Last July at Black Hat and DEFCON, Itzik Kotler and Amit Klein took us on the “Adventures of AV and the Leaky Sandbox”. The technique demonstrated in “Adventures of AV and the Leaky Sandbox” takes place in a highly restricted and segmented network, where Kotler and Klein showed how attackers can make use of cloud AV solutions and sandbox services in order to exfiltrate data.

Two crucial components were defined in the original Leaky Sandbox research-- the rocket, and the satellite. The rocket is the initial malware that generates the satellite from a predefined template. The satellite is a piece of code, initiated by the rocket to trigger an AV product.

Our latest SafeBreach Labs research takes advantage of the same techniques, but instead, uses online sandbox services as a means for exfiltration. One specific outcome that can result from triggering an AV product, is uploading the satellite to a sandbox service such as VirusTotal, Hybrid Analysis etc. In our latest research, we take advantage of this flow to exfiltrate the desired data, that was previously embedded into the satellite. Unlike the “Adventures of AV and the Leaky Sandbox”, we don’t require the satellite to actively communicate out of the sandbox ; instead, we use the sandbox service database itself as an intermediary for transferring data.

The exfiltration as a whole consists of two main objectives: incorporating the desired data (to be exfiltrated) into the satellite, and retrieving it by querying the sandbox service’s databases.

Our research essentially demontrates that online sandboxing services that allow both upload and search capabilities may be used as a means for data exfiltration. The database for these services is an intermediary for transferring hidden data from a source machine to an attacker who is looking for the expected data. Many permutations of this exfiltration model may be created - each features a different stealth level, ease of implementation, accuracy, capacity etc. However, note that this new research angle, i.e. using online sandbox services as a means for exfiltration, is only practical for attackers that have technical knowledge about their target network.

We tested and validated that our technique was successful using the Google Virus Total and services. For more complete details about our research, download the complete research paper here. Note that despite numerous attempts to disclose our research results to both Google and Crowdstrike (which acquired Payload Services, the owner of the Hybrid Analysis service), we did not receive any responses from either company.

Companies using online sandboxing services today should understand that sharing suspicious/malicious files can facilitate exfiltration, unless the file has arrived from outside the enterprise and is unmodified. The SafeBreach Labs guidance is to verify that the file is not exclusive to your network (bitwise comparison), before uploading it to an online sandbox service, and in general, to any public service that shares user content.

The short rule: If it came from the internet - it is safe to upload it back to the internet!

Subscribe to blog post