Hackers abuse single bit change in Intel CPU register to evade detection

Palo Alto Networks discovers that Trap Flag is being abused to notify malware it is being analyzed

Security researchers have discovered a specific single bit (Trap Flag) in the Intel CPU register that malware can abuse to evade sandbox detection.

According to researchers at Palo Alto Networks’ Unit 42 threat research group, malware can detect whether it is executing in a physical or virtual machine (VM) by monitoring the response of the CPU after setting this single bit.

Malware usually avoids detection by checking if it is being run in a virtualized “sandbox” environment set up to safely analyze potential malware. When the malware finds out it is executing in a virtual machine, it will terminate its execution or provide fake outputs to hide its real intentions.

In this instance, to detect VM use in a sandbox, malware could check the CPU’s behavior after enabling the trap flag. This is the eighth single bit in the EFLAGs register of the Intel x86 CPU architecture. 

If the trap flag is enabled before a single instruction is executed, the CPU will raise an exception (single-step mode) after the instruction is completed. This exception stops the CPU execution to allow the exception handler to examine the contents of the registers and memory location. Before allowing code execution to continue, the CPU must also clear the trap flag.

“To determine whether a VM is used, malware can check whether the single-step exception was delivered to the correct CPU instruction, after executing specific instructions (e.g. CPUID, RDTSC, IN) that cause the VM to exit with the TF enabled. During VM exits, the hypervisor – also known as Virtual Machine Monitor (VMM) – will emulate the effects of the physical CPU it encounters,” said researchers.

Researchers also said there was an ongoing cat-and-mouse game between malware authors crafting evasion techniques to prevent effective analysis and sandbox authors researching novel ways to defeat those evasions.

Related Resource

2021 IBM Security X-Force Insider Threat Report

Top discovery methods and recommendations for insider attacks

White background with a black border on side - whitepaper from IBMFree download

“This is one of the main drivers that led us at Palo Alto Networks to build our own custom hypervisor for malware analysis. Since we have full control over the software stack, including the virtualization layer, we can react to new and emerging threats,” said researchers. 

“In this particular case, once we had identified the issue with the incorrect emulation of the trap flag, our hypervisor team was able to test and deploy a fix.”

Researchers have since been able to fix this evasion problem for any malware sample by deploying this technique.

Featured Resources

Defeating ransomware with unified security from WatchGuard

How SMBs can defend against the onslaught of ransomware attacks

Free download

The IT expert’s guide to AI and content management

How artificial intelligence and machine learning could be critical to your business

Free download

The path to CX excellence

Four stages to thrive in the experience economy

Free download

Becoming an experience-based business

Your blueprint for a strong digital foundation

Free download

Recommended

Ransomware hackers break off from Babuk to join a new group
ransomware

Ransomware hackers break off from Babuk to join a new group

9 Sep 2021
Evaluating S/4HANA and RISE as part of your digital transformation journey
Whitepaper

Evaluating S/4HANA and RISE as part of your digital transformation journey

8 Sep 2021
Extend SAP with AWS Analytics, AI/ML, and IoT Services
Whitepaper

Extend SAP with AWS Analytics, AI/ML, and IoT Services

8 Sep 2021
Ragnar Locker vows to leak data if victim contacts the police
ransomware

Ragnar Locker vows to leak data if victim contacts the police

7 Sep 2021

Most Popular

What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Apple patches zero-day flaw abused by infamous NSO exploit
exploits

Apple patches zero-day flaw abused by infamous NSO exploit

14 Sep 2021
Google takes down map showing homes of 111,000 Guntrader customers
data breaches

Google takes down map showing homes of 111,000 Guntrader customers

2 Sep 2021