https://threatpost.com/dyre-banking-trojan-jumps-out-of-sandbox/112533
Watch out for more stuff like this in the future. And by "watch out", I mean implement more bandwidth-throttling security solutions on the internal network.
"We need to have 10G throughput to and from the data center!"
"Sure, I'll make sure the hackers have 10G throughput to and from the data center as they rob us blind. I'll just turn off the firewall and IPS. You got it."
That's pretty neat actually, checking for the number of cores. Wonder if Palo Alto's Wildfire sandboxes also run on one core. I suppose they can easily fix this by using multicore sandboxes.
Wildfire runs on the cloud (yes, there is a dedicated hardware appliance you can buy, but it would cost more $).
Sandboxes are pretty clearly an arms race, as hackers learn to detect them and sandbox providers learn to countermeasure the detection.
Note that in this case, they don't actually have to be multicore systems, but they simply need to claim to be.
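The point raised in the two comments above (the core-count check, and the observation that the VM only has to report plausible values) is easiest to act on with a self-audit script run inside the analysis VM. The script below is an added example and not from the article or any commenter: it reads the guest-visible properties an unprivileged program can see (logical processors, physical RAM, uptime), compares them with a constructed "looks like a real workstation" baseline, and exits non-zero if anything falls short. The baseline numbers and the `BASELINE`, `collect_profile` and `audit_profile` names are assumptions for this example; the RAM and uptime readings are POSIX/Linux only and are reported as unreadable elsewhere.

```python
"""Sandbox self-audit: check what a detonation VM exposes to the guest.

Run inside the analysis VM after changing its hypervisor settings (for QEMU,
for instance, the -smp option controls the advertised CPU topology). A single
vCPU host can present several cores to the guest; this script confirms what
the guest actually sees.
"""
import os
import sys

# Constructed baseline (assumption): a typical end-user machine. Tune it to
# the fleet the sandbox is meant to resemble.
BASELINE = {
    "cores": 2,          # minimum logical processors
    "ram_gb": 4.0,       # minimum physical memory, GiB
    "uptime_sec": 600,   # minimum seconds since boot
}


def collect_profile():
    """Read guest-visible properties; values that cannot be read are None."""
    profile = {"cores": os.cpu_count(), "ram_gb": None, "uptime_sec": None}
    try:  # POSIX only: os.sysconf is absent on Windows (AttributeError)
        pages = os.sysconf("SC_PHYS_PAGES")
        page_size = os.sysconf("SC_PAGE_SIZE")
        profile["ram_gb"] = pages * page_size / (1024 ** 3)
    except (ValueError, OSError, AttributeError):
        pass
    try:  # Linux only: first field of /proc/uptime is seconds since boot
        with open("/proc/uptime") as fh:
            profile["uptime_sec"] = float(fh.read().split()[0])
    except (OSError, ValueError, IndexError):
        pass
    return profile


def audit_profile(profile, baseline=BASELINE):
    """Return a list of findings; an empty list means every value meets baseline."""
    findings = []
    for key, minimum in baseline.items():
        value = profile.get(key)
        if value is None:
            findings.append(f"{key}: could not be read on this platform")
        elif value < minimum:
            findings.append(f"{key}: reports {value}, baseline is at least {minimum}")
    return findings


if __name__ == "__main__":
    prof = collect_profile()
    problems = audit_profile(prof)
    for name, value in prof.items():
        print(f"{name:>10}: {value}")
    if problems:
        print("FINDINGS:")
        for finding in problems:
            print("  -", finding)
        sys.exit(1)
    print("profile meets baseline")
```

The audit deliberately separates collection from judgement: `audit_profile` takes a plain dict, so the same thresholds can be checked against values exported from a hypervisor inventory without running anything in the guest, and a missing reading is reported rather than silently passing.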
Similar to the time-bomb stuff they were doing. Sandboxes came along, then malware started sleeping for x minutes/hours before detonating, then sandboxes started accelerating time, and then malware started doing nontrivial calculations to pass the time instead of sleeping. I'm not sure how the sandboxes are getting around that, but my understanding is that they are.