Malware authors are evolving as quickly as the AV and security vendors are. Here are some examples of how evasive techniques were implemented in attacks that hit the headlines.
If you’ve been following industry news, many recent highlighted malware infections talk about the impact of a malware infection, but do little to detail why these attacks are successful. While a portion of malware is stopped by AV and next gen AV solutions, cybercriminals are turning to the art of evasion to ensure infection. Even non-evasive malware, in general, is already a tough target to address:
- Malware is Rarely the Same Twice – According to a joint report from BT and KPMG, 99% of malware is used for under one minute before the sample is changed to evade security software. This means nearly every piece of malware is unique, making it extremely difficult for legacy AV solutions to detect.
- It’s Readily Available – With the convenience of malware-as-a-service (where you can purchase everything from malware components to malware creation and delivery), the ability for anyone to become a malware “author” is just one source in a steep rise in the amount of ransomware present.
But with so many layers of defense in place by organizations, cybercriminals are adding the use of evasive techniques – such as remaining dormant in environments using solutions designed to spot malware, scanning for analysis and debugging tools, and direct memory injection – all in the interest of keeping their malware from being detected.
Take the example of IronGate, a piece of malware designed to attack specific industrial control systems (ICS). When successful, IronGate either shuts down or overloads critical systems, causing damage, while simultaneously updating monitoring systems that nothing is wrong. Because of the targeted and devastating nature of the malware, it’s critical that, like the damage done to an ICS, the infection itself must also go unnoticed.
IronGate uses a number of evasive techniques to avoid being detected:
- It uses six different droppers to install the malware. This is done in order to increase the chances a given AV tool may not recognize a dropper as being malicious.
- It queries the environment looking for virtual environments used to either detonate or observe the malware (specifically, VMware and Cuckoo Sandboxes). Should it identify such an environment, it remains dormant, avoiding detection.
- If able to run, IronGate replaces a valid control system DLL with an altered version that allows IronGate to achieve system persistence (as part of the ICS), while performing a man-in-the-middle attack, sending harmful commands to the ICS and good monitoring data to the monitoring system.
Another more common instance of malware is the ransomware known as Cerber, which successfully bypassed machine learning solutions. To avoid detection, Cerber looks for 28 processes to see if a debugger is installed to detect malware, to confirm the presence of virtual machines, or to identify the presence of a sandbox. Should any of the checks come back positive, Cerber remains dormant, avoiding detection.
Learning from the Examples
While these are only two examples of evasive techniques, they help to make the case that malware authors are evolving as quickly as the AV and security vendors are. With malware evolving to even outwit the almighty machine learning detection within AV solutions, it’s time to learn the lesson that it’s time to rethink your security strategy. Detection alone isn’t going to protect the organization. What’s needed is a layer of defense designed to stop evasive malware from ever running.
Learn more about why you need to update your Anti-Malware strategy by reading the whitepaper Evasive Malware: How and Why your Anti-Malware Strategy Needs to Evolve Beyond AV.