According to researchers at Cisco, the Chanitor dropper malware is targeting enterprises via phishing emails that purport to come from the Microsoft Volume Licensing Center (MVLC). Interestingly, Chanitor uses Red Pill-style techniques to actively determine whether it is running inside a sandbox, and it lies dormant for up to 30 minutes before making any connections out to the Internet. Some interesting observations about Chanitor:
- The domains in the links in the phishing email all lead to vulnerable, compromised WordPress servers
- The downloaded ZIP file contains a Windows executable with an .SCR extension (a screensaver is an ordinary PE file, so double-clicking it runs it like any .EXE)
- Initial antivirus detection was low: only 9 of 57 engines flagged the sample
- "The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything"
- Tor is growing more commonplace as a means of C2 and exfiltration
Virtual execution, a.k.a. sandboxing, is as vulnerable to evasion as signature matching is. Ever since Joanna Rutkowska released the "Red Pill" (a single unprivileged SIDT instruction that exposed the relocated interrupt descriptor table of the hypervisors of the day), malware authors have consistently incorporated techniques to detect and evade sandboxes. Chanitor is taking proactive steps to stay under the radar when it encounters one: it checks for a virtualized environment and holds off its network activity for up to 30 minutes, longer than most automated sandboxes run a sample. Unfortunately, we in the security industry are still relying on antiquated mechanisms to thwart malware, and the volume of malware keeps rising with no sign of stopping. Phishing, unlike other malware delivery methods, is especially difficult for existing security mechanisms to prevent because it exploits the human psyche rather than a software flaw. Maybe it's time we step back and think about completely eliminating classes of threats instead of playing cat and mouse with malware?
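For readers who have not seen it, here is the Red Pill check itself, reconstructed as an added example. This is not Cisco's code and not Chanitor's; it follows Rutkowska's 2004 heuristic (read the IDT base with SIDT, flag a VM if the top byte of the 32-bit base exceeds 0xd0) and the enum names and helper functions are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Read the base address of the interrupt descriptor table via SIDT.
 * SIDT is unprivileged on x86, so a user-mode sample can execute it.
 * On non-x86 builds this returns 0 and the check simply does not apply.
 * Caveat: on CPUs with UMIP enabled, SIDT at CPL 3 faults; Linux
 * emulates it and hands back a fixed dummy base, so nothing is learned. */
uint64_t read_idt_base(void)
{
#if defined(__x86_64__)
    struct { uint16_t limit; uint64_t base; } __attribute__((packed)) idtr = {0, 0};
    __asm__ volatile ("sidt %0" : "=m"(idtr));
    return idtr.base;
#elif defined(__i386__)
    struct { uint16_t limit; uint32_t base; } __attribute__((packed)) idtr = {0, 0};
    __asm__ volatile ("sidt %0" : "=m"(idtr));
    return idtr.base;
#else
    return 0;
#endif
}

/* The original decision rule: SIDT stores 6 bytes in 32-bit mode
 * (2-byte limit, 4-byte base), and Red Pill compared byte 5, the most
 * significant byte of the base, against 0xd0. VMware relocated the guest
 * IDT to 0xffxxxxxx and Virtual PC to 0xe8xxxxxx, while a native 32-bit
 * Windows kernel kept it around 0x80xxxxxx. Returns 1 = looks virtualized. */
int redpill_flags_vm(uint32_t idt_base32)
{
    uint8_t top = (uint8_t)(idt_base32 >> 24);
    return top > 0xd0 ? 1 : 0;
}

enum redpill_verdict {
    RP_NOT_APPLICABLE = 0,  /* no base (non-x86) or a 64-bit base */
    RP_NATIVE = 1,
    RP_VM_SUSPECTED = 2
};

/* Wrap the 32-bit rule so it is not misapplied. A 64-bit kernel keeps the
 * IDT at a canonical high address (above 0xffffffff), and hardware-assisted
 * hypervisors do not relocate the guest IDT at all, so the threshold says
 * nothing there; report that rather than a bogus "native". */
enum redpill_verdict classify_idt_base(uint64_t base)
{
    if (base == 0 || base > 0xffffffffULL)
        return RP_NOT_APPLICABLE;
    return redpill_flags_vm((uint32_t)base) ? RP_VM_SUSPECTED : RP_NATIVE;
}

int main(void)
{
    uint64_t base = read_idt_base();
    printf("IDT base: 0x%llx -> verdict %d (0=n/a, 1=native, 2=VM suspected)\n",
           (unsigned long long)base, (int)classify_idt_base(base));
    return 0;
}
```

On a modern 64-bit host this prints verdict 0 whether or not you are in a VM, which is the practical point: the original Red Pill is a historical artifact of software-virtualized 32-bit guests, and what evasive samples like Chanitor do today is combine several such low-cost heuristics (descriptor tables, CPUID vendor strings, device names, timing) with a long sleep, so that a sandbox has to defeat all of them and still out-wait the dormancy period.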
Photo courtesy: dominiquegodbout