Most Sandbox-Evading Malware Used for Espionage

69% of Sandbox-Evading Malware Used for Espionage

Cybersecurity experts have analyzed malware that uses sandbox-evasion techniques during attacks. Their findings reveal that the majority of such malware is used for espionage and for stealing confidential information.

According to researchers from Positive Technologies, cybercriminals are increasingly bypassing sandboxes due to a growing interest in targeting enterprises where they can steal trade secrets. Of all the analyzed malware samples that use sandbox evasion techniques, 69% were designed specifically for espionage. The remaining 31% were intended to bring financial gain to cybercriminals.

In total, Positive Technologies specialists observed the behavior of 36 malware families involved in cyberattacks over the past ten years. These malware strains were distributed by 23 different cybercriminal groups.

After categorizing all the analyzed programs into five groups, experts concluded that 56% of sandbox-evading malware was used in programs that provided operators with remote access to victims’ computers. So-called downloaders made up 14% of this list. Ransomware accounted for 11%, as did banking trojans, while spyware made up 8%.

Regarding the cybercriminal groups distributing such programs, 25% of these groups have been active in the last two years, which may indicate a shift in focus toward espionage malware that steals trade secrets.

Stanislav Fesenko, a specialist at Group-IB, told Izvestia that such cyberattacks are mainly carried out for industrial espionage and for reselling access to compromised infrastructure.
