It’s reported that malware developers are checking whether their malware is running in the Any.Run malware analysis service, to prevent it from being easily examined by investigators.
Any.Run is a malware analysis sandbox service that allows researchers and users to safely evaluate malware without risk to their own computers. Once an executable is submitted to Any.Run, the sandbox service generates a Windows virtual machine with an interactive remote desktop and runs the submitted file inside it.
Investigators can use the interactive Windows desktop to observe the behavior of the malware, while Any.Run records its network activity, file activity, and registry changes.
In a new trojan spam campaign exposed by security researcher JAMESWT, malicious PowerShell scripts download and install malware onto a computer.
When the script is executed, it will download two PowerShell scripts to the victim’s computer that contain obfuscated and embedded malware.
When the second script runs, it attempts to launch the Azorult password-stealing Trojan.
If it detects that the program is running on Any.Run, it shows the message ‘Any.run Detected!’ and exits, so the malware is never executed and the sandbox cannot evaluate it.
By means of this technique, attackers make it more difficult for researchers to examine their attacks using an automated system.
When executed on a normal virtual machine or a live system, the password-stealing Trojan would run and steal saved login credentials from browsers, FTP programs, and other software.
While this will not prevent a researcher from analyzing a particular malware sample using other techniques, it forces them to put more effort into the analysis.