Windows Sandbox is a lightweight virtualization mechanism introduced in 2018, designed to provide an isolated desktop environment for quickly testing suspicious applications. However, this feature can also serve as a "magic cloak" for adversaries.

In 2024, we observed an abuse of Windows Sandbox by the APT group Earth Kasha, believed to operate under the APT10 umbrella. After gaining control of the target machine via a backdoor named "ANEL," delivered through a spear-phishing email, the adversary uploaded multiple components to deploy a secondary payload, dubbed "NOOPDOOR," within Windows Sandbox. First, the adversary configured Windows Sandbox with a .wsb file that enabled network access and mapped a host folder into the Sandbox, giving code inside the Sandbox access to host files. Next, they executed an installer script that extracted the NOOPDOOR components from a password-protected WinRAR archive and launched the payload inside the Sandbox. Additionally, the adversary leveraged the TOR application to obscure backdoor traffic originating from the Sandbox. Together, these techniques concealed the malicious activity from host-based EPP and EDR solutions.

This presentation will cover the fundamentals of Windows Sandbox, provide a detailed analysis of the TTPs used for defense evasion, and discuss actionable countermeasures for prevention and threat hunting.

By: Hiroaki Hara | Senior Threat Researcher, Trend Micro

Full Abstract and Presentation Materials Available: https://ift.tt/nbq1WfC
Source: https://www.youtube.com/watch?v=YFa_Cs_hSUM
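The abstract's key hunting artifact is the .wsb configuration itself: a file that enables networking, maps a host folder into the Sandbox, and optionally runs a logon command. The following triage script is an added example, not code from the talk or from Trend Micro; it parses the standard .wsb elements (Networking, MappedFolders, LogonCommand) and reports the settings that weaken isolation. The embedded sample .wsb and its paths are constructed for illustration.

```python
"""Triage a Windows Sandbox configuration (.wsb) for isolation-weakening settings."""
import xml.etree.ElementTree as ET

# Constructed sample .wsb, modelled on the settings described in the abstract
# (networking enabled, writable host folder mapped into the sandbox). Paths are placeholders.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\staging</HostFolder>
      <SandboxFolder>C:\\Users\\WDAGUtilityAccount\\Desktop\\staging</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\staging\\install.bat</Command>
  </LogonCommand>
</Configuration>"""


def assess_wsb(xml_text: str) -> list[str]:
    """Return human-readable findings for a .wsb file, one per risky setting."""
    root = ET.fromstring(xml_text)
    findings = []
    # Networking defaults to enabled; only an explicit "Disable" cuts the sandbox off.
    networking = (root.findtext("Networking") or "Default").strip().lower()
    if networking != "disable":
        findings.append(f"networking={networking}: sandbox can reach the network (C2/TOR egress possible)")
    # Every mapped folder exposes host files; ReadOnly defaults to false (writable).
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        mode = "read-only" if read_only else "WRITABLE"
        findings.append(f"host folder {host!r} mapped into sandbox ({mode})")
    # A logon command executes automatically when the sandbox starts.
    cmd = root.findtext("LogonCommand/Command")
    if cmd:
        findings.append(f"logon command runs at sandbox start: {cmd.strip()!r}")
    return findings


def is_suspicious(xml_text: str) -> bool:
    """Flag the combination the abstract describes: network egress plus a host folder mapping."""
    findings = assess_wsb(xml_text)
    has_net = any(f.startswith("networking=") for f in findings)
    has_map = any("mapped into sandbox" in f for f in findings)
    return has_net and has_map
```

Pointing the script at .wsb files found on endpoints (or at the command line of WindowsSandbox.exe launches) turns the talk's TTP into a repeatable hunting check.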