Yuki Umemura
Last known affiliation: NICT
Bio: Yuki Umemura has been a Research Engineer at the National Institute of Information and Communications Technology (NICT), Japan, since 2020. Before that, he worked as a security engineer at a security company in Japan.
Shohei Hiruta 🗣 | Yuki Umemura | Masaki Kubo | Nobuyuki Kanaya | Takahiro Kasama
Abstract
Malware sandboxes are essential tools for malware analysis, allowing researchers to execute malware in controlled environments to reveal its behavior, communication destinations, and configuration settings. Due to their convenience, a wide variety of both free and commercial sandboxes are available. However, existing sandboxes face three major challenges: limited execution time for malware, inflexible execution environments, and restricted logging capabilities. To address these limitations, we developed a highly functional sandbox that eliminates execution time restrictions, allows for flexible configuration of execution environments, and provides real-time comprehensive logging. This sandbox is currently in operation at over 50 Japanese companies.
We have been operating and improving this sandbox, and now need to evaluate whether these functions are effective. We therefore evaluated it from two perspectives:
- Can we observe the activity of the attacker behind malware?
- Is the observed activity something existing sandboxes cannot observe?
A remote access trojan (RAT), which gives an attacker remote control of an infected machine, is well suited to this evaluation: once the RAT has connected to its server, what happens next on the victim is driven by the attacker rather than by the malware alone.
We analyzed RATs collected in our sandbox over a six-month period and observed four types of attacker activity through them. These activities occurred more than an hour after the RAT had connected to its command and control (C2) server, beyond the execution-time limits of existing sandboxes, which therefore cannot observe them. Finally, we discuss how to improve and operate our sandbox based on these results.
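As an added illustration of the evaluation described above (this is not code from the paper or from the NICT sandbox), the script below measures, from a sandbox event trace, how long after the first C2 connection attacker-driven activity appears and how much of it a fixed execution-time limit would cut off. The JSON-lines event schema, the activity kinds, the timestamps and the 203.0.113.10 address are all constructed for the example; the kinds are not the four activity types the paper reports.

```python
"""Dwell-time check on a sandbox event trace: how long after the first C2
connection does attacker-driven activity appear, and which of it would a
fixed execution-time limit cut off.

Added illustration only: the event schema, timestamps and addresses are
constructed and are not the NICT sandbox's log format.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta

# Automated RAT traffic; everything else after the first C2 connection is
# treated as a candidate for operator (attacker) action.
BEACON_KINDS = {"c2_connect", "c2_beacon"}

# Constructed JSON-lines trace of one RAT run (hypothetical fields: ts, kind,
# detail). 203.0.113.10 is a documentation-range address, not a real C2.
SAMPLE_LOG = r"""
{"ts": "2024-01-10T09:00:00Z", "kind": "process_start", "detail": "sample.exe"}
{"ts": "2024-01-10T09:00:07Z", "kind": "c2_connect", "detail": "203.0.113.10:443"}
{"ts": "2024-01-10T09:00:37Z", "kind": "c2_beacon", "detail": "203.0.113.10:443"}
{"ts": "2024-01-10T09:01:07Z", "kind": "c2_beacon", "detail": "203.0.113.10:443"}
{"ts": "2024-01-10T10:14:20Z", "kind": "process_start", "detail": "cmd.exe /c whoami"}
{"ts": "2024-01-10T10:15:02Z", "kind": "process_start", "detail": "cmd.exe /c net view"}
{"ts": "2024-01-10T10:22:45Z", "kind": "file_write", "detail": "C:\\Users\\Public\\t.bin"}
{"ts": "2024-01-10T10:23:01Z", "kind": "screenshot", "detail": "1920x1080"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by time; timestamps become aware datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def first_c2_connect(events: list[dict]) -> datetime | None:
    """Timestamp of the first successful C2 connection, or None if the RAT never connected."""
    for ev in events:
        if ev["kind"] == "c2_connect":
            return ev["ts"]
    return None


def operator_activity(events: list[dict]) -> list[dict]:
    """Non-beacon events after the first C2 connection, each annotated with
    delay_s, the seconds elapsed since that connection."""
    t0 = first_c2_connect(events)
    if t0 is None:
        return []
    return [
        {**ev, "delay_s": (ev["ts"] - t0).total_seconds()}
        for ev in events
        if ev["ts"] > t0 and ev["kind"] not in BEACON_KINDS
    ]


def missed_under_limit(events: list[dict], limit_seconds: int) -> list[dict]:
    """Operator activity that falls after a run capped at limit_seconds from the
    first event, i.e. what a sandbox with that execution-time limit would never log."""
    cutoff = events[0]["ts"] + timedelta(seconds=limit_seconds)
    return [a for a in operator_activity(events) if a["ts"] > cutoff]


def summarize(events: list[dict], limit_seconds: int) -> dict:
    """Delay to first operator action, kinds seen, and how many a time cap would miss."""
    acts = operator_activity(events)
    return {
        "first_activity_delay_s": acts[0]["delay_s"] if acts else None,
        "kinds": sorted({a["kind"] for a in acts}),
        "observed": len(acts),
        "missed_under_limit": len(missed_under_limit(events, limit_seconds)),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    # 300 s is assumed here as a typical automated-sandbox run length; 7200 s
    # stands in for a run with no practical limit.
    for limit in (300, 7200):
        print(limit, summarize(evs, limit))
```

In the constructed trace the first operator command arrives 4453 seconds (about 74 minutes) after the C2 connection, so a five-minute run records only the beaconing and misses all four follow-on events, while a two-hour run captures them all. Applied to real traces, the same delay distribution is what decides whether an execution-time limit is acceptable for observing hands-on attacker activity.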