Hide and Seek

There’s no single solution for detecting and defeating increasingly evasive malware.

Malware authors have become practiced at the art of deception, leveraging a multitude of techniques to disguise malicious payloads from conventional network security measures. The spread of evasive malware that can mutate and alter characteristics to avoid detection has reached epidemic proportions, according to researchers.

More than two-thirds of malware infections detected in Q4 2021 were delivered via encrypted connections and 78 percent of those were evasive threats, according to WatchGuard Technologies’ most recent quarterly Internet Security Report. Evasive malware can change its identifiable features to elude traditional signature-based defenses designed to search for specific characteristics of known malware strains.

“Evasive malware rates have actually eclipsed those of traditional threats, which is yet another sign that organizations need to evolve their defenses to stay ahead of increasingly sophisticated threat actors,” said Corey Nachreiner, chief security officer at WatchGuard. “Traditional anti-malware solutions alone are simply insufficient for today’s threat environment.”

The Return of Emotet

One particular strain of evasive malware is on the rise again. Researchers say Emotet, which has been called the “most dangerous malware in the world,” is experiencing a pronounced resurgence just a year after an international collective of law enforcement agencies took down a massive botnet responsible for its spread.

In March, Check Point researchers said Emotet was once again the world’s most widely deployed malware, impacting as much as 10 percent of all organizations worldwide. Typically spread via phishing emails, the malware establishes a backdoor that hackers can use to load ransomware, trojans and bot recruiters.

Emotet is considered a type of polymorphic malware, capable of continually changing its codebase to avoid detection. The malware alters its signature by changing characteristics such as file names and encryption keys, making it undetectable by pattern-matching solutions. Some studies suggest that more than 90 percent of all malware today may be polymorphic.

Multiple Evasive Techniques

Polymorphism is just one of the many methods hackers use to disguise their attacks. Researchers say that nearly all new malware instances use at least one evasive tactic — with up to a third considered “hyper-evasive” threats using multiple techniques. Common tactics include:

  • Code injection. With this technique, hackers camouflage malware by injecting malicious code into legitimate software. Code injection is often used to exploit input validation errors commonly found in web applications.
  • Code obfuscation / morphing. Hackers can make code virtually unreadable by using an algorithm to hide character strings, including registry keys and infected URLs. The characters are then decoded when the code is executed.
  • File binding. File-binding software joins multiple files into a single executable. Although it has legitimate purposes, hackers use it to insert malicious programs into otherwise harmless files. This technique doesn’t usually arouse suspicion because the original file remains unmodified.
  • Macro viruses. A macro is a series of commands or instructions embedded in software to automate some tasks. Hackers can replace legitimate macros with viruses that are launched when the file is opened. Macro viruses are often used to disguise downloaders that install malware for harvesting credentials.
  • Malicious cryptography. Encryption is designed to keep data private. Hackers exploit the technology, using stolen or forged SSL certificates to encrypt malware and evade detection by firewalls and intrusion detection systems. Analysts say about half of all malware worldwide is now encrypted.
  • Stegosploit. This is the malicious use of steganography to conceal malware within an image file. It is virtually undetectable by antivirus because it would require scanning every byte within a digital image, which would be an incredibly compute-intensive task.
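To make the polymorphism and string-obfuscation points above concrete, here is an added example in Python (not code from the article or from the research it cites): two constructed script variants hide the same URL and registry key as base64 text, their hashes differ so an exact signature that matches one misses the other, while decoding the hidden strings recovers identical indicators from both. The indicator values, variable names and regexes are constructed for the demonstration.

```python
import base64
import hashlib
import re
import string

# Constructed indicators a script might hide (not taken from the article).
HIDDEN_STRINGS = [
    "https://example.invalid/stage2",
    "HKCU\\Software\\ConstructedDemo\\Run",
]


def make_variant(label: str) -> bytes:
    """Build a constructed 'script' that stores HIDDEN_STRINGS base64-encoded.

    Only variable names and a comment differ between variants, mimicking a
    sample whose surface bytes mutate while the decoded strings stay constant.
    """
    lines = [f"# build {label}"]
    for i, s in enumerate(HIDDEN_STRINGS):
        encoded = base64.b64encode(s.encode()).decode()
        lines.append(f'{label}_v{i} = "{encoded}"')
    return "\n".join(lines).encode()


def signature(blob: bytes) -> str:
    """Exact-match signature, as a pattern-matching tool would compute it."""
    return hashlib.sha256(blob).hexdigest()


B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")       # base64-looking runs
INDICATOR = re.compile(r"https?://[^\s\"']+|HK(?:LM|CU)\\[^\s\"']+")
PRINTABLE = set(string.printable.encode())


def decode_hidden_strings(blob: bytes) -> list[str]:
    """Decode every base64-looking run that yields printable text."""
    found = []
    for m in B64_RUN.finditer(blob.decode(errors="ignore")):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if raw and all(b in PRINTABLE for b in raw):
            found.append(raw.decode())
    return found


def extract_indicators(blob: bytes) -> set[str]:
    """URLs and registry keys visible only after decoding; hashing never sees them."""
    found: set[str] = set()
    for text in decode_hidden_strings(blob):
        found.update(INDICATOR.findall(text))
    return found
```

Running `extract_indicators` over a corpus of variants groups them by what they do rather than by what they look like, which is the shift away from signature-only detection the article argues for.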

Fighting Back

Sandbox analysis remains a useful defense against evasive malware. Suspicious files are uploaded to an isolated virtual machine or a cloud-based sandbox that emulates a physical endpoint with a full-featured operating system. There, the file is executed to see how it behaves and to identify its unique characteristics.

Network segmentation is another good defensive measure. By breaking the network up into smaller, isolated parts, segmentation can prevent a malware infection from spreading throughout the network.

Extended detection and response (XDR) solutions can dramatically improve the detection of evasive threats. XDR solutions use advanced automation and analytics capabilities to continuously collect, correlate and analyze data from multiple network devices and sensors to identify suspicious characteristics that might indicate malicious activity. Over time, machine learning algorithms help build the threat intelligence necessary to actively hunt for threats and disrupt them in advance of an attack.

Evasive malware now accounts for more than three-quarters of cyber threats. Organizations can no longer rely on signature-based detection alone. They need advanced solutions to protect their IT environments against these stealth attacks.
