The National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) have released a security advisory on an Advanced Persistent Threat (APT) campaign targeting organizations in Japan. The campaign, attributed to the threat actor known as “MirrorFace,” a subgroup operating under the APT10 umbrella, abused Windows Sandbox and Visual Studio Code to carry out malicious activity while evading the security tools running on the host. Because Windows Sandbox is a disposable virtual environment isolated from the host, the attackers could keep operating on compromised systems while leaving few traces of their activity behind.

The attack methodology involved enabling Windows Sandbox on the target machine, creating a custom Windows Sandbox configuration (WSB) file, and executing malware inside the isolated environment. Since Windows Sandbox is disabled by default, the attackers first had to enable the feature (which requires administrative privileges) and reboot the compromised system before proceeding with the later stages of the attack. They then created a WSB file whose parameters enabled network connectivity, shared folders between the host and the sandbox, and ran a command automatically at logon. This configuration let the malware operate inside the sandbox while retaining access to files on the host.

The attackers used a customized version of the open-source Lilith RAT, dubbed “LilimRAT,” built specifically to run inside Windows Sandbox. Researchers noted that the malware verified it was running within Windows Sandbox by checking for the existence of the WDAGUtilityAccount user folder, WDAGUtilityAccount being the default user in Windows Sandbox environments.

Two properties made the attack particularly stealthy. Windows Defender is disabled by default within Windows Sandbox, so the attackers had an environment with no endpoint protection to operate in. Furthermore, when Windows Sandbox is launched via Task Scheduler under SYSTEM privileges, it runs in the background without displaying a window, so a user at the console sees nothing unusual and detection becomes even more challenging.

Security experts recommend keeping Windows Sandbox disabled unless it is specifically required, monitoring the related processes (WindowsSandbox.exe in particular), restricting administrative privileges, and implementing AppLocker policies to prevent unauthorized execution of Windows Sandbox in enterprise environments.
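The two host-side artifacts described above, a WSB file with networking, a shared host folder and a logon command, and a scheduled task that starts the sandbox as SYSTEM, are both plain XML and can be triaged offline. The Python script below is an added example for this article; it is not code from the article, from the NPA/NISC advisory or from the attackers' toolkit. Element names follow Microsoft's documented .wsb schema (Configuration, Networking, MappedFolders/MappedFolder/HostFolder/ReadOnly, LogonCommand/Command) and the Task Scheduler XML schema (Principals/Principal/UserId, Actions/Exec/Command/Arguments); S-1-5-18 is the well-known SYSTEM SID. All paths, folder names and the logon command in the embedded samples are constructed for illustration.

```python
"""Triage a Windows Sandbox .wsb file and a scheduled-task XML for the settings
the advisory describes.  Added example; not code from the article or advisory."""
import xml.etree.ElementTree as ET

# Element names follow Microsoft's documented .wsb schema and the Task
# Scheduler XML schema.  S-1-5-18 is the well-known SYSTEM SID; the string
# forms are accepted as well in case a task was exported that way.
SYSTEM_IDS = {"S-1-5-18", r"NT AUTHORITY\SYSTEM", "SYSTEM"}


def triage_wsb(xml_text: str) -> dict:
    """Report the .wsb settings the campaign relied on: host networking,
    a writable folder shared with the host, and a command run at logon."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError(f"not a .wsb file (root element {root.tag!r})")
    # Networking is enabled unless it is explicitly set to Disable.
    net_enabled = (root.findtext("Networking") or "").strip().lower() != "disable"
    writable = []
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower() == "true"
        if host and not read_only:  # ReadOnly defaults to false when absent
            writable.append(host)
    logon = (root.findtext("LogonCommand/Command") or "").strip()
    return {
        "networking": net_enabled,
        "writable_host_folders": writable,
        "logon_command": logon,
        "suspicious": net_enabled and bool(writable) and bool(logon),  # the advisory's profile
    }


def triage_task(task_xml: str) -> dict:
    """Flag a scheduled task that runs WindowsSandbox.exe as SYSTEM, the
    launch method that keeps the sandbox window hidden from the user."""
    root = ET.fromstring(task_xml)
    for el in root.iter():  # drop the task-schema namespace so local names match
        el.tag = el.tag.split("}", 1)[-1]
    user = (root.findtext("Principals/Principal/UserId") or "").strip().upper()
    commands = [
        ((e.findtext("Command") or "") + " " + (e.findtext("Arguments") or "")).strip()
        for e in root.iter("Exec")
    ]
    runs_as_system = user in {s.upper() for s in SYSTEM_IDS}
    launches_sandbox = any("windowssandbox.exe" in c.lower() for c in commands)
    return {
        "runs_as_system": runs_as_system,
        "launches_sandbox": launches_sandbox,
        "commands": commands,
        "suspicious": runs_as_system and launches_sandbox,
    }


# Constructed sample mirroring the described configuration (paths and command invented).
ATTACKER_STYLE_WSB = r"""<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Public\share</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\share\launcher.bat</Command>
  </LogonCommand>
</Configuration>"""

# Constructed low-risk analyst configuration for contrast: no network,
# read-only mount, nothing auto-started.
ANALYST_WSB = r"""<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Samples</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""

# Constructed task XML in the shape `schtasks /Query /XML` exports (paths invented).
SYSTEM_SANDBOX_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
    </Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Windows\System32\WindowsSandbox.exe</Command>
      <Arguments>C:\Users\Public\share\task.wsb</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    print("attacker-style wsb:", triage_wsb(ATTACKER_STYLE_WSB))
    print("analyst wsb:", triage_wsb(ANALYST_WSB))
    print("task:", triage_task(SYSTEM_SANDBOX_TASK))
```

Against real systems, feed triage_task the output of `schtasks /Query /XML /TN <task name>` for each task and triage_wsb the contents of any .wsb files found on disk. A WSB file that enables networking, mounts a writable host folder and auto-runs a command matches the profile the advisory describes; a SYSTEM task that launches WindowsSandbox.exe deserves a look regardless of what the WSB file contains, since the advisory notes that is the configuration that hides the sandbox window.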
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 12 Mar 2025 15:15:26 +0000