MirrorFace APT Hackers Exploited Windows Sandbox & Visual Studio Code Using Custom Malware

The National Police Agency (NPA) and the National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released a security advisory regarding an Advanced Persistent Threat (APT) attack campaign targeting organizations in Japan.

The campaign, attributed to a threat actor known as “MirrorFace,” a subgroup operating under the APT10 umbrella, abused Windows Sandbox and Visual Studio Code to execute malicious activities while evading detection by security tools running on the host systems.

The attackers utilized a customized version of the open-source Lilith RAT, dubbed “LilimRAT,” which was specifically designed to operate within Windows Sandbox.


This approach allowed the threat actors to maintain persistence on compromised systems while leaving few traces of their activities on the host, because Windows Sandbox provides a virtual environment that is isolated from the host system.

Windows Sandbox (Source – ITOCHU Cyber & Intelligence)

ITOCHU Cyber & Intelligence Inc. researchers noted that the malware contained specific code to verify it was running within Windows Sandbox by checking for the existence of the WDAGUtilityAccount user folder, which is the default user in Windows Sandbox environments.

WDAGUtilityAccount user profile in Windows Sandbox (Source – ITOCHU Cyber & Intelligence)

If this folder was not detected, the malware would terminate immediately, as demonstrated in the code:-

// Decompiled check: does the default Windows Sandbox user profile exist?
FileAttributesA = GetFileAttributesA("C:\\Users\\WDAGUtilityAccount");
// INVALID_FILE_ATTRIBUTES is -1; 0x10 is FILE_ATTRIBUTE_DIRECTORY
if ( FileAttributesA != -1 && (FileAttributesA & 0x10) != 0 )
{
    c_GetModuleFileNameA();
    c_WSAStartup();
    v29 = 1;
    // Additional initialization code
}
// otherwise the process exits without running its payload

The attack methodology involved enabling Windows Sandbox on target machines, creating custom WSB configuration files, and executing malware within the isolated environment.

The process of abusing Windows Sandbox (Source – ITOCHU Cyber & Intelligence)

Since Windows Sandbox is disabled by default in Windows systems, attackers first had to enable this feature and reboot the compromised system before proceeding with the next stages of their attack.

Attack Technique Details

The threat actors deployed a sophisticated multi-stage attack process. First, they placed three critical files on the compromised host: a batch file, an archiver utility, and an archive containing the malware.

They then created a Windows Sandbox configuration (WSB) file with specific parameters that enabled network connectivity, shared folders between the host and sandbox environment, and executed a command upon logon.

The WSB file configuration included settings to enable networking, map folders between the host and sandbox, and execute the batch file automatically:-

<Configuration>
    <Networking>Enable</Networking>
    <MappedFolders>
        <MappedFolder>
            <HostFolder>C:\{Host-side folder}</HostFolder>
            <SandboxFolder>C:\{Sandbox-side folder}</SandboxFolder>
            <ReadOnly>false</ReadOnly>
        </MappedFolder>
    </MappedFolders>
    <LogonCommand>
        <Command>C:\{Sandbox-side folder}\{random}.bat</Command>
    </LogonCommand>
    <MemoryInMB>1024</MemoryInMB>
</Configuration>

This configuration allowed the malware to operate within the sandbox while maintaining access to files on the host system.
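A small auditor for .wsb files, added here as an example and not code from ITOCHU, the NPA or Microsoft: it parses a configuration using the element names from Microsoft's documented Windows Sandbox schema and flags the three properties the advisory describes (networking enabled, a writable host folder mapped into the sandbox, and a logon command that runs a script from that folder). The sample configuration, its paths and the batch-file name are constructed.

```python
"""Audit Windows Sandbox (.wsb) configuration files for the risky settings
described in the advisory: networking enabled, writable host folders mapped
into the sandbox, and a logon command that runs a script from a mapped folder.

Added example written for this article; it is not code from ITOCHU, the NPA
or Microsoft.  Element names (Networking, MappedFolders, MappedFolder,
HostFolder, SandboxFolder, ReadOnly, LogonCommand, Command, MemoryInMB)
follow Microsoft's documented .wsb schema; the sample configuration below is
constructed to mirror the one in the advisory, with placeholder paths.
"""
import xml.etree.ElementTree as ET

# Script/interpreter extensions a logon command would need to start a dropper.
SCRIPT_EXTENSIONS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".exe")


def parse_wsb(xml_text: str) -> dict:
    """Return the security-relevant settings of a .wsb document as a dict."""
    root = ET.fromstring(xml_text)
    if root.tag != "Configuration":
        raise ValueError(f"not a .wsb configuration (root is <{root.tag}>)")

    def text(path, default=""):
        node = root.find(path)
        return (node.text or "").strip() if node is not None else default

    folders = []
    for mf in root.findall("./MappedFolders/MappedFolder"):
        folders.append({
            "host": (mf.findtext("HostFolder") or "").strip(),
            "sandbox": (mf.findtext("SandboxFolder") or "").strip(),
            # ReadOnly defaults to false when the element is omitted.
            "read_only": (mf.findtext("ReadOnly") or "false").strip().lower() == "true",
        })
    return {
        "networking": text("Networking", "Default"),
        "mapped_folders": folders,
        "logon_command": text("./LogonCommand/Command"),
        "memory_mb": int(text("MemoryInMB", "0") or 0),
    }


def audit_wsb(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing matched."""
    cfg = parse_wsb(xml_text)
    findings = []
    if cfg["networking"].lower() != "disable":
        findings.append(f"networking is {cfg['networking']}: sandbox can reach the internet (C2/Tor)")
    sandbox_dirs = []
    for f in cfg["mapped_folders"]:
        if not f["read_only"]:
            findings.append(f"host folder {f['host']} is mapped writable at {f['sandbox']}")
        sandbox_dirs.append(f["sandbox"].lower())
    cmd = cfg["logon_command"]
    if cmd:
        if cmd.lower().endswith(SCRIPT_EXTENSIONS):
            findings.append(f"logon command runs a script: {cmd}")
        if any(cmd.lower().startswith(d) for d in sandbox_dirs if d):
            findings.append("logon command executes from a host-mapped folder")
    return findings


# Constructed sample matching the structure reported in the advisory.
SAMPLE_WSB = """<Configuration>
  <Networking>Enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\HostShare</HostFolder>
      <SandboxFolder>C:\\SandboxShare</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\SandboxShare\\x7f3.bat</Command>
  </LogonCommand>
  <MemoryInMB>1024</MemoryInMB>
</Configuration>"""

# Constructed hardened configuration: no network, no shared folders, no command.
HARDENED_WSB = """<Configuration>
  <Networking>Disable</Networking>
  <MemoryInMB>1024</MemoryInMB>
</Configuration>"""

if __name__ == "__main__":
    for finding in audit_wsb(SAMPLE_WSB):
        print("[!]", finding)
```

Run over every .wsb found on a host (they are plain XML), the auditor separates legitimate developer sandboxes from the pattern above: a configuration that combines networking, a writable mapped folder and a logon command pointing into that folder produces all four findings, while the hardened configuration produces none.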

The attack flow using Windows Sandbox (Source – ITOCHU Cyber & Intelligence)

Once the attack flow was initiated, the batch file extracted the archive and created scheduled tasks to execute the malware.

The malware then established communication with command and control servers through the Tor network to mask its activities.

What made this attack particularly stealthy was that Windows Defender is disabled by default within Windows Sandbox, giving the attackers an environment with no endpoint protection in which to operate.

Furthermore, when Windows Sandbox is launched via Task Scheduler under SYSTEM privileges, it runs in the background without displaying a window, making detection even more challenging.

Security experts recommend keeping Windows Sandbox disabled unless specifically required, monitoring related processes, restricting administrative privileges, and implementing AppLocker policies to prevent unauthorized execution of Windows Sandbox in enterprise environments.
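The recommendation to monitor related processes can be made concrete. The following is an added example, not a detection from the advisory or from any vendor: three rules over Sysmon-style process-creation records (the records are constructed) covering the host-side steps described above, that is enabling the Windows Sandbox feature, creating a scheduled task whose action starts the sandbox, and WindowsSandbox.exe being launched with a .wsb argument from the Task Scheduler service or as SYSTEM rather than from an interactive shell. Containers-DisposableClientVM is Microsoft's documented optional-feature name for Windows Sandbox; treating svchost.exe as the parent of scheduled-task processes is an assumption.

```python
"""Flag host-side indicators of the Windows Sandbox abuse pattern described
in the advisory in process-creation telemetry: the feature being enabled, a
scheduled task whose action starts the sandbox, and a .wsb file launched
non-interactively (from the Task Scheduler service or as SYSTEM).

Added example written for this article, not a detection shipped by any vendor
or by the researchers cited.  Field names follow the Sysmon Event ID 1 layout
(Image, CommandLine, ParentImage, User); all events below are constructed.
"Containers-DisposableClientVM" is Microsoft's documented optional-feature
name for Windows Sandbox and WindowsSandbox.exe is its launcher; the
svchost.exe parent heuristic for scheduled tasks is an assumption.
"""
import ntpath

FEATURE_NAME = "containers-disposableclientvm"
SCHEDULER_PARENT = "svchost.exe"          # Task Scheduler service host (assumed)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def rule_feature_enabled(ev: dict) -> bool:
    """Enable-WindowsOptionalFeature / DISM turning the sandbox feature on."""
    cl = ev["CommandLine"].lower()
    return FEATURE_NAME in cl and "enable" in cl


def rule_hidden_sandbox_launch(ev: dict) -> bool:
    """WindowsSandbox.exe started with a .wsb by the scheduler or as SYSTEM."""
    if _base(ev["Image"]) != "windowssandbox.exe":
        return False
    if ".wsb" not in ev["CommandLine"].lower():
        return False
    return (_base(ev["ParentImage"]) == SCHEDULER_PARENT
            or ev["User"].upper().endswith("\\SYSTEM"))


def rule_task_starts_sandbox(ev: dict) -> bool:
    """schtasks /create whose action references the sandbox or a .wsb file."""
    if _base(ev["Image"]) != "schtasks.exe":
        return False
    cl = ev["CommandLine"].lower()
    return "/create" in cl and ("windowssandbox" in cl or ".wsb" in cl)


RULES = [
    ("sandbox_feature_enabled", rule_feature_enabled),
    ("sandbox_launched_non_interactively", rule_hidden_sandbox_launch),
    ("scheduled_task_starts_sandbox", rule_task_starts_sandbox),
]


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for every rule that matches an event."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES:
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed telemetry: events 1 and 3 are benign, events 0, 2 and 4 match.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\admin01"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",   # interactive use by a developer
     "CommandLine": r'"C:\Windows\System32\WindowsSandbox.exe" C:\Users\admin01\Desktop\test.wsb',
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\admin01"},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn Updater /tr "C:\Windows\System32\WindowsSandbox.exe C:\ProgramData\u.wsb" /sc onstart /ru SYSTEM',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "CORP\\admin01"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\user02"},
    {"Image": r"C:\Windows\System32\WindowsSandbox.exe",   # spawned by the scheduler as SYSTEM
     "CommandLine": r"C:\Windows\System32\WindowsSandbox.exe C:\ProgramData\u.wsb",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "User": "NT AUTHORITY\\SYSTEM"},
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The second rule deliberately ignores a developer opening a .wsb from Explorer; the signal in the advisory is the combination of a .wsb launch with a non-interactive parent or the SYSTEM account, which is also the condition under which the sandbox runs without a visible window. In an environment where Windows Sandbox is kept disabled, as recommended above, the first rule alone is a high-confidence alert.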


Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.