
API Hammering Sandbox Evasion Technique Used by Popular Malware

Security researchers discovered a new sandbox evasion technique.

Called API hammering, the technique issues a very large number of calls to Windows APIs purely to burn time, so that the malicious code does not run until the sandbox's analysis window has elapsed. The discovery comes from Palo Alto Networks' Unit 42 researchers, who came across Zloader and BazarLoader samples that used this API hammering technique.

API Hammering: Sandbox Evasion Technique

What makes API hammering different from the usual sandbox evasion tricks that malware utilizes?

Many malware families use either the so-called Ping Sleep technique, in which the malicious program repeatedly sends ICMP packets to a particular IP address in a loop, or the Windows API function Sleep. Researchers say API hammering is more effective than either: the flood of API calls delays the malicious routines just as a sleep would, but the sandbox sees ordinary-looking activity instead of a Sleep call it can hook and shorten or a ping loop it can recognise.

In BazarLoader, the API hammering function is located in the malware packer, delaying the payload unpacking process to evade detection, so the delay runs before any of the real payload is even present in memory. "Without completing the unpacking process, the BazarLoader sample would appear to be just accessing random registry keys, a behavior that can also be seen in many legitimate types of software," the report said.
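One way a sandbox triage script can surface the pattern the report describes is shown below, as an added example that is not code from the article or from Unit 42. It parses a constructed API-call trace (the "ms, API name, first argument" line format, the API lists and every threshold are assumptions) and reports how much of the activity before the first payload-style call was benign-looking registry and file calls.

```python
"""Triage a sandbox API-call trace for API hammering.

Added example, not code from the article or the Unit 42 report. The trace
format ("ms<TAB>api<TAB>first argument"), the API lists and every threshold
below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiCall:
    t_ms: int   # milliseconds since process start
    api: str    # Windows API name as logged by the sandbox
    arg: str    # first argument (registry path, file name, ...)


# Cheap, benign-looking calls a packer can issue by the thousand to burn time
HAMMER_APIS = {"RegOpenKeyExW", "RegQueryValueExW", "RegCloseKey",
               "GetFileAttributesW", "FindFirstFileW"}

# Calls that mark the start of real behaviour once the payload is unpacked
PAYLOAD_APIS = {"VirtualAlloc", "VirtualProtect", "CreateThread",
                "CreateProcessW", "InternetOpenW", "connect"}


def parse_trace(text: str) -> list[ApiCall]:
    """Parse the assumed 'ms<TAB>api<TAB>arg' line format; skip comments and blanks."""
    calls = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        t, api, arg = line.split("\t", 2)
        calls.append(ApiCall(int(t), api, arg))
    return calls


def assess(calls: list[ApiCall], min_hammer_calls: int = 1000,
           min_share: float = 0.9) -> dict:
    """Summarise what the sample did before its first payload-style call.

    Thousands of registry/file calls making up almost all of the pre-payload
    activity is the API-hammering pattern: the process looks like it is merely
    accessing random registry keys while the sandbox clock runs out.
    """
    first_payload = next((c for c in calls if c.api in PAYLOAD_APIS), None)
    pre = calls if first_payload is None else [c for c in calls if c.t_ms < first_payload.t_ms]
    hammer = [c for c in pre if c.api in HAMMER_APIS]
    share = len(hammer) / len(pre) if pre else 0.0
    result = {
        "delay_ms": None if first_payload is None else first_payload.t_ms - calls[0].t_ms,
        "pre_payload_calls": len(pre),
        "hammer_calls": len(hammer),
        "hammer_share": round(share, 4),
        "distinct_targets": len({c.arg for c in hammer}),
        "verdict": "none",
    }
    if len(hammer) >= min_hammer_calls and share >= min_share:
        result["verdict"] = "api_hammering"
    return result


def _build_trace(iterations: int) -> str:
    """Construct a synthetic trace: loader setup, `iterations` rounds of
    open/query/close on CLSID keys, then unpacking and a network call."""
    lines = ["# constructed sample trace", "0\tGetModuleHandleW\tkernel32.dll",
             "1\tLoadLibraryW\tadvapi32.dll"]
    t = 2
    for i in range(iterations):
        key = f"HKLM\\SOFTWARE\\Classes\\CLSID\\{{{i % 97:08x}-0000-0000-0000-000000000000}}"
        lines.append(f"{t}\tRegOpenKeyExW\t{key}")
        lines.append(f"{t + 1}\tRegQueryValueExW\tInprocServer32")
        lines.append(f"{t + 2}\tRegCloseKey\t{key}")
        t += 3
    lines.append(f"{t}\tVirtualAlloc\t0x00000000")
    lines.append(f"{t + 5}\tVirtualProtect\tPAGE_EXECUTE_READ")
    lines.append(f"{t + 9}\tCreateThread\t0x00401000")
    lines.append(f"{t + 40}\tInternetOpenW\tMozilla/5.0")
    return "\n".join(lines)


# A packer that hammers the registry for about 6 s, versus a program that reads three keys
HAMMERING_TRACE = _build_trace(2000)
BENIGN_TRACE = _build_trace(3)

if __name__ == "__main__":
    for name, trace in (("hammering", HAMMERING_TRACE), ("benign", BENIGN_TRACE)):
        print(name, assess(parse_trace(trace)))
```

The verdict is deliberately tied to both the count and the share of benign-looking calls, not the count alone: an installer or a COM-heavy application legitimately reads thousands of keys, but it also does other things in between. On real sandbox output, compare the reported delay with the sandbox's analysis timeout; a sample whose first payload-style call lands just past that timeout is the one that would have looked clean.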

Last year, security researchers detailed another previously unknown evasion technique. Called Process Ghosting, it could be used by a threat actor to bypass security protections and run malicious code on a Windows system.

Detailed by Elastic Security researcher Gabriel Landau, the technique is an executable image tampering attack, similar in spirit to the earlier Process Doppelgänging and Process Herpaderping attacks.

“With this technique, an attacker can write a piece of malware to disk in such a way that it’s difficult to scan or delete it — and where it then executes the deleted malware as though it were a regular file on disk. This technique does not involve code injection, process hollowing, or Transactional NTFS (TxF),” Landau said.

Milena Dimitrova
