July 18, 2024

Simplest Yet Most Common and Effective Evasion Tactic: Sleep!

In this blog post, you will learn how "Sleep" function is used to evade detection with real-life examples and how to overcome it!
Threat.Zone

The increasing reliance on sandbox environments for malware analysis has led to a corresponding rise in sophisticated evasion tactics by cybercriminals. As organizations adopt sandboxing solutions to identify and mitigate threats, less capable sandboxes often struggle with false negatives, costing businesses millions of dollars annually. One prevalent evasion technique employed by malware is the "sleep method," designed to bypass detection during the limited analysis window of many sandboxes. 

The Rising Challenge of Sandbox Evasion

As sandbox technology becomes more widespread, malware developers continuously refine their techniques to evade detection. This cat-and-mouse game has resulted in increasingly sophisticated evasion tactics that exploit the limitations of conventional sandbox environments. One significant consequence of these evasion techniques is the high rate of false negatives, where malicious activity goes undetected, leaving organizations vulnerable to attacks and resulting in substantial financial losses.

Financial Impact of False Negatives
False negatives occur when a sandbox fails to detect malicious behavior, leading to undetected threats infiltrating an organization's network. These undetected threats can cause data breaches, financial loss, and reputational damage. According to recent reports, the average cost of a data breach has soared, with businesses facing millions of dollars in recovery costs, legal fees, and lost revenue. The prevalence of evasion tactics like the sleep method exacerbates this problem, highlighting the need for advanced sandbox solutions capable of detecting and mitigating such tactics.

The Most Common Sandbox Evasion Tactic: The Sleep Method

Among the various evasion techniques, the sleep method is one of the most commonly used by malware. This tactic involves the malware delaying its execution to outlast the sandbox's analysis period. By incorporating sleep calls, malware can remain dormant long enough to avoid detection, only activating once it believes the sandbox has ceased monitoring.

Detailed Explanation of the Sleep Method

The sleep method leverages several API functions to introduce delays in execution. These functions are typically used in legitimate software to pause operations, but malware repurposes them for evasion. Here are some of the key sleep functions:

  1. Sleep:
    • Sleep(DWORD dwMilliseconds): This function suspends the execution of the current thread for a specified interval, given in milliseconds. Malware uses this to pause execution and outlast the sandbox's monitoring period.
  2. NtDelayExecution:
    • NtDelayExecution(BOOLEAN Alertable, PLARGE_INTEGER DelayInterval): A native API function that delays execution. It can be used to implement more sophisticated delays, including indefinite suspension. This function provides greater control over the delay mechanism, making it harder to detect.
  3. SleepEx:
    • SleepEx(DWORD dwMilliseconds, BOOL bAlertable): Similar to Sleep, but with the option to alert the thread if the delay is interrupted. This added complexity can help evade sandboxes that detect simple sleep calls.
  4. WaitForSingleObject:
    • WaitForSingleObject(HANDLE hHandle, DWORD dwMilliseconds): Waits until the specified object is in the signaled state or the timeout interval elapses. This can be used for delays with synchronization objects, adding another layer of evasion.
  5. WaitForMultipleObjects:
    • WaitForMultipleObjects(DWORD nCount, CONST HANDLE *lpHandles, BOOL bWaitAll, DWORD dwMilliseconds): Waits until any one or all of the specified objects are in the signaled state or the timeout interval elapses. This function introduces randomness in delay, complicating detection efforts.
  6. NtWaitForSingleObject:
    • NtWaitForSingleObject(HANDLE Handle, BOOLEAN Alertable, PLARGE_INTEGER Timeout): Another native API that waits for an object to be signaled or for a specified timeout period. Its use in malware can make delays appear more legitimate.
  7. ZwDelayExecution:
    • ZwDelayExecution(BOOLEAN Alertable, PLARGE_INTEGER DelayInterval): Similar to NtDelayExecution, this function can introduce delays in execution. It is often used in more advanced evasion techniques.

Real-World Examples of Malware Using Sleep Methods

Several real-world malware families have employed sleep methods to evade detection:

  1. TrickBot:
    • TrickBot is a notorious banking Trojan that often incorporates sleep delays to avoid detection by sandbox environments. It uses various sleep functions to delay its execution, making it difficult for sandboxes to capture its malicious behavior within the analysis window.
  2. Ursnif:
    • Ursnif, also known as Gozi, is a sophisticated banking Trojan that uses sleep functions as part of its evasion strategies. By delaying its execution, Ursnif can bypass initial detection and establish a foothold in the target system.
  3. Dridex:
    • Dridex is another banking Trojan known for implementing delays to outlast the sandbox analysis period. By using sleep calls, Dridex can avoid detection and carry out its malicious activities undisturbed.

Threat.Zone: Comprehensive Coverage Against Evasion Tactics

With the latest updates, Threat.Zone has enhanced its capabilities to detect and terminate all sleep call methods. This ensures that malware is forced to execute its payload immediately, providing a more accurate and timely analysis of its behavior.

Full Coverage of Al-Khaser Listed Methods

Threat.Zone offers full coverage for all sleep call methods listed in Al-Khaser (an open-source tool designed to test the effectiveness of sandboxes and anti-malware solutions) and more! By addressing these methods, Threat.Zone can detect and neutralize a wide range of evasion tactics, ensuring that no malicious activity slips through the cracks.

Examples of Al-Khaser Sleep Call Methods
  • Sleep:
    • Detected and terminated, ensuring immediate execution.
  • NtDelayExecution:
    • Monitored and stopped, preventing indefinite delays.
  • SleepEx:
    • Handled with alert interruptions to avoid evasion.
  • WaitForSingleObject:
    • Monitored for signaled states and terminated.
  • WaitForMultipleObjects:
    • Detected and managed to prevent random delays.
  • NtWaitForSingleObject:
    • Identified and interrupted for immediate execution.
  • ZwDelayExecution:
    • Monitored and terminated to avoid execution delays.

Advanced Detection and Termination Mechanisms

Threat.Zone utilizes advanced detection algorithms to identify and terminate sleep calls. These mechanisms include:

  1. Time Acceleration:
    • By accelerating the system clock, Threat.Zone can trick malware into executing its payload sooner, bypassing delays introduced by sleep calls.
  2. Behavioral Analysis:
    • Continuous monitoring of thread behavior helps identify suspicious sleep patterns, triggering immediate termination of sleep calls.
  3. Memory Forensics:
    • Analyzing memory dumps to detect dormant code and understand the malware’s intended behavior, even before it executes.
  4. Multi-stage Analysis:
    • Running the sample through multiple analysis such as Static, Dynamic and Emulation to catch behaviors that might be missed in a single, time-constrained sandbox analysis.

Would you like to try it yourself with your samples? Go ahead and register here to start using it right away with our free license to see it yourself!

Sinan Ugur Atak, Berk Albayrak
Head of RevOps, Threat Research Team Lead