Sleepy Chanitor Variant Sidesteps Sandboxing

Security experts have spotted targeted malware aimed at enterprise users which is designed to deliberately evade automatic sandbox analysis and connect to the Tor anonymizing network.

Phishing emails were personalized in the welcome line and claimed that the recipient had been assigned “administrator permissions” on the Microsoft Volume Licensing Service Center (VLSC), according to Martin Nystrom, member of Cisco’s Computer Security Incident Response Team (CSIRT).

They included a malicious download link which appears to come from but actually takes the user to a compromised WordPress site.

Clicking through will take the user to what appears to be a genuine VLSC page and begin the download, which is actually Chanitor malware – a trojan downloader spotted numerous times in the wild previously including in fake fax, fake voicemail, fake invoice and fake purchase order email attacks.

Detection rates were apparently a low nine out of 57 AV programs.

“Managed Threat Defense investigators turned to sandbox analysis for the file,” explained Nystrom.

“Detonating the malware on three commercial and one open source sandbox solution yielded no success. The malware seemed to know it was being analyzed and exited after 20 seconds without doing anything.”

After running the malware on “real hardware” hooked up to monitoring software, the Cisco team discovered the downloader was designed to deliberately evade sandbox analysis thanks to “programmatic delays.”

The Chanitor variant “sleeps” for over 30 minutes when first run, and then subsequently sleeps numerous times for just milliseconds “to wait out automatic sandbox analysis” before communicating with its C&C server.

It then checks to see if it can connect to the Tor network in order to hide its command-and-control and exfiltration activity, Nystrom explained.

The malware spotted by Cisco is yet another example of attackers’ continued attempts to counter advanced detection tools with built-in anti-forensics measures.

Most recently, the latest version of the infamous Cryptowall ransomware was spotted using the I2P anonymity network to communicate with its C&C infrastructure and Tor to disguise comms between the victim and attacker.

What’s Hot on Infosecurity Magazine?