Malware often tries to determine if it’s in a sandbox and if so, performs different functions than when it is on an endpoint system. Malware enters a loop and tries to connect to www.google.com. If the malware connects successfully, it goes on and does bad things. If not, it sleeps and does it again. And again. Good news for sandbox evasion: until the malware successfully connects to Google, there’s no way that you’ll see anything bad. For this (and other) reasons, this malware had really low detection and had no trouble bypassing antivirus.
Source: http://malwarejake.blogspot.com/2017/01/novel-malware-sandbox-evasion.html
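
A defender-side check for the behaviour described above, as an added example that is not from the original post: it scans sandbox network events and flags a run whose only network activity is failed connection attempts to one host at a steady interval, so a quiet report is treated as inconclusive rather than clean. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sandbox telemetry: (seconds since start, destination host, connect succeeded)
SAMPLE_EVENTS = [
    (5.0, "www.google.com", False),
    (65.1, "www.google.com", False),
    (125.0, "www.google.com", False),
    (185.2, "www.google.com", False),
    (245.1, "www.google.com", False),
]

def connectivity_gate_suspects(events, min_attempts=4, max_jitter=2.0):
    """Return hosts that were retried at a steady interval and never reached.

    Heuristic (thresholds are assumptions): at least min_attempts connection
    attempts to a host, all failed, near-constant gaps between attempts
    (a sleep-and-retry loop), and no successful connection in the whole run.
    """
    if any(ok for _, _, ok in events):
        return []  # the sample got online, so a connectivity gate was not holding it
    by_host = defaultdict(list)
    for ts, host, _ in sorted(events):
        by_host[host].append(ts)
    suspects = []
    for host, times in by_host.items():
        if len(times) < min_attempts:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter:
            mean_gap = round(sum(gaps) / len(gaps), 1)
            suspects.append((host, len(times), mean_gap))
    return suspects

def verdict(events):
    """Downgrade a quiet run to 'inconclusive' when a retry loop is present."""
    suspects = connectivity_gate_suspects(events)
    if suspects:
        return "inconclusive: possible connectivity-gated evasion", suspects
    return "no gate pattern observed", []

if __name__ == "__main__":
    print(verdict(SAMPLE_EVENTS))
```

A run flagged this way is a candidate for re-analysis in an environment where the connectivity check can succeed or is simulated.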

