santiago silver - Fotolia

How can GravityRAT check for antimalware sandboxes?

A remote access Trojan -- dubbed GravityRAT -- was discovered checking for antimalware sandboxes by Cisco Talos. Learn how this technique works and how it can be mitigated.

Cisco Talos researchers discovered a remote access Trojan called GravityRAT that checks for antimalware sandboxes on targeted systems using temperature checks. How does this technique work? How can GravityRAT be mitigated?

Malware creators and the antimalware community have been engaged in an ongoing and constant cat and mouse game: Malware creators want to minimize the chance of their malware being detected, and if it is detected, they want to make it more difficult to analyze.

Malware analysis has significantly evolved as malware threats continue to grow in breadth, depth and volume. Automated systems use honeypots, sandboxes and virtual systems to look for network connections, file system calls, memory reads and behaviors to help prioritize an analyst's time.

The automated systems are not perfect and, at times, can be identified by malware. This enables the malware to evade detection by not executing at all or by changing the way it executes to make it more difficult to analyze.

To determine if a system is real and if a real human is using it, malware authors look at the IP address and hardware characteristics of the system. This can also help them evaluate if there are a sufficient number of real files on the system, a sufficient number of applications installed and mouse movements that are characteristic of a physical system rather than a virtual machine running in a sandbox.

Malware creators know that antimalware companies have limited resources and can't look deep into every piece of malware reported; however, they may not know how the malware is being analyzed. In response, malware creators have added checks to see if the host executing the malware is running on a virtual system or a malware analysis system.

Cisco Talos researchers recently discovered a remote access Trojan -- dubbed GravityRAT -- that queries system CPU temperature to determine the presence of antimalware sandboxes on targeted systems. GravityRAT makes system calls to query the hardware -- which not all virtual systems or sandboxes support -- and the results can be used to identify if the malware is running on an automated analysis system.

If the temperature check call fails, the malware assumes it's running on a virtual system. However, it should be noted that not all real computers support these system calls; it is a tradeoff malware authors made to add this check. Malware authors even appear to have uploaded multiple copies to VirusTotal when tuning their detection evasion.

In their analysis, the Cisco Talos researchers noted indicators of compromise that should be included in security tools in order to identify the affected systems and the tools that can be used to block attacks.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing