Tuesday, August 26, 2025

RomCom’s Deliciously Simple Anti-Sandbox Trick

Not every evasion technique needs to be fancy. Some are so simple they’re almost… elegant. That’s the case with the Russian RomCom group, who’ve been running with a registry check that feels almost too obvious to work — and yet it does.

Before the Payload, a Quick Reality Check

RomCom’s initial downloader doesn’t rush to pull down second-stage malware. Instead, it pauses to ask: “Am I really on a victim’s machine, or am I trapped inside some analyst’s sandbox?”

The way it answers this question is by poking at a very ordinary spot in the Windows Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs, as the name suggests, records the files the user has recently opened. If the downloader finds fewer than a certain number of entries there (in 2024 the threshold was 100; a later sample lowered it to 69), it concludes that this is not a normal user device (nobody is opening files on it!) but a sandbox, and it stops without downloading the rest of the malware.
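To see whether an analysis VM would trip this check, here is an added PowerShell audit script (not from the post and not RomCom code) that counts the entries under the RecentDocs key the post names and compares the count with the two thresholds the post quotes; it assumes it runs under the same user profile that a sample would, since the key lives in HKCU.

```powershell
# Added example: audit a Windows analysis VM against the RecentDocs count check.
# Key path and thresholds (100 and 69) are the values quoted in the post.
$RecentDocsPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
$Thresholds     = @(100, 69)

function Get-RecentDocsCount {
    param([string]$Path = $RecentDocsPath)
    if (-not (Test-Path -Path $Path)) { return 0 }   # key absent: fresh profile, count is zero
    $key = Get-Item -Path $Path
    # Explorer stores one binary value per recently opened file, named 0, 1, 2, ...
    # MRUListEx only holds the ordering, so it is excluded from the count.
    $entries = $key.GetValueNames() | Where-Object { $_ -match '^\d+$' }
    return @($entries).Count
}

function Test-LivedIn {
    param([int]$Count, [int[]]$Limits = $Thresholds)
    $results = @()
    foreach ($limit in $Limits) {
        $results += [pscustomobject]@{
            Threshold = $limit
            Entries   = $Count
            # $true means a downloader using this threshold would treat the host as a real user's machine
            PassesAsUser = ($Count -ge $limit)
        }
    }
    return $results
}

$count = Get-RecentDocsCount
Test-LivedIn -Count $count | Format-Table -AutoSize
if ($count -lt ($Thresholds | Measure-Object -Minimum).Minimum) {
    Write-Warning "RecentDocs has only $count entries; this VM does not look 'lived in' and the downloader would exit before fetching its payload."
}
```

Run it as the low-privilege analysis user, not as an administrator whose profile may differ from the one the sample is detonated under.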

Why It Works

  • It’s dirt simple. No advanced code injection, no kernel gymnastics. Just reading a registry value.

  • It blends in. A single registry check doesn’t set off many alarms.

  • It nails the target. Most sandboxes don’t bother faking user behavior at the level of “open 100 random files.”

And that’s the beauty of it.

The Takeaway

RomCom is a reminder that adversaries don’t always need to reinvent the wheel. Sometimes, the most effective anti-analysis check is hiding in plain sight, built around the fact that humans use their machines very differently than sandboxes do.

For defenders and sandbox builders: if your environment doesn’t look “lived in,” you’re going to miss tricks like this.

Reference articles:

https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/

https://unit42.paloaltonetworks.com/snipbot-romcom-malware-variant/

Post by newWorld
