May 2nd 2025
AI-created, human-edited.
In a recent episode of Security Now, hosts Steve Gibson and Leo Laporte discussed a concerning security development: threat actors are leveraging Windows Sandbox as a covert hiding place for malware. This sophisticated technique allows malicious software to operate undetected by antivirus solutions, including Windows Defender.
Windows Sandbox is a lightweight desktop environment introduced by Microsoft in December 2018. Available on Windows 10 and 11 (except Home editions), it allows users to safely run applications in isolation without affecting their main system. When closed, all software and files inside the sandbox are deleted, making it ideal for testing unknown applications.
As Gibson noted, Microsoft created an "impressively efficient and economical implementation" of virtualization that "got so many things right." However, this efficiency has now become a potential security liability.
A critical vulnerability exists in the Windows Sandbox design: Windows Defender is disabled by default within the sandbox and cannot be enabled through normal means. While this design choice makes sense for legitimate sandbox use, it creates a perfect hiding spot for malware.
According to the discussion, a Chinese cyber espionage group known as MirrorFace (also called Earth Kasha or APT10) has been actively exploiting Windows Sandbox since 2023. Their technique involves:
1. Gaining initial access to a system
2. Enabling Windows Sandbox
3. Launching it silently in the background
4. Using it as a platform to run malware undetected

What makes this attack particularly concerning is how the operators bypass Windows Sandbox's default behavior of appearing as a visible window. By using Task Scheduler to launch the sandbox under a different user account, the sandbox interface never appears on the logged-in user's screen.
As Gibson emphasized, Windows Sandbox's lightweight nature means victims won't notice unusual resource consumption that might otherwise alert them to the presence of malware.
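An added audit script (not from the episode or this article) that looks for the two traces the technique described above leaves on a host: the Windows Sandbox optional feature being enabled, and scheduled tasks whose action launches WindowsSandbox.exe or WSB.exe, especially under an account other than the logged-in user. It assumes an elevated PowerShell session on Windows 10/11 and that the feature's DISM name is Containers-DisposableClientVM.

```powershell
# Added audit script, not the episode's or Microsoft's code. Run elevated so
# Get-WindowsOptionalFeature works and Get-ScheduledTask sees every user's tasks.
$SandboxBinaries = @('WindowsSandbox.exe', 'WSB.exe')

function Get-SandboxFeatureState {
    # Assumption: 'Containers-DisposableClientVM' is the DISM name of Windows Sandbox.
    $f = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
    return $f.State          # Enabled / Disabled / DisabledWithPayloadRemoved
}

function Find-SandboxTasks {
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # Only "start a program" actions carry an Execute property.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
            if ($SandboxBinaries -notcontains $exe) { continue }
            $runAs = $task.Principal.UserId
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                RunAsUser = $runAs
                Hidden    = $task.Settings.Hidden
                Arguments = $action.Arguments
                # A sandbox started for another account never shows on this user's desktop,
                # which is the evasion the episode describes. Heuristic: name comparison only.
                OtherUser = [bool]($runAs -and $runAs -ne $current)
            }
        }
    }
}

$state = Get-SandboxFeatureState
Write-Host "Windows Sandbox feature state: $state"
$hits = @(Find-SandboxTasks)
if ($hits.Count -eq 0) {
    Write-Host 'No scheduled task launches WindowsSandbox.exe or WSB.exe.'
} else {
    Write-Warning "$($hits.Count) scheduled task(s) launch the sandbox; review OtherUser=True entries first."
    $hits | Format-Table -AutoSize
}
```

A task that launches the sandbox under a different account on a machine where nobody uses Windows Sandbox is the combination worth investigating; an enabled feature on its own is only a weak signal.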
This technique appears to be a method first documented by security researcher Lloyd Davies in 2020. Recent enhancements to Windows Sandbox in Windows 11 have made the vulnerability even more exploitable:
- The addition of the `WSB.exe` command allows sandbox execution via the command line
- Sandboxes can now run in the background without user awareness
- Configurations can be set without WSB files, leaving fewer forensic artifacts
- Data persistence has improved, allowing for longer-term attacker operations

Gibson predicts this technique will spread rapidly to other threat actors, with ransomware gangs likely to be early adopters. Some ransomware groups already use similar approaches, installing full virtual machine suites to encrypt files that security tools can't detect.
The clipboard sharing feature of Windows Sandbox creates additional risks, as Gibson compared it to "having a malicious instance of Windows Recall running unseen in the background," potentially capturing sensitive information like cryptocurrency wallet addresses.
Gibson offered several defensive strategies:
Option 1: Disable Virtualization at BIOS/UEFI Level
The most effective protection is disabling the Intel VT-x extensions at the firmware level. This prevents all virtualization functionality, including Windows Sandbox, and works well for users who don't need virtualization for legitimate purposes.
Option 2: Use Windows AppLocker
For those who need virtualization but want to prevent Sandbox abuse:
- Configure AppLocker through group policies (enterprise) or local security policy
- Block execution of "WindowsSandbox.exe" in the System32 directory
- On Windows 11, also block the "WSB.exe" command

Gibson emphasized that while concerning, this vulnerability requires malware to have access to your system already. "I'm not suggesting that this is the sky is falling," he noted, explaining that existing defenses still function to prevent initial infection.
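An added example (not from the episode or this article) of the AppLocker configuration Gibson describes, applied to the local policy with PowerShell. It assumes an elevated session on an edition that supports AppLocker, that WSB.exe lives in System32 alongside WindowsSandbox.exe, and the rule GUIDs are constructed placeholders.

```powershell
# Added example, not the episode's or Microsoft's code. Once any rule exists in the Exe
# collection AppLocker blocks everything not explicitly allowed, so the standard default
# allow rules are included; deny rules always take precedence over allow rules.
# Assumption: WSB.exe is in %SYSTEM32%; the rule Ids are constructed placeholder GUIDs.
$policyXml = @'
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000001" Name="Deny Windows Sandbox host" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WindowsSandbox.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000002" Name="Deny WSB command (Windows 11)" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%SYSTEM32%\WSB.exe" /></Conditions>
    </FilePathRule>
    <!-- Default allow rules so the rest of the OS keeps running -->
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000003" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000004" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="a1b2c3d4-0000-4000-8000-000000000005" Name="Allow Administrators everything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
'@

$path = Join-Path $env:TEMP 'deny-sandbox.xml'
Set-Content -Path $path -Value $policyXml -Encoding UTF8

# Dry run: Test-AppLockerPolicy reports the decision each file would get under this policy.
# notepad.exe is included as a control that must still be allowed.
$probe = @("$env:SystemRoot\System32\WindowsSandbox.exe",
           "$env:SystemRoot\System32\WSB.exe",
           "$env:SystemRoot\System32\notepad.exe") | Where-Object { Test-Path $_ }
Test-AppLockerPolicy -XmlPolicy $path -User Everyone -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Apply to the local policy, merging with existing rules rather than replacing them.
Set-AppLockerPolicy -XmlPolicy $path -Merge
# AppLocker is only enforced while the Application Identity service runs; it is a
# protected service, so configure it with sc.exe rather than Set-Service.
sc.exe config appidsvc start= auto
sc.exe start appidsvc
```

The Windows edition of the targeted machine must support AppLocker enforcement; on editions that don't, the policy is accepted but nothing is blocked, so confirm the dry-run decisions with a real launch attempt afterwards.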
However, he warned that since bad actors are already installing full virtual machine software on compromised systems, they're "sure going to be trying the Windows Sandbox first" given its built-in availability and efficiency.
This development represents a significant evolution in malware evasion techniques. As virtualization becomes more integrated into operating systems, security professionals must adapt their detection and prevention strategies accordingly.
For everyday users, understanding this risk reinforces the importance of preventing initial malware infection through good security practices, while also considering the specific mitigations Gibson outlined if you don't actively use Windows Sandbox functionality.
Source: Security Now #1023, Apr 29 2025 - Preventing Windows Sandbox Abuse