Security researchers discovered a new sandbox evasion technique.
Called API hammering, the technique uses a very large number of calls to Windows APIs to achieve an extended sleep condition, which in turn helps the malware evade detection in sandbox environments. The discovery comes from Palo Alto’s Unit 42 researchers, who came across Zloader and BazarLoader samples that used the API hammering technique.
API Hammering: Sandbox Evasion Technique
What makes API hammering different from the usual sandbox evasion tricks that malware utilizes?
Many malware families use either the so-called Ping Sleep technique, in which the malicious program repeatedly sends ICMP network packets to a particular IP address in a loop, or the Windows API function Sleep. Researchers say that API hammering is more efficient than these two: the sheer volume of API calls delays the execution of the malicious routines, so the malware effectively sleeps through the sandbox analysis process.
In BazarLoader, the API hammering function is located in the malware packer, delaying the payload unpacking process to evade detection. “Without completing the unpacking process, the BazarLoader sample would appear to be just accessing random registry keys, a behavior that can be also seen in many legitimate types of software,” the report said.
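A sandbox-side heuristic for the behaviour described above, written as an added example (it is not Unit 42's code and not taken from the samples): it scans an API-call trace for one-second windows that are both high-volume and dominated by repetitive, low-information calls such as registry reads, which is what a stalled unpacker looks like. The trace, the set of "low-value" APIs and the thresholds are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumption: which APIs count as "low information" is a tunable list, not a rule from
# the report. These are the calls a hammering loop can spin on without doing real work.
LOW_VALUE_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey", "GetTickCount"}

Trace = List[Tuple[float, str]]  # (timestamp in seconds, API name)


def windows_exceeding(trace: Trace, window: float = 1.0, min_calls: int = 500,
                      dominance: float = 0.9) -> List[Tuple[float, int, str]]:
    """Return (window_start, total_calls, top_api) for every time window whose
    call volume is at least min_calls and whose share of low-value APIs is at
    least `dominance`. Such windows are candidates for API hammering."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for ts, api in trace:
        buckets[int(ts // window)][api] += 1
    flagged = []
    for idx in sorted(buckets):
        calls = buckets[idx]
        total = sum(calls.values())
        low = sum(n for api, n in calls.items() if api in LOW_VALUE_APIS)
        if total >= min_calls and low / total >= dominance:
            top_api, _ = calls.most_common(1)[0]
            flagged.append((idx * window, total, top_api))
    return flagged


def hammering_seconds(trace: Trace, **kw) -> float:
    """Total time the sample spent in flagged windows; a large value means the
    sandbox's analysis budget is being burned before any real behaviour."""
    return round(len(windows_exceeding(trace, **kw)) * kw.get("window", 1.0), 3)


def build_constructed_trace(hammer_seconds: int = 3, calls_per_second: int = 2000) -> Trace:
    """Constructed trace (not a real sample): a registry-hammering loop followed by
    the kind of calls that only appear once the payload is actually unpacked."""
    trace: Trace = []
    for i in range(hammer_seconds * calls_per_second):
        api = ("RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey")[i % 3]
        trace.append((i / calls_per_second, api))
    t = float(hammer_seconds)
    trace += [(t + 0.1, "VirtualAlloc"), (t + 0.2, "WriteProcessMemory"),
              (t + 0.3, "CreateRemoteThread")]
    return trace


# Constructed benign-looking trace: a handful of registry and file calls at a normal rate.
BENIGN_TRACE: Trace = [(i * 0.5, api) for i, api in enumerate(
    ["RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey", "CreateFileW", "ReadFile", "CloseHandle"])]
```

Lowering `min_calls` makes ordinary registry access trip the check, so the volume threshold is what separates hammering from the legitimate software behaviour the report warns it imitates.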
Last year, security researchers detailed another previously unknown evasion technique. Called Process Ghosting, the technique could be exploited by a threat actor to bypass security protections and run malicious code on a Windows system.
Detailed by Elastic Security researcher Gabriel Landau, the technique is an image tampering attack, which is somewhat similar to previous attacks called Doppelgänging and Herpaderping.
“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF),” Landau said.