Attackers can use online sandbox services to exfiltrate data from an isolated network, a SafeBreach security researcher has discovered.
The new research is based on the discovery that cloud anti-virus programs can be exploited for data pilfering. Last year, SafeBreach Labs’ Itzik Kotler and Amit Klein demonstrated proof-of-concept (PoC) malware abusing this exfiltration method, and said it would work even on endpoints that have no direct Internet connection.
The technique, the researchers revealed, relied on packing data inside an executable created by the main malware process on the compromised endpoint. Thus, if the anti-virus program on the endpoint uploads the executable to the cloud for further inspection, data is exfiltrated even if the file is executed in an Internet connected sandbox.
Now, SafeBreach security researcher Dor Azouri says that online sandbox services can be used for the same purposes and in similar circumstances. However, the researcher notes in a report (PDF) that an attacker using this method would need technical knowledge about their target network.
Unlike the previous technique, the new one doesn’t rely on code that can actively communicate out of the sandbox, but uses the sandbox service database itself as an intermediary for transferring data. The attack method does require incorporating the desired data into an executable and retrieving it by querying the sandbox service’s databases.
The attack starts with malware infecting the endpoint, gathering sensitive information from the machine, and packing it inside a file that is written to disk and executed to trigger the anti-virus agent. Next, a sandbox site is used to inspect the file by executing it, and the analysis results are saved in the site’s database. Finally, the attackers use the site’s API to grab the file.
Unlike last year’s method, the new one does not require the created executable to emit outbound network traffic for data exfiltration. Moreover, it makes the attacker less visible and more difficult to track, given that they gather the data passively from the sandbox service database.
However, the new technique can only be used in networks where suspicious samples are sent to an online sandbox engine, and also requires the attacker to know which kind of sandbox service the organization is using. Furthermore, although hidden, the exfiltraded data remains public in the service’s online databases.
The attack can be used for data exfiltration when the target organization sends suspicious files to VirusTotal for analysis, the security researcher says. The service requires a subscription to access information about the analysed files, but an attacker could find the exact executable they are looking for in the database.
The researcher presents a couple of manners in which the attack can be performed, namely Magic String using spacebin (where the attackers could both encode and encrypt the data to be exfiltrated) and the embedding of data inside well-known malware.
“Public sandbox services that allow both upload and search capabilities may be used as a means for data exfiltration. The database for these services is an intermediary for transferring hidden data from a source machine to an attacker who is looking for the expected data. Many permutations of this exfiltration model may be created – each features a different stealth level, ease of implementation, accuracy, capacity etc. We only demonstrated a couple of them,” Azouri concludes.