploring the latest trends and developments. Vlad can be reached online at the company website https://any.run/