Think Inside the Box: In-the-Wild Abuse of Windows Sandbox in Targeted Attacks
Windows Sandbox is a lightweight virtualization feature, announced in late 2018 and shipped with Windows 10 version 1903, that provides a disposable, isolated desktop for quickly testing suspicious applications. The same isolation that protects the host, however, can serve as a "magic cloak" for adversaries: anything that runs inside the sandbox is out of reach of the security agents installed on the host.
In 2024, we observed the APT group Earth Kasha, believed to operate under the APT10 umbrella, abusing Windows Sandbox in a targeted intrusion. After gaining control of the target machine through a backdoor named "ANEL," delivered by a spear-phishing email, the adversary uploaded several components in order to deploy a secondary payload, dubbed "NOOPDOOR," inside Windows Sandbox. First, the adversary configured the sandbox with a .wsb file that left network access enabled and mapped a host folder into the sandbox, giving code inside the sandbox access to host files. Next, they executed an installer script that extracted the NOOPDOOR components from a password-protected WinRAR archive and launched the backdoor inside the sandbox. Finally, the adversary routed the backdoor's traffic through the Tor client to obscure its command-and-control communication. Because the sandbox runs as a separate Hyper-V-based container in which the host's EPP and EDR sensors are not present, these techniques kept the malicious activity out of the host-based telemetry those products rely on.
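The attack chain above hinges on three settings in the .wsb file: networking left on, a host folder mapped read-write, and a LogonCommand that starts the installer as soon as the sandbox boots. The following script is an added hunting example, not code from the talk or from Trend Micro; it triages .wsb files for exactly those settings. Both .wsb documents embedded in it are constructed for illustration (the paths, the `stage` folder and `install.bat` are assumptions, not artifacts from the intrusion), and the element names and defaults follow Microsoft's documented Windows Sandbox configuration schema.

```python
"""Triage Windows Sandbox (.wsb) configuration files for the settings that make
the sandbox useful to an attacker: outbound networking left on, a mapped host
folder that is writable from inside the sandbox, and a LogonCommand that runs
as soon as the sandbox starts.  Added example; the two .wsb documents below
are constructed for illustration, not recovered from a real intrusion."""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed attacker-style configuration: networking left at its default
# (enabled), a read-write mapped folder under a host path, and an installer
# script (hypothetical name) kicked off at logon.
ATTACKER_WSB = """<Configuration>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Users\\Public\\Downloads\\stage</HostFolder>
      <SandboxFolder>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\\Users\\WDAGUtilityAccount\\Desktop\\stage\\install.bat</Command>
  </LogonCommand>
</Configuration>"""

# Constructed benign analyst configuration: no network, a read-only mapped
# folder, nothing started automatically.
ANALYST_WSB = """<Configuration>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\\Samples</HostFolder>
      <SandboxFolder>C:\\Users\\WDAGUtilityAccount\\Desktop\\Samples</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>"""


def triage_wsb(xml_text: str) -> list[str]:
    """Return the findings for one .wsb document; an empty list means none of
    the risky settings is present."""
    root = ET.fromstring(xml_text)
    findings = []

    # <Networking> is enabled when the element is absent or "Default"; only an
    # explicit "Disable" cuts the sandbox off from the network.
    net = (root.findtext("Networking") or "Default").strip()
    if net.lower() != "disable":
        findings.append("networking enabled (Networking=%s)" % net)

    # A mapped folder is the hand-off point between host and sandbox.
    # <ReadOnly> defaults to false, so a missing element is as bad as "false".
    for mf in root.iter("MappedFolder"):
        host = (mf.findtext("HostFolder") or "").strip()
        read_only = (mf.findtext("ReadOnly") or "false").strip().lower()
        if read_only != "true":
            findings.append("writable mapped folder: %s" % host)

    # <LogonCommand> runs inside the sandbox at boot; an interactive analyst
    # rarely needs it, an unattended installer always does.
    cmd = root.findtext("LogonCommand/Command")
    if cmd and cmd.strip():
        findings.append("LogonCommand: %s" % cmd.strip())
    return findings


def scan_directory(folder: Path) -> dict[str, list[str]]:
    """Triage every *.wsb below folder. Malformed files are reported as a
    finding rather than skipped, since a deliberately broken file is itself
    worth a look."""
    results = {}
    for path in folder.rglob("*.wsb"):
        try:
            # .wsb files saved from Notepad often carry a UTF-8 BOM.
            results[str(path)] = triage_wsb(path.read_text(encoding="utf-8-sig"))
        except ET.ParseError as exc:
            results[str(path)] = ["unparseable .wsb: %s" % exc]
    return results


if __name__ == "__main__":
    for name, doc in (("attacker.wsb", ATTACKER_WSB), ("analyst.wsb", ANALYST_WSB)):
        print(name, "->", triage_wsb(doc) or "no findings")
```

Run `scan_directory(Path("C:/Users"))` on a host to sweep user profiles; on a fleet, the same three checks translate directly into a hunt over any telemetry that records .wsb file contents or the command lines passed to WindowsSandbox.exe. Note that the rules deliberately treat an absent `<Networking>` or `<ReadOnly>` element as the risky value, because the schema's defaults favour the attacker.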
This presentation covers the fundamentals of Windows Sandbox, provides a detailed analysis of the TTPs used for defense evasion, and discusses actionable countermeasures for prevention and threat hunting.
By:
Hiroaki Hara | Senior Threat Researcher, Trend Micro
Full Abstract and Presentation Materials Available:
https://www.blackhat.com/asia-25/briefings/schedule/#think-inside-the-box-in-the-wild-abuse-of-windows-sandbox-in-targeted-attacks-44095