{
	"id": "61f7cdab-521c-49dc-874f-a6fb6999f9a1",
	"created_at": "2026-04-06T00:08:10.481469Z",
	"updated_at": "2026-04-10T03:21:49.595009Z",
	"deleted_at": null,
	"sha1_hash": "7140662e65daac6cc09cfc8f489501f25c0c5323",
	"title": "Nitol Botnet makes a resurgence with evasive sandbox analysis technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 213638,
	"plain_text": "Nitol Botnet makes a resurgence with evasive sandbox analysis\r\ntechnique\r\nBy Amit Malik\r\nPublished: 2016-10-14 · Archived: 2026-04-05 16:28:34 UTC\r\nTags\r\nCloud Best Practices\r\nCloud Malware\r\nCloud Security\r\nEvasive Malware\r\nNetskope Threat Research Labs\r\nNitol\r\nOffice Macro\r\nTools and Tips\r\nIntroduction\r\nNetskope Threat Research Labs recently observed a strain of macro-based malware that uses fairly smart\r\ntechniques to bypass malware sandbox analysis. The macro code is obfuscated and uses a multi-stage attack\r\nmethodology to compromise the endpoint machines. Netskope Active Threat Protection detects and mitigates this\r\nmacro-based malware as W97m.Downloader.\r\nBypass the Malware Sandbox Analysis\r\nAlthough bypassing sandbox analysis is not new for malware, this strain of malware uses a novel technique to\r\nbypass analysis. Specifically, the malicious macro-based documents we observed use two methods to bypass\r\nsandbox analysis.\r\nPassword Protection: The documents that we have observed are password protected, thus bypassing the\r\nsandbox entirely. The process to enter the password is a complex user interaction event, so it is difficult for\r\nautomated analysis technologies (like a sandbox) to emulate this event. Figure 1 shows a password prompt\r\nwhile opening one such malicious macro-based document.\r\nhttps://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique\r\nPage 1 of 11\n\nFigure 1. Password prompt while opening a protected malicious document\r\nDelayed Execution: Typical malware uses instructions such as sleep or other methods like stalling “for\r\nloops” or date and time checks to delay the execution in a sandbox, effectively bypassing the analysis. In\r\ncase of these macro-based malware documents, we have observed that they use the “ping” utility to delay\r\nthe execution. 
The malware invokes the command “ping 8.8.8.8 -n 250” and waits for the ping process to\r\ncomplete the execution. This typically takes a long time to complete (sometimes as long as approximately\r\n5 minutes) and in most cases is enough to bypass the sandbox analysis since sandboxes are typically\r\nconfigured with a smaller time threshold for executing samples. The ping command has long been used,\r\nmostly to ensure the connectivity to the Internet. In this case, however, the use of the ping command to\r\ndelay the execution of a sample is novel. Figure 2 shows the snapshot from the process explorer indicating\r\nthe ping command being invoked by the execution of a malicious document.\r\nFigure 2: Sample using ping command for delayed execution\r\nMalicious Document Execution Analysis\r\nAnalysis of vbscript\r\nThe macro code in the malicious document drops and executes a vbscript (vbs) file as shown in Figure 2. The\r\ndropped vbscript file is responsible for downloading and executing the second stage payload. The vbscript file was\r\nobfuscated and for the purpose of demonstration in this blog we will use the debug feature of the vbscript editor to\r\ndeobfuscate the file content.\r\nFigure 3: Vbscript deobfuscation using vbscript editor\r\nAs shown in Figure 3, the vbscript file launches the “ping” utility to delay the execution and after that connects to\r\n“https://doktrine.fr/mg.txt” domain to download the second stage payload. The vbscript then saves the\r\ndownloaded payload to the disk with a “.qsb” extension.\r\nThe payload in the “.qsb” file is xor encoded. The vbscript will decode the “.qsb” file and write the content to another\r\nfile with “.fyn” extension and execute the file. 
Figure 4 and Figure 5 show the “.qsb” decoding routine and the\r\nexecution of the “.fyn” file.\r\nFigure 4: “.qsb” file decoding routine\r\nFigure 5: Executing “.fyn” file\r\nAnalysis of .fyn (PE) file\r\nThe file with the “.fyn” extension is a Windows executable file. As shown in Figure 6, the execution started in the code\r\nsection and then jumped to the marked region. The density of the API calls is higher in the region, indicating the\r\nexecution of the unpacked code.\r\nFigure 6: Distribution of API calls in the process address space\r\nAs shown in Figure 7, there is a region of the code which is checking if the execution environment is VMware\r\nusing process enumeration.\r\nFigure 7: Code checking for VMware execution environment\r\nThe code also checks for active debugging using GetTickCount. After these checks the code will search for the default\r\nbrowser in the http//shell/open//command registry. 
After that, it will create a browser process in suspended mode and\r\nthen it will unmap and write the browser process memory with a UPX compressed file as shown in Figure 8 and\r\nFigure 9 respectively.\r\nFigure 8: Create Process in suspended mode\r\nFigure 9: Write the browser process memory with UPX compressed file.\r\nAnalysis of UPX compressed file (Nitol Botnet)\r\nThe UPX compressed file is a Nitol botnet binary. Nitol is a very old botnet and its C\u0026C server domains are\r\ncurrently sinkholed. During our analysis, the binary tried to connect to d.googlex.me which is currently not active.\r\nIt is interesting to note that the same domain was referenced as a C\u0026C server in a blog published by McAfee in\r\nFebruary 2016 on the Hydracrypt ransomware.\r\nIt is currently not clear if the attackers are using Nitol binaries as a placeholder for future threats or if they are\r\ntesting a new attack methodology.\r\nNetskope Detection \u0026 Remediation\r\nNetskope Active Threat Protection detects these malicious macro-based documents as W97m.Downloader.\r\nCustomers who have deployed the Netskope Active Platform and Netskope Introspection can set the respective\r\nmalware \u0026 threat detection policies to detect and remediate against this malware.\r\nIOC\r\nSource: https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
	],
	"report_names": [
		"nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique"
	],
	"threat_actors": [],
	"ts_created_at": 1775434090,
	"ts_updated_at": 1775791309,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7140662e65daac6cc09cfc8f489501f25c0c5323.pdf",
		"text": "https://archive.orkl.eu/7140662e65daac6cc09cfc8f489501f25c0c5323.txt",
		"img": "https://archive.orkl.eu/7140662e65daac6cc09cfc8f489501f25c0c5323.jpg"
	}
}