Malware in a Box: A New Cyber Evasion Tactic
By BUFFERZONE Team, 17/06/2021
For years, cybercriminals and the cyber security establishment have been playing a kind of game of cops and robbers, with the criminals usually staying one step ahead. Whenever security software becomes able to identify a new malware type and protect against it, the attackers introduce a new evasion technique designed to circumvent the security products. Here we’ll discuss a recently discovered evasion technique: malware hiding inside, and acting from within, a virtual machine.
Virtual Machine Security
From the point of view of host environments of virtual machines (VMs), anything happening inside a guest virtual machine is hidden. So, endpoint security products in the host environment cannot tell if malware is running on the guest.
Under normal circumstances this is not a problem, since malware running on the guest VM cannot escape the VM to access the host. The VM has its own allocated memory and storage, and its internal processes are limited to that space, preventing any possible malware from causing any damage outside the VM’s confines. In fact, proactive containment-based endpoint security products such as BUFFERZONE are predicated exactly on this premise: Isolate any risky activity inside a container, so that the native endpoint cannot be harmed.
In addition, organizations generally secure their VMs by deploying endpoint security software directly inside the VMs, just as on regular endpoints.
However, this all assumes that the VM is created by and under control of the organization, so that it is securely configured and not granted access to valuable resources. But what if cybercriminals could design their own VM and enable malware on it to access the host environment?
Virtual Machine as Endpoint Vulnerability
This is exactly what the engineers of the infamous Ragnar Locker ransomware began doing only about a year ago. First detected in May 2020 by Sophos Labs, this malware variant, once it gains administrative access to a host, downloads, installs and runs an older version of VirtualBox software along with a small-footprint, low-resource custom guest VM image containing the ransomware. And, the VM is configured with mapped-drive access to all host drives.
This enables the ransomware to act from within the VM to steal and encrypt host data. And, if the host has mapped-drive access to organizational network shares, these too can be hijacked.
From the perspective of the host environment, activity is being performed by the well-known and generally legitimate VirtualBox process, so no red flags are raised.
Now that the vulnerability is recognized, it’s not too difficult for organizations to defend against it. For example, VMs can be prevented from running without proper authorization, or this behavior pattern (an unexpected hypervisor install followed by a VM with mapped host drives) can be identified by sufficiently sophisticated detection-based security products.
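As an added example (not code from the original post, from BUFFERZONE or from any other vendor), the Python below applies both defenses just mentioned to constructed endpoint telemetry: it flags hypervisor processes launched by a user outside an assumed allowlist, correlates a hypervisor installer run with a VM launch on the same host within a short window, and flags VirtualBox shared folders whose host path is a bare drive root, which is the "mapped-drive access to all host drives" configuration described above. The log format, host names, user names, file names and the AUTHORIZED_VM_USERS allowlist are all assumptions made for the example; only VirtualBox's shared-folder feature itself is real.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Users permitted to run virtual machines on managed endpoints. Assumed policy value.
AUTHORIZED_VM_USERS = {"it-admin"}

# Substrings that identify the hypervisor in a process image path (VirtualBox binaries
# are named VBox* / VirtualBox*). Other hypervisors could be added to the tuple.
HYPERVISOR_TOKENS = ("virtualbox", "vbox")

# A shared-folder host path that is a bare drive root ("C:\", "D:") hands the guest an
# entire host drive, which is the configuration the post describes.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")

# key=value and key="quoted value" pairs of the constructed log format below.
FIELD = re.compile(r'(?P<key>\w+)=(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

# Constructed sample telemetry (not real product output): one suspicious endpoint
# (WS-42, user jdoe) and one legitimate admin-run VM on WS-07.
SAMPLE_LOG = r"""
ts=2021-06-01T09:58:10Z host=WS-42 user=jdoe event=process_start image="C:\Users\jdoe\Downloads\vbox-old-setup.exe" parent="cmd.exe"
ts=2021-06-01T09:59:40Z host=WS-42 user=jdoe event=process_start image="C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" parent="cmd.exe"
ts=2021-06-01T09:59:41Z host=WS-42 user=jdoe event=vbox_sharedfolder vm="micro" name="C_DRIVE" hostpath="C:\"
ts=2021-06-01T09:59:42Z host=WS-42 user=jdoe event=vbox_sharedfolder vm="micro" name="D_DRIVE" hostpath="D:\"
ts=2021-06-01T10:00:05Z host=WS-42 user=jdoe event=process_start image="C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe" parent="cmd.exe"
ts=2021-06-01T11:30:00Z host=WS-07 user=it-admin event=process_start image="C:\Program Files\Oracle\VirtualBox\VirtualBox.exe" parent="explorer.exe"
ts=2021-06-01T11:30:20Z host=WS-07 user=it-admin event=vbox_sharedfolder vm="corp-dev" name="shared" hostpath="C:\Users\it-admin\vmshare"
"""


def parse_line(line):
    """Parse one constructed log line into a dict; 'ts' becomes a timezone-aware datetime."""
    fields = {}
    for m in FIELD.finditer(line):
        fields[m.group("key")] = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
    fields["ts"] = datetime.fromisoformat(fields["ts"].replace("Z", "+00:00"))
    return fields


def is_hypervisor(image):
    return any(tok in image.lower() for tok in HYPERVISOR_TOKENS)


def analyze(log_text, window=timedelta(minutes=10)):
    """Return (finding, host, user, detail) tuples for the VM-evasion pattern."""
    findings = []
    installers = []  # hypervisor installer runs, correlated with later VM launches
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        host, user = ev["host"], ev["user"]
        if ev["event"] == "process_start" and is_hypervisor(ev["image"]):
            # Policy check: no VM runs without authorization, whatever the hypervisor.
            if user not in AUTHORIZED_VM_USERS:
                findings.append(("unauthorized_vm_execution", host, user, ev["image"]))
            image = ev["image"].lower()
            if "setup" in image or "install" in image:
                installers.append(ev)  # assumed installer naming heuristic
            elif any(i["host"] == host and ev["ts"] - i["ts"] <= window for i in installers):
                # Hypervisor installed and then launched on the same host within minutes:
                # the "drop VirtualBox, then run the VM" sequence described above.
                findings.append(("hypervisor_dropped_and_run", host, user, ev["image"]))
        elif ev["event"] == "vbox_sharedfolder" and DRIVE_ROOT.match(ev["hostpath"]):
            findings.append(("vm_mapped_full_host_drive", host, user, ev["vm"] + " <- " + ev["hostpath"]))
    return findings


def summarize(log_text):
    """Count findings by type; useful for a dashboard or a unit test."""
    return dict(Counter(kind for kind, *_ in analyze(log_text)))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

On the sample, every finding lands on WS-42: three unauthorized hypervisor launches, two launches correlated with the preceding installer run, and two shared folders mapping whole drives. The admin's VM on WS-07 produces nothing, because the user is allowlisted, no installer preceded it, and its shared folder points at a single directory rather than a drive root. In a real deployment the allowlist and the installer heuristic would come from asset inventory and software-distribution records rather than from constants.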
However, this relatively new threat illustrates the futility of responsive security strategies. After this vulnerability is closed, it’s just a matter of time until another unexpected one is exploited by cybercriminals, yet again placing your data at risk.
Paradigm Shift: Proactive Containment
So, instead of just responding to threats, you need to be proactive. Keep potential malware inside a box, but make sure it stays there. The only effective solution is to make sure that exploits can’t reach your valuable and trusted systems to begin with.
Regardless of specific attack vectors, exploited vulnerabilities, and payloads, BUFFERZONE always does the same thing: browsing sessions, email attachments, and other applications that access external, untrusted content such as unknown internet sites are kept in a virtual container, along with processes started by those sessions and anything they save or download. Contained processes cannot reach native endpoint or organizational resources such as an intranet; those are accessed only by uncontained browsing sessions and applications, which can’t have accessed untrusted sites. When needed, BUFFERZONE can disarm content and securely extract data from the container. Periodically, the container is wiped clean.
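The two-zone policy this paragraph describes can be modelled as a small reference monitor. The Python below is an added illustration, not BUFFERZONE's implementation: the zone and label names, the Process and Resource types, the audit format and the strip_macros stand-in for content disarming are all assumptions made for the example. It shows the rules the paragraph states: children of a contained session are contained, contained processes reach only external content, native processes reach only internal resources, files saved from the container stay inside it until they are disarmed and extracted, and a wipe discards the container's contents.

```python
from dataclasses import dataclass

CONTAINED, NATIVE = "contained", "native"      # process zones (assumed names)
EXTERNAL, INTERNAL = "external", "internal"    # resource labels (assumed names)


@dataclass
class Process:
    name: str
    zone: str


@dataclass
class Resource:
    kind: str   # "url", "file" or "share"
    name: str
    label: str  # EXTERNAL (unknown internet site, download) or INTERNAL (intranet, native disk)


class ContainmentMonitor:
    """Toy policy engine for the containment model described in the text."""

    def __init__(self):
        self.container_files = {}  # path -> data written by contained processes
        self.native_files = {}     # path -> data visible to native processes
        self.audit = []

    def spawn(self, parent, name):
        """A process started by a contained session is itself contained."""
        return Process(name, parent.zone)

    def allowed(self, proc, res):
        """Contained: external content only. Native: internal resources only."""
        ok = res.label == (EXTERNAL if proc.zone == CONTAINED else INTERNAL)
        self.audit.append((proc.name, proc.zone, res.kind, res.name, "allow" if ok else "deny"))
        return ok

    def save(self, proc, path, data):
        """Anything a contained process saves or downloads lands in the container."""
        store = self.container_files if proc.zone == CONTAINED else self.native_files
        store[path] = data

    def read(self, proc, path):
        """Each zone sees only its own files; None means not visible from this zone."""
        store = self.container_files if proc.zone == CONTAINED else self.native_files
        return store.get(path)

    def extract(self, path, disarm):
        """Controlled exit from the container: content passes through `disarm` first."""
        self.native_files[path] = disarm(self.container_files[path])
        return self.native_files[path]

    def wipe(self):
        """Periodic clean-up discards everything the container accumulated."""
        self.container_files.clear()


def strip_macros(data: bytes) -> bytes:
    """Stand-in disarm step for the example: removes a constructed '[MACRO]' marker."""
    return data.replace(b"[MACRO]", b"")


if __name__ == "__main__":
    m = ContainmentMonitor()
    browser = Process("browser", CONTAINED)
    office = Process("office", NATIVE)
    m.allowed(browser, Resource("url", "https://unknown.example", EXTERNAL))
    m.allowed(browser, Resource("share", r"\\intranet\finance", INTERNAL))
    m.allowed(office, Resource("url", "https://unknown.example", EXTERNAL))
    m.save(browser, "invoice.docm", b"text[MACRO]")
    print(m.read(office, "invoice.docm"), m.extract("invoice.docm", strip_macros))
    for entry in m.audit:
        print(*entry)
```

The audit list is the place a real deployment would hook logging: every deny is a contained process reaching for something it should never see, or a native process reaching for untrusted content, and both are worth recording.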
Don’t wait for the next new attack. Protect your organization now.
References
Mark Loman, "Ragnar Locker ransomware deploys virtual machine to dodge security", news.sophos.com, May 21, 2020
Mark Stockley, "The ransomware that attacks you from inside a virtual machine", nakedsecurity.sophos.com, May 22, 2020
Maria Korolov, "New Malware Hides Inside Rogue Virtual Machines", www.datacenterknowledge.com, June 2, 2020