How the New Upatre Variant Evades Dynamic Sandboxes

The article explains two simple yet effective sandbox‑evasion techniques used by a new Upatre Trojan variant—checking system uptime via GetTickCount and monitoring mouse movement—to bypass dynamic analysis environments and remain undetected by antivirus scanners.

ITPUB

Since sandbox technology was introduced to contain malware, attackers have continuously developed sandbox‑evasion methods. Researchers at NSFOCUS discovered that a new Upatre Trojan variant employs two straightforward techniques to avoid detection by dynamic sandbox engines.

Upatre Sandbox‑Evasion Techniques

The variant shows a low detection rate on VirusTotal, indicating that modern malware can increasingly evade antivirus products.

1. Checking System Uptime

Dynamic analysis platforms typically install a fresh OS image and run the sample shortly after boot, often within ten minutes. The Upatre sample calls GetTickCount to obtain the number of milliseconds since system start. If the uptime is less than 12 minutes (approximately 720,600 ms), the malware terminates without executing malicious behavior.

[Figure: GetTickCount check]

2. Monitoring Mouse Position

The second technique exploits the fact that most automated sandbox environments run without human interaction. The sample checks whether the mouse cursor moves; if the position remains static, it assumes it is inside a sandbox and refrains from malicious actions. Any mouse movement causes the loop to exit and the payload to continue.

[Figure: Mouse position check]
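Both checks leave a recognisable footprint in a sandbox's API-call trace: GetTickCount followed almost immediately by process exit, or a run of GetCursorPos calls that all return the same point before the sample quits. The script below is an added example written for this summary, not code from NSFOCUS or from the Upatre sample. It parses a constructed trace format (`<seq> <Api>(<args>) = <ret>`, an assumption), flags each of the two patterns, and names the environment adjustment an analyst would apply on rerun (advancing the tick counter, injecting cursor movement). The 720,600 ms threshold is the value quoted above; the 20-call exit window and the three-poll minimum are assumed tuning values.

```python
"""Triage two Upatre-style evasion patterns in a sandbox API-call trace.

Constructed example: the trace format, thresholds and sample lines are
assumptions for illustration, not output of any real sandbox product.
"""
import re
from dataclasses import dataclass

UPTIME_THRESHOLD_MS = 720_600   # threshold quoted in the article (about 12 minutes)
EARLY_EXIT_WINDOW = 20          # assumption: calls allowed between GetTickCount and exit
EXIT_APIS = {"ExitProcess", "TerminateProcess", "NtTerminateProcess"}

# Assumed trace line shape: "<seq> <Api>(<args>) = <ret>" (ret is optional)
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\((.*)\)(?:\s*=\s*(.*))?$")
POINT_RE = re.compile(r"\((-?\d+),\s*(-?\d+)\)")


@dataclass
class Call:
    seq: int
    api: str
    args: str
    ret: str


def parse_trace(text):
    """Parse trace lines into Call records, skipping lines that do not match."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, api, args, ret = m.groups()
            calls.append(Call(int(seq), api, args, ret or ""))
    return calls


def detect_uptime_check(calls):
    """GetTickCount below the threshold followed by a quick exit: the uptime gate."""
    for i, c in enumerate(calls):
        if c.api != "GetTickCount" or not c.ret.isdigit():
            continue
        ticks = int(c.ret)
        for distance, later in enumerate(calls[i + 1:i + 1 + EARLY_EXIT_WINDOW], 1):
            if later.api in EXIT_APIS and ticks < UPTIME_THRESHOLD_MS:
                return {"technique": "uptime_check", "uptime_ms": ticks,
                        "calls_before_exit": distance}
    return None


def detect_cursor_poll(calls, min_polls=3):
    """Repeated GetCursorPos returning the same point (only Sleep between): the idle-mouse gate."""
    run, last, longest = 0, None, 0
    for c in calls:
        if c.api == "GetCursorPos":
            m = POINT_RE.search(c.args)
            pt = (int(m.group(1)), int(m.group(2))) if m else None
            run = run + 1 if pt is not None and pt == last else 1
            last, longest = pt, max(longest, run)
        elif c.api != "Sleep":      # any other activity breaks the polling run
            run, last = 0, None
    if longest >= min_polls:
        return {"technique": "idle_cursor_check", "identical_polls": longest}
    return None


SANDBOX_ADJUSTMENT = {
    "uptime_check": "rerun with the tick counter advanced past the threshold",
    "idle_cursor_check": "rerun with synthetic cursor movement injected",
}


def triage(trace_text):
    """Return every matched evasion pattern with the sandbox adjustment to retry."""
    calls = parse_trace(trace_text)
    findings = [f for f in (detect_uptime_check(calls), detect_cursor_poll(calls)) if f]
    for f in findings:
        f["sandbox_adjustment"] = SANDBOX_ADJUSTMENT[f["technique"]]
    return findings


# Constructed traces (not captured from the real sample).
TRACE_UPTIME_GATE = """\
0001 GetModuleHandleW(lpModuleName=kernel32.dll) = 0x76f00000
0002 GetTickCount() = 245311
0003 ExitProcess(uExitCode=0)
"""

TRACE_IDLE_CURSOR = """\
0001 GetTickCount() = 1834022
0002 GetCursorPos(lpPoint=(512, 384)) = TRUE
0003 Sleep(dwMilliseconds=500)
0004 GetCursorPos(lpPoint=(512, 384)) = TRUE
0005 Sleep(dwMilliseconds=500)
0006 GetCursorPos(lpPoint=(512, 384)) = TRUE
0007 Sleep(dwMilliseconds=500)
0008 GetCursorPos(lpPoint=(512, 384)) = TRUE
0009 ExitProcess(uExitCode=0)
"""

TRACE_BENIGN = """\
0001 GetTickCount() = 9812345
0002 CreateFileW(lpFileName=C:/temp/report.txt) = 0x1a4
0003 WriteFile(hFile=0x1a4, nNumberOfBytesToWrite=64) = TRUE
0004 ExitProcess(uExitCode=0)
"""

if __name__ == "__main__":
    for name, trace in [("uptime", TRACE_UPTIME_GATE), ("cursor", TRACE_IDLE_CURSOR),
                        ("benign", TRACE_BENIGN)]:
        print(name, triage(trace))
```

The two detectors are deliberately narrow: a benign program that reads the tick count and then does real work (the third trace) produces no finding, because the uptime heuristic requires an exit with no intervening activity, and the cursor heuristic only counts consecutive identical polls separated by nothing but Sleep. An analysis pipeline would use these findings to schedule a second detonation with the adjusted environment rather than to classify the sample on their own.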

Conclusion

The latest Upatre samples demonstrate a clear evolution in anti‑sandbox tactics, moving beyond classic checks like IsDebuggerPresent to more nuanced methods such as CPU core count and PEB inspection. As sandbox‑evasion techniques become more sophisticated, defensive tools must adapt rapidly to keep pace.

Written by ITPUB

Official ITPUB account sharing technical insights, community news, and exciting events.