Malware developers have a new trick up their sleeve when it comes to evading detection – hiding their code inside a virtual machine.
Researchers at Sophos recently discovered a ransomware attack that uses a “VirtualBox” to keep itself from being spotted and stopped before it does any damage. This particular attack uses an old version of Oracle VirtualBox – a Sun xVM VirtualBox from 2009.
The virtual machine angle "takes defense evasion to a new level," Mark Loman, director of engineering for threat mitigation at Sophos, told DCK.
The malware, Ragnar Locker, also exfiltrates the data before encrypting it and deletes the "shadow copies," or system backups of files.
This particular strain of the malware attacks Windows PCs, Loman said. "But if the server in the data center runs Windows and can be accessed from the internal network, it is vulnerable to this attack," Loman said. "Also, if the data in the data center is available via a mapped network drive, the ransomware will affect the data on file servers in the data center."
To protect against it, Loman suggested that data center managers check which servers offer data to endpoints via file sharing. "Even though the ransomware executable is not copied and run on the file server in the data center itself, a single infected endpoint with a mapped network drive to the file server can do a lot of damage.”
Ransomware protection solutions typically don't protect shared folders from remote attacks as a standard feature, he said. But other common cybersecurity techniques could prevent the attack before the VM was created.
"Data center managers can help prevent these attacks by monitoring access of users with elevated privileges, detecting the installation of unauthorized software, and ensuring the ability to investigate and quarantine systems that exhibit this unusual activity," Brian Whitney, a consultant at Crypsis Group, a cybersecurity firm, told us.
Anti-ransomware vendors are likely to catch on fast. "I do not suspect this technique will last long as it becomes more commonly detected," Jonathan Tanner, senior security researcher at Barracuda Networks, said.
That will be based on how fast the security solutions are able to catch it, he told DCK. "Any organization without protections in the first place would not be any more susceptible to this variant than any other, making the added cost of evasion unnecessary to attackers in this case."
"I don’t see this becoming a significant new threat vector," agreed cybersecurity expert Andrew Hollister, director of LogRhythm Labs. "It is simply too noisy and provides many opportunities for detection. It seems an overly complicated way to implement an attack when you already have highly privileged access. The attackers could have simply halted endpoint protection and downloaded a 49KB binary which would be much more stealthy and difficult to detect than downloading a whole virtual machine, which also required drivers and registry entries in order to function."
But there are worrisome longer-term implications of this new evolution in attacker strategy – especially inside data centers that run a lot of VMs (which nowadays is most of them). Now that this technique has been used by a major ransomware group, it's likely to be picked up by other types of attackers.
Tip of the Iceberg
The same VM approach can be used to hide cryptominers and advanced persistent threats, said Juanita Koilpillai, who leads the software-defined perimeter working group at the Cloud Security Alliance. She is also the founder and CEO at Waverley Labs, a network security company.
"Data centers are typically not monitoring inside the virtual machines," she said. Some activities, such as cryptomining, can be picked up because of an usual spike in usage. Other harmful acts, such as stealing data or encrypting files, requires that the malware access the environment outside the VM.
"One way to protect against that is microsegmentation," she said. "They can make sure that if they've got a virtual box, it cannot access any other files. That's what the Cloud Security Alliance is advocating, these new security architectures."
By hiding inside a VM the malware can also avoid all the usual anti-malware technologies. "The antivirus can't peer into this virtual machine to detect it," said Fred Frey, technical director at Booz Allen Hamilton's Dark Labs cybersecurity team.
Typically, malware will try to turn off anti-malware technology before it starts doing its business. "But bells and whistles go off when you kill off antivirus," he told DCK. "This way, they can stay in stealth mode longer."
They can wait for just the right moment to set off the ransomware, or they can hide a long-term backdoor in the VM, so that they have a permanent foothold in the enterprise.
When data centers launch legitimate VMs, they protect the contents of the VMs against malware by running agents or other security technology inside the VMs themselves and by checking VM images for malware before launching them. Neither of these security approaches are much help when the VM is created from scratch by the attacker.
The key to protecting against threats hidden inside VMs is to have a good understanding of the environment, Frey said. "You should have an asset inventory and know which virtual machines are under positive control and which aren't."
Data center cybersecurity managers should also make sure that they've prevented the kind of access that would allow an attacker to set up a VM in the first place.
"The initial vulnerability is the real root cause of the problem," Satya Gupta, founder and CTO at Virsec Systems, a cybersecurity vendor, said.
Finally, strong application controls, where unknown executables aren't allowed to run at all, can help protect environments, especially when combined with additional security policies.
"I might let one script in a PowerShell execute, but not another one," Gupta said. "I might have a policy to never install a virtual machine." Then the data center wouldn’t ever get to a point where it had to detect rogue VMs.