Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks
Description
This presentation explores a novel defense evasion technique used by the APT group Earth Kasha, involving the abuse of Windows Sandbox to deploy stealthy backdoors. Viewers will learn how adversaries hide malicious activity from EDR/EPP solutions by leveraging lightweight virtualization and specific sandbox configuration tricks.
Think Inside the Box: How APTs Abuse Windows Sandbox for EDR Evasion
Introduction
In the cat-and-mouse game of cybersecurity, defenders have long relied on sandboxing to isolate and analyze suspicious files. However, in a fascinating reversal, advanced persistent threat (APT) groups have begun using these very tools to hide from the defenders. This blog post explores the research presented by Hiroaki Hara of Trend Micro at Black Hat Asia, detailing how the APT group Earth Kasha (part of the APT10 umbrella) successfully abused Windows Sandbox in real-world targeted attacks to deploy stealthy backdoors while remaining invisible to Endpoint Detection and Response (EDR) solutions.
Background: The "Magic Cloak" of Virtualization
Windows Sandbox, introduced in 2018, is a lightweight virtualization feature designed for the safe execution of untrusted applications. It provides a disposable, isolated environment that starts in seconds. While built for security, it inherently possesses a characteristic that is highly attractive to malware authors: isolation.
Most host-based security products (EPP and EDR) operate at the kernel or user level of the host operating system. Because Windows Sandbox uses hypervisor-based virtualization, the processes running inside the sandbox are often invisible to the security agents installed on the host. For an adversary, the sandbox becomes a "magic cloak," allowing them to execute malicious code in a space where the host's EDR cannot see or intervene.
Technical Deep Dive: The Earth Kasha Attack Chain
Understanding the Vulnerability/Technique
The attack discovered by Trend Micro targets organizations in East Asia using a multi-stage infection process. The initial entry is achieved via spear-phishing, but the true innovation occurs during the deployment of the final payload, NOOPDOOR.
Step-by-Step Exploitation
- Initial Compromise: The victim executes a dropper called Roaming Mouse from a spear-phishing email, which installs the ANEL backdoor.
- Sandbox Preparation: Once the attacker confirms the target's value, they drop three components onto the host: a configuration file (.wsb), a password-protected WinRAR archive, and a PEM file (which is actually an encoded executable).
- Hiding the UI: To prevent the victim from seeing the sandbox window, the attacker creates a Scheduled Task to run WindowsSandbox.exe under the SYSTEM context. Because the system account does not share a session with the active user, the sandbox window remains hidden.
- Configuring the Sandbox: The .wsb file is meticulously crafted to:
  - Enable networking (<Networking>Default</Networking>).
  - Map the host's user directory to the sandbox with read-write permissions (<ReadOnly>false</ReadOnly>).
  - Execute a script upon startup (<LogonCommand>).
- Payload Deployment: Inside the sandbox, the LogonCommand triggers a batch file that uses certutil to decode the PEM file into a WinRAR executable. This tool then extracts the NOOPDOOR backdoor from the encrypted archive and executes it.
- Traffic Obfuscation: The adversary often uses the Tor network from within the sandbox to mask the command-and-control (C2) traffic.
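For defenders who find a stray .wsb file on a host, the three settings listed above can be checked mechanically. The following is an added example, not code from the talk or from Trend Micro: it audits a .wsb file for enabled networking, writable mapped folders and a logon command, treating absent elements according to Microsoft's documented defaults (networking on, mapped folders writable). The sample configuration, its paths and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: the paths and the command are placeholders.
SAMPLE_WSB = r"""<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\example</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>C:\placeholder\startup.cmd</Command></LogonCommand>
</Configuration>"""


def _child_text(parent, name):
    """Text of the first direct child named `name` (case-insensitive), or None."""
    for child in parent:
        if child.tag.lower() == name.lower():
            return (child.text or "").strip()
    return None


def audit_wsb(xml_text):
    """Return (finding, detail) tuples for the three settings described above."""
    root = ET.fromstring(xml_text)
    findings = []
    # Networking stays on unless the file explicitly says Disable.
    net = _child_text(root, "Networking")
    if net is None or net.lower() != "disable":
        findings.append(("networking-enabled", net or "(absent)"))
    for elem in root.iter():
        tag = elem.tag.lower()
        if tag == "mappedfolder":
            # A mapped folder is writable unless ReadOnly is explicitly true.
            ro = _child_text(elem, "ReadOnly")
            if ro is None or ro.lower() != "true":
                host = _child_text(elem, "HostFolder") or "(no HostFolder)"
                findings.append(("writable-mapped-folder", host))
        elif tag == "logoncommand":
            cmd = _child_text(elem, "Command") or "(empty)"
            findings.append(("logon-command", cmd))
    return findings
```

A configuration that sets Networking to Disable, marks every mapped folder ReadOnly true and has no LogonCommand produces an empty list.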
The New Threat: WSB.exe
In Windows 11 24H2, Microsoft introduced wsb.exe, a command-line tool that makes this process even easier for attackers. It supports inline configurations via the --config flag, enabling fully fileless execution of sandbox settings and the ability to hide the UI without needing the SYSTEM account workaround.
Detection & Defense Strategies
Detecting sandbox abuse requires looking for specific environmental anomalies rather than just signatures of the malware itself.
Detection Points:
- Sigma Rules: Monitor for WindowsSandbox.exe or wsb.exe being executed by the SYSTEM account or with suspicious command-line arguments like LogonCommand.
- Memory Scanning: While the sandbox is isolated, its memory is mapped to specific host processes: VMM.exe on Windows 10 and VMM-sandbox.exe on Windows 11. Security teams should ensure their EDR is configured to scan these specific worker processes, as the malicious code (like Mimikatz or NOOPDOOR) will be visible there.
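The Sigma-style condition in the first detection point can be prototyped over exported process-creation events before it is written as a rule. This is an added example, not a rule from the talk: the events are constructed, the field names follow Sysmon Event ID 1 (Image, User, CommandLine), and the function names and the wsb.exe path are assumptions.

```python
import ntpath

SANDBOX_BINARIES = {"windowssandbox.exe", "wsb.exe"}
# Command-line markers named on the page: a startup command and inline config.
SUSPICIOUS_ARGS = ("logoncommand", "--config")

# Constructed process-creation events (all paths and accounts are samples).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": r"WindowsSandbox.exe C:\placeholder\config.wsb"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",
     "User": r"CORP\alice",
     "CommandLine": "WindowsSandbox.exe"},
    {"Image": r"C:\placeholder\wsb.exe",
     "User": r"CORP\bob",
     "CommandLine": 'wsb.exe start --config "<Configuration><LogonCommand>..."'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "User": r"NT AUTHORITY\SYSTEM",
     "CommandLine": "notepad.exe"},
]


def sandbox_launch_reasons(event):
    """Return the reasons one event matches the detection point, or []."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image not in SANDBOX_BINARIES:
        return []
    reasons = []
    # Compare only the account part so the DOMAIN\ prefix does not matter.
    account = event.get("User", "").rsplit("\\", 1)[-1].lower()
    if account == "system":
        reasons.append("runs-as-system")
    cmdline = event.get("CommandLine", "").lower()
    reasons += [f"arg:{marker}" for marker in SUSPICIOUS_ARGS if marker in cmdline]
    return reasons


def triage(events):
    """Map event index -> reasons for every event that matched."""
    hits = {}
    for index, event in enumerate(events):
        reasons = sandbox_launch_reasons(event)
        if reasons:
            hits[index] = reasons
    return hits
```

An interactive launch by a normal user with no arguments (the second sample event) is not flagged, which keeps the check usable where the feature has legitimate users.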
Prevention:
- Group Policy: Admins can use GPOs to restrict Windows Sandbox capabilities, such as disabling folder mapping and network access if the feature is required for business but needs hardening.
- Privilege Management: Monitoring the creation of scheduled tasks by suspicious processes can preempt the sandbox from being launched under the SYSTEM account.
Conclusion & Key Takeaways
The abuse of Windows Sandbox by Earth Kasha marks a significant shift in APT tactics toward utilizing built-in virtualization for defense evasion. As Microsoft continues to integrate lightweight containers and sandboxes into the OS, we can expect more adversaries to "think inside the box."
Key Takeaways:
- Isolation works both ways: what protects you can also hide your enemies.
- Standard EDR monitoring often stops at the hypervisor boundary.
- Memory scanning of hypervisor worker processes is a critical, yet often overlooked, detection vector.
For researchers and defenders, the message is clear: monitor the usage of virtualization tools in your environment as closely as you monitor any other high-privilege application.
AI Summary
In this technical presentation from Black Hat Asia, Hiroaki Hara, a Senior Threat Researcher at Trend Micro, details the first observed in-the-wild abuse of Windows Sandbox by a targeted threat actor. The primary subject is Earth Kasha, a China-aligned espionage group operating under the APT10 umbrella. Since 2017, Earth Kasha has targeted government and research institutes in East Asia, recently expanding their focus to include Taiwan and India. The talk specifically focuses on a campaign where the group shifted from the ANEL backdoor to a more sophisticated payload named NOOPDOOR, which they deployed inside the Windows Sandbox to evade detection.
The core of the attack lies in the 'defense evasion' capability of Windows Sandbox. Because host-based security tools like EDR and EPP solutions typically do not monitor processes or file system changes occurring within the sandbox's isolated environment, the adversary used it as a 'magic cloak.' The infection chain begins with a spear-phishing email containing a OneDrive link. This leads to the download of a ZIP file containing the 'Roaming Mouse' dropper, which installs the first-stage backdoor, ANEL. If the victim machine is deemed valuable, the attackers proceed to the second stage: deploying NOOPDOOR using Windows Sandbox.
Hara explains several critical 'tricks' the attackers used. First, they configured a Windows Sandbox (.wsb) file to enable networking for C2 communication and mapped host folders with read-write permissions, allowing the sandbox to access and exfiltrate host data. To hide the sandbox UI from the logged-in user, the adversary registered the sandbox as a scheduled task running under the 'SYSTEM' account. This ensures the virtualized desktop environment remains invisible while the malicious payload runs. Within the sandbox, the attackers used 'certutil' (obfuscated as 'satutil') to decode a WinRAR command-line tool, which then extracted the NOOPDOOR components from a password-protected archive. This multi-layered approach ensures the payload never touches the host's file system in its uncompressed, malicious form.
The presentation also touches on recent developments in Windows 11 version 24H2, which introduces 'wsb.exe.' This command-line utility allows for fileless sandbox execution and the ability to hide the UI without needing the 'SYSTEM' account trick, potentially making this attack vector even more dangerous. For defense, Hara suggests Sigma rules to detect sandbox execution under the SYSTEM account and emphasizes the importance of memory scanning. Interestingly, the memory of the guest sandbox is visible through the host processes 'VMM.exe' (Windows 10) or 'VMM-sandbox.exe' (Windows 11). Scanning these processes from the host can reveal malware like Mimikatz or NOOPDOOR, providing a viable detection path for modern EDR solutions.