T1497.002 User Activity Based Checks
Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.1
Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks,2 browser history, cache, bookmarks, or the number of files in common directories such as the home directory or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro3 or waiting for a user to double-click an embedded image to activate.4
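The checks described above, modeled as an added example that is not part of the ATT&CK page or any code belonging to the groups it cites. It scores constructed host telemetry (cursor samples, a click count, and browser-history and user-directory file counts, all made up here) with three gates patterned on the procedure examples: a Darkhotel-style repeated cursor-position check, an Okrum-style click-count gate, and the artifact counts the description mentions. Function names, thresholds and the sample values are assumptions. A real implant would obtain these values through OS input and filesystem APIs (on Windows, for instance, GetCursorPos and GetAsyncKeyState); here they are passed in as plain data so the decision logic runs offline.

```python
"""Model of T1497.002 user-activity checks over constructed telemetry.

Added example, not code from ATT&CK or from the groups cited on the page.
Thresholds, names and sample values are assumptions chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from statistics import pstdev


@dataclass
class HostTelemetry:
    """Values an implant would normally read via OS APIs; supplied as data here."""
    cursor_samples: list[tuple[int, int]]  # (x, y) polled at a fixed interval
    left_clicks: int                       # left-button presses observed so far
    browser_history_entries: int
    desktop_file_count: int
    documents_file_count: int


def cursor_looks_human(samples, min_distinct=3, min_jitter=2.0):
    """Darkhotel-style check on repeatedly sampled cursor positions.

    A cursor that never moves fails; so does one that moves in perfectly
    uniform steps, which is what a naive sandbox "mouse wiggle" script produces.
    """
    if len(set(samples)) < min_distinct:
        return False
    # Manhattan distance between consecutive samples, ignoring idle samples
    steps = [abs(x1 - x0) + abs(y1 - y0)
             for (x0, y0), (x1, y1) in zip(samples, samples[1:])]
    moving = [s for s in steps if s > 0]
    if len(moving) < 2:
        return False
    # Human motion has irregular step lengths; scripted motion has none
    return pstdev(moving) >= min_jitter


def click_gate_open(left_clicks, required=3):
    """Okrum-style gate: stay dormant until the user has clicked N times."""
    return left_clicks >= required


def filesystem_looks_used(history_entries, desktop_files, documents_files,
                          min_history=20, min_files=5):
    """Artifact check: real workstations have browsing history and user files."""
    return history_entries >= min_history and (desktop_files + documents_files) >= min_files


def assess(t: HostTelemetry) -> dict[str, bool]:
    """Run every check; the implant would only 'proceed' when all of them pass."""
    result = {
        "cursor_human": cursor_looks_human(t.cursor_samples),
        "click_gate": click_gate_open(t.left_clicks),
        "fs_used": filesystem_looks_used(t.browser_history_entries,
                                         t.desktop_file_count,
                                         t.documents_file_count),
    }
    result["proceed"] = all(result.values())
    return result


# Constructed telemetry (made up for this example).
IDLE_SANDBOX = HostTelemetry(
    cursor_samples=[(512, 384)] * 6, left_clicks=0,
    browser_history_entries=0, desktop_file_count=1, documents_file_count=1)

# Sandbox that wiggles the cursor in uniform 10 px steps and scripts 3 clicks
# but has no browsing history: defeats a "did it move" test, not the jitter test.
SCRIPTED_SANDBOX = HostTelemetry(
    cursor_samples=[(0, 0), (10, 0), (20, 0), (30, 0), (40, 0), (50, 0)],
    left_clicks=3, browser_history_entries=0,
    desktop_file_count=2, documents_file_count=3)

WORKSTATION = HostTelemetry(
    cursor_samples=[(100, 100), (104, 97), (115, 103), (116, 103),
                    (140, 120), (141, 130), (141, 130), (190, 160)],
    left_clicks=5, browser_history_entries=340,
    desktop_file_count=12, documents_file_count=58)


if __name__ == "__main__":
    for name, host in [("idle sandbox", IDLE_SANDBOX),
                       ("scripted sandbox", SCRIPTED_SANDBOX),
                       ("workstation", WORKSTATION)]:
        print(f"{name:17s} {assess(host)}")
```

Two points follow from running it. For sandbox operators, the scripted case shows why emulating "some" input is not enough: uniform cursor motion and a fixed click count are themselves tells, so input emulation needs irregular timing and paths plus plausible filesystem and browser artifacts. For detection engineers, the OS API calls behind these checks are also made by ordinary interactive software, so the Process/OS API Execution data source is noisy on its own; what stands out is a freshly spawned process polling cursor or key state in a tight loop, or a document-delivered payload that never does anything else until such a gate opens.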
Item | Value |
---|---|
ID | T1497.002 |
Sub-technique of | T1497 (sub-techniques: T1497.001, T1497.002, T1497.003) |
Tactics | TA0005, TA0007 |
Platforms | Linux, Windows, macOS |
Version | 1.1 |
Created | 06 March 2020 |
Last Modified | 18 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0012 | Darkhotel | Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.7 |
G0046 | FIN7 | FIN7 used images embedded into document lures that only activate the payload when a user double-clicks them, in order to avoid sandboxes.4 |
S0439 | Okrum | The Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.5 |
S0543 | Spark | Spark has used a splash screen to check whether a user actively clicks on the screen before running malicious code.6 |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0009 | Process | OS API Execution |
References
1. Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved May 18, 2021.
2. Keragala, D. (2016, January 16). Detecting Malware and Sandbox Evasion Techniques. Retrieved April 17, 2019.
3. Falcone, R. & Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved April 23, 2019.
4. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
5. Hromcova, Z. (2019, July). Okrum and Ketrican: An Overview of Recent Ke3chang Group Activity. Retrieved May 6, 2020.
6. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
7. Singh, A. & Kolbitsch, C. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.