The Hacker News posted an interesting article about LummaC2 malware's anti-sandbox capability, that is, its ability to detect that it is running inside a sandbox and hold back. That post can be found HERE. Why care? For those unfamiliar with these terms, let's first start with sandbox technology. Sandboxes are isolated environments for test-running software. A typical sandbox uses various techniques to coax the submitted sample into executing, including malware that waits for signs of a real user before it launches. Sandboxes monitor behavior and not only aim to detect malicious behavior, but also to learn about it. Techniques include simulating mouse movements, clicking executables, etc.
Many security solutions include sandbox capabilities. This is ideal for detecting unknown threats, i.e. things for which no detection signature exists yet. What is super interesting about LummaC2 is that the developers have purchased and evaluated modern sandboxes with the goal of building anti-sandbox detection. This means they build into the malware checks for non-human behavior, simulated mouse movements being one example. If the malware decides the movement is fake, it won't launch, so the sandbox observes nothing malicious and the sample may slip through: a possible detection bypass.
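To make the "fake movement" idea concrete, here is an added example (my own illustration, not LummaC2's code and not the algorithm from the article) of the kind of heuristic a sample could run over a short burst of cursor positions sampled at a fixed interval. The thresholds, the three labels and the sample traces are all constructed assumptions: a cursor that never moves looks like an unattended sandbox, a cursor that teleports across the screen or snaps through right-angle turns looks like a naive simulator, and a smooth, gently curving path looks like a hand on a mouse. The same function is useful on the defensive side, for checking whether your own sandbox's mouse simulator would pass such a test.

```python
import math
from typing import List, Tuple

Point = Tuple[int, int]


def displacements(points: List[Point]) -> List[Tuple[int, int]]:
    """Displacement vector between each pair of consecutive cursor samples."""
    return [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]


def turn_angles(points: List[Point]) -> List[float]:
    """Heading change in degrees (0..180) between consecutive displacement vectors.

    A zero-length displacement (cursor paused between two samples) contributes
    a 0 degree turn rather than a division by zero.
    """
    vecs = displacements(points)
    angles = []
    for (ax, ay), (bx, by) in zip(vecs, vecs[1:]):
        na, nb = math.hypot(ax, ay), math.hypot(bx, by)
        if na == 0 or nb == 0:
            angles.append(0.0)
            continue
        cos_t = max(-1.0, min(1.0, (ax * bx + ay * by) / (na * nb)))
        angles.append(math.degrees(math.acos(cos_t)))
    return angles


def classify_trace(points: List[Point],
                   max_turn_deg: float = 45.0,
                   max_jump_px: float = 200.0) -> Tuple[str, str]:
    """Label a cursor trace as 'idle', 'scripted' or 'human'.

    Hypothetical heuristic for illustration only (not LummaC2's real check):
      - no movement at all            -> 'idle'     (unattended sandbox)
      - a jump larger than max_jump_px -> 'scripted' (SetCursorPos-style teleport)
      - a turn sharper than max_turn_deg -> 'scripted' (random jitter, square paths)
      - otherwise                      -> 'human'    (smooth, continuous motion)
    Returns the label and a short reason string.
    """
    if len(points) < 3:
        raise ValueError("need at least three samples to measure a turn")
    if all(p == points[0] for p in points):
        return "idle", "cursor never moved between samples"
    for dx, dy in displacements(points):
        jump = math.hypot(dx, dy)
        if jump > max_jump_px:
            return "scripted", f"teleport of {jump:.0f}px between two samples"
    worst_turn = max(turn_angles(points))
    if worst_turn > max_turn_deg:
        return "scripted", f"heading change of {worst_turn:.0f} degrees"
    return "human", f"largest heading change only {worst_turn:.0f} degrees"


# Constructed sample traces (five samples each, as if taken at a fixed interval).
HUMAN_TRACE: List[Point] = [(100, 100), (112, 104), (125, 109), (139, 115), (154, 122)]
IDLE_TRACE: List[Point] = [(500, 500)] * 5
SQUARE_TRACE: List[Point] = [(100, 100), (110, 100), (110, 110), (100, 110), (100, 100)]
TELEPORT_TRACE: List[Point] = [(100, 100), (101, 100), (700, 500), (701, 500), (702, 500)]

if __name__ == "__main__":
    for name, trace in [("human", HUMAN_TRACE), ("idle", IDLE_TRACE),
                        ("square", SQUARE_TRACE), ("teleport", TELEPORT_TRACE)]:
        label, reason = classify_trace(trace)
        print(f"{name:9s} -> {label:9s} ({reason})")
```

The practical lesson for anyone running a sandbox is in the two "scripted" branches: a simulator that warps the cursor to random coordinates, or that moves it in straight segments with abrupt direction changes, is trivially distinguishable from a human even by a few lines of arithmetic, so the simulated motion has to be continuous and smoothly curved at the sampling rate the malware might use.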
Security has always been a cat and mouse game, meaning both sides adjust. It will be interesting to see how threat actors incorporate AI into anti-detection capabilities. For example, I predict the next flavor of this capability will have malware first learn about the user using AI and only launch after a user profile is created based on behavior. This means sandbox technology will also need to use AI to create human behavior in an automated fashion. Neither of these functions exists yet, but they are coming … trust me on that.