Benchmark Six Sigma Forum

Sohan Subhash Mirajkar

Lean Six Sigma Green Belt

Solutions

  1. Sohan Subhash Mirajkar's post in Sandbox was marked as the answer   
    Sandboxing is a part of automated technology for malware detection that's widely used by several antivirus programs and other security applications. We place a potentially dangerous program into a controlled virtual environment where it cannot cause any harm; security software can then analyse the behaviour of the malware and develop security measures against it.

    Sandbox-evading malware is a new type of malware that can detect if it's inside a sandbox or virtual environment. Such malware doesn't execute its malicious code until it's outside of the controlled environment.
    The first malware that surpassed the sandbox protection was detected in the year 1980.

    Real-world examples of sandbox-evading malware
    Locky ransomware, which was released in 2016, is a good example of a sandbox-evading virus. It was spread through JavaScript code that was infected with encrypted DLL files. In mid-2018, a new version of malware called the RogueRobin trojan was detected in the Middle East. This government-organisation-based malware was spread via email in an attached RAR archive. In 2019, hackers used the HAWKBALL backdoor to attack the government sector in Central Asia. This malware exploited vulnerabilities in Microsoft Office to deliver payloads and collect system information. In March 2019, a new sample of macOS malware using improved sandbox-evading techniques was detected. As opposed to its ancestors, OSX_OCEANLOTUS.D had a Mach-O signature with a UPX string that allowed it to go unnoticed during static analysis in a virtual environment.
    Protection from sandbox-evading malware:
    1. Dynamically change sleep duration
    2. Simulate human interactions
    3. Add real environmental and hardware artifacts
    4. Perform static in addition to dynamic analysis
    5. Use fingerprint analysis
    6. Use behavior-based analysis
    7. Customize your sandboxing
    8. Add kernel analysis
    9. Implement machine learning
    10. Consider content disarm and reconstruction (CDR) as an extra security layer
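
Item 6 (behavior-based analysis) sketched as code; this is an added example, not part of the original post. It scores a sandbox API trace for stalling, sleep-timing checks and user-activity probing, and treats an evasive run with no observable actions as a reason to re-run rather than as a clean result. The event schema, the threshold and both traces are constructed assumptions.

```python
import json

# Assumed event schema (not a real sandbox's format): {"api": name, "ms": delay}
STALL_MS = 120_000  # assumed threshold for total requested sleep
SLEEP = {"Sleep", "NtDelayExecution"}
CLOCK = {"GetTickCount", "QueryPerformanceCounter"}
INPUT = {"GetCursorPos", "GetLastInputInfo", "GetAsyncKeyState"}
ACTION = {"CreateFileW", "WriteFile", "connect", "CreateProcessW"}

# Constructed traces, one JSON event per line.
EVASIVE_TRACE = """
{"api": "GetTickCount"}
{"api": "Sleep", "ms": 300000}
{"api": "GetTickCount"}
{"api": "GetCursorPos"}
{"api": "GetCursorPos"}
{"api": "GetLastInputInfo"}
{"api": "ExitProcess"}
"""
ORDINARY_TRACE = """
{"api": "CreateFileW"}
{"api": "Sleep", "ms": 500}
{"api": "WriteFile"}
"""

def parse_trace(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def evasion_findings(events):
    apis = [e["api"] for e in events]
    findings = set()
    if sum(e.get("ms", 0) for e in events if e["api"] in SLEEP) >= STALL_MS:
        findings.add("stalling")
    # A clock read on both sides of a sleep suggests the sample is measuring
    # whether the sandbox shortened the delay.
    for prev, cur, nxt in zip(apis, apis[1:], apis[2:]):
        if cur in SLEEP and prev in CLOCK and nxt in CLOCK:
            findings.add("sleep-timing-check")
    if sum(a in INPUT for a in apis) >= 3:
        findings.add("user-activity-probe")
    return findings

def verdict(events):
    findings = evasion_findings(events)
    acted = any(e["api"] in ACTION for e in events)
    if findings and not acted:
        return "evasive-rerun"  # a quiet run is not a clean run
    return "suspicious" if findings else "no-evasion-indicators"
```

An "evasive-rerun" verdict is the cue to apply items 1 to 3 of the list (varied sleep handling, simulated interaction, realistic artifacts) on a second run.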
