Hiding in plain sight is a tried-and-true tactic honed over millions of years in nature. A butterfly that looks like a flower. A praying mantis that waits for bugs to wander within striking distance. A chameleon that blends into its background. Animals as diverse as insects, reptiles, and mammals know that hiding in plain sight is a good way to get a meal — or to avoid becoming something else’s lunch.
Cybercriminals and other malicious actors are taking their cue from nature, mimicking normal user behavior to evade traditional detection techniques and breach corporate networks. These Highly Evasive Adaptive Threats (HEAT) bypass traditional web security measures and leverage web browser features to deliver malware or compromise credentials. If successful, HEAT attacks render all browser-based security defenses helpless — including the sandbox. Also helpless are file inspections, network- and HTTP-level inspections, malicious link analysis, offline domain analysis, and indicator of compromise (IOC) feeds.
Evading the sandbox
HEAT attacks evade all of these traditional methods of detection by disguising malicious activity as normal user behavior. Because HEAT attacks resemble legitimate activity, organizations can’t rely solely on blocking them, any more than a bug can avoid being eaten by a praying mantis simply by staying away from anything that looks like a leaf. The sandbox, used by millions of organizations around the world, cannot distinguish good behavior from bad on its own — making it increasingly difficult to detect and respond to today’s most common and disruptive cyberattacks, such as malware and ransomware.
Here are four tactics that HEAT attacks use to evade the sandbox:
1. HTML smuggling
Attackers are increasingly hiding malicious payloads directly in HTML code by leveraging legitimate JavaScript and HTML5 features. The encoded payload arrives as a JavaScript blob embedded in an email or attachment; the browser decodes the script, which then assembles the payload on the user’s device. Because the malware is built locally, behind the firewall, it never passes through the sandbox in inspectable form — allowing it to evade detection.
Example: ISOMorph infection
2. Password-protected files
Another technique is to deliver malicious code in a password-protected file, which the sandbox cannot open and therefore cannot inspect. Masquerading as a critical file that contains sensitive information — such as payment card industry (PCI) data or personally identifiable information (PII) that is exempt from sandbox inspection per policy — allows the attacker to evade the sandbox. Once past this initial line of defense, the payload is assembled on the end device and spread throughout the network.
Example: Qbot malware uses password-protected files
3. Oversize archive files
Security teams are always cognizant of protecting the enterprise without impacting productivity, and sending every file to the sandbox for inspection is a good example of how to grind productivity to a halt. Policies dictate which files are sent on to the end user based on file type and, yes, size. Most files under 100MB can be analyzed by the sandbox and then delivered to the end user. Files greater than 100MB are rejected by the sandbox and, depending on policy, are either blocked or passed straight through to the end user to avoid impacting productivity or generating excessive help desk tickets. Malicious actors exploit this pass-through policy to evade the sandbox by sending oversize files that ultimately assemble their payload on the end device.
Example: Solarmarker leveraging SEO poisoning to download malicious payload
4. Evasion of the email path to avoid sandboxing
Threat actors are coming up with some ingenious ways of sidestepping malicious URL link analysis engines, which are traditionally implemented within the email path to analyze links before the user even sees them. Instead, they might deliver links through text messaging and SMS, social media, professional web networks, collaboration software, shared documents, shared folders, and Software as a Service (SaaS) platforms. Sending malicious links through these channels, which sit outside the inspected email path, evades the sandbox and allows the attacker to gain a foothold on the user’s end device.
Example: Hacker leverages MSFT Teams to deliver malware
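Of the four tactics above, HTML smuggling (tactic 1) leaves the most recognizable footprint in the attachment itself, because the in-browser assembly has to decode a blob, wrap it in a downloadable object and trigger the download. The following heuristic scanner, added here as an illustration and not code from the original article or any vendor product, checks an HTML document for those three stages plus a long embedded base64 literal; the two sample documents are constructed for the example, and the threshold of 256 base64 characters is an assumed tuning value.

```python
"""Heuristic scanner for HTML attachments that may carry a smuggled payload.

Flags documents whose script decodes an embedded blob, wraps it in a Blob /
object URL and triggers a browser download, i.e. the in-browser assembly that
lets the payload bypass file inspection at the gateway.
"""
import re

# Indicators grouped by the stage of in-browser assembly they belong to.
INDICATORS = {
    "decode":   [r"\batob\s*\(", r"\bUint8Array\b", r"\bcharCodeAt\s*\("],
    "blob":     [r"\bnew\s+Blob\s*\(", r"URL\.createObjectURL\s*\(",
                 r"msSaveOrOpenBlob\s*\("],
    "download": [r"\.download\s*=", r"\bdownload\s*=\s*[\"']", r"\.click\s*\("],
}
# A long base64-looking string literal suggests an embedded, encoded payload.
# 256 characters is an assumed threshold; tune it against real attachments.
LONG_B64 = re.compile(r"[\"'][A-Za-z0-9+/]{256,}={0,2}[\"']")


def scan_html(html: str) -> dict:
    """Return the stages seen in one HTML document and a verdict."""
    stages = {name: any(re.search(p, html) for p in pats)
              for name, pats in INDICATORS.items()}
    stages["embedded_b64"] = bool(LONG_B64.search(html))
    runtime_hits = sum(stages[s] for s in ("decode", "blob", "download"))
    # All three runtime stages together, or two of them next to an embedded
    # payload, is the profile of a download assembled inside the browser.
    suspicious = runtime_hits == 3 or (runtime_hits >= 2 and stages["embedded_b64"])
    return {"stages": stages, "verdict": "suspicious" if suspicious else "benign"}


# Constructed samples for the example (not real attachments).
BENIGN_HTML = """<html><body><form action="/login" method="post">
<input name="user"><input type="password" name="pw"><button>Sign in</button>
</form><script>document.querySelector('button').focus();</script></body></html>"""

SMUGGLING_HTML = """<html><body><p>Loading document...</p><script>
var blob = new Blob([atob("%s")]);
var a = document.createElement('a');
a.href = URL.createObjectURL(blob); a.download = 'invoice.zip'; a.click();
</script></body></html>""" % ("A" * 400)   # placeholder literal, not a payload

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("smuggling", SMUGGLING_HTML)):
        print(label, scan_html(doc))
```

In a mail or web gateway this check belongs before the size and file-type policy, so an HTML attachment that scores as suspicious is held or detonated rather than passed through as a harmless web page.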
The only way to know for sure whether innocuous-seeming content or behavior is good or bad is to avoid the question altogether by taking a preventive stance on security. Many organizations today are coupling a Zero Trust mindset with isolation-powered security solutions as an answer. This creates an abstraction layer between the Internet and users’ devices, routing all web content — good and bad — through an isolated layer. This prevents HEAT attacks and renders their evasion techniques moot.