You’re already keenly aware of the malware threat to your organization – this nasty vehicle by which ransomware, external attacks, and data breaches enter in has become so rampant, you have layers of security in place just to protect your organization against this one means of attack. So, you’ve likely got current or “next-gen” AV, email scanning, and other solutions in place, and yet, malware continues to find its way onto your endpoints, right?

But, even with multiple solutions all working together to detect and eliminate the threat of malware, the question needs to be “why is malware still getting in?” Is it the vendor of the solution you chose? The detection methods? The definitions? Or is it something not found at all by looking at your solutions, but instead at the malware itself?

Malware used to be about bragging rights by the author, but today it’s a software product created by organized crime businesses who seek to profit by either spawning the attacks themselves or by selling malware (or its components) as a service online on the dark web. So, just like any software company, you need to be manufacturing a product that works over time – that is, it needs to be successful in its ability to work as promised in an attack scenario.

Because of this, malware developers have turned over the last number of years to creating evasive malware – malware that, as part of its code, works to avoid detection by the very solutions you employ as part of your defense strategy.

From a 10K-foot view, evasive malware uses a number of techniques to avoid being detected:





Avoids Sandboxes – many AV and Email Gateway solutions use an isolated virtual environment in which to detonate attachments to monitor behavior. Evasive malware checks the environment and, if it believes it exists within a sandbox (by scanning the environment for files, registry keys, and processes), it remains dormant.





Avoids AV and Security Solutions – The lines between AV, “next-gen” AV, endpoint security, messaging gateways, and endpoint detection and response (EDR) blur a bit when you compare security vendors. But, in general, they are all using one or more methods (signature, heuristics, machine learning, AI, behavior, etc.) to identify malware. Evasive malware avoids these types of security solutions using the same scanning techniques as with sandboxes (and remaining dormant), as well as by using memory injection to obfuscate the presence of malware within a “normal” process, avoiding detection entirely.





The lines between AV, “next-gen” AV, endpoint security, messaging gateways, and endpoint detection and response (EDR) blur a bit when you compare security vendors. But, in general, they are all using one or more methods (signature, heuristics, machine learning, AI, behavior, etc.) to identify malware. Evasive malware avoids these types of security solutions using the same scanning techniques as with sandboxes (and remaining dormant), as well as by using memory injection to obfuscate the presence of malware within a “normal” process, avoiding detection entirely. Avoids Analysis Tools – Tools like Wireshark or Process Explorer are used to spot and examine malware, allowing the analyst to identify a signature, pattern, or behavior that can be used against further infection. By scanning the environment for the presence of these tools in memory, evasive malware can remain dormant and avoid detection.

There’s another piece of the evasion puzzle that should be noted that aids evasive malware from being detected. It’s the fact that the developers of malware are completely aware of the tools used to detect, analyze, and debug them. So, during development, malware can be tested on an isolated instance of any of the solutions available. While no malware developer has the time to test their code against every single security product on the market, the monetary reward found in a successful ransom or data breach can make it worthwhile to test against the major players to give their malware the upper hand.



You Can’t Catch What You Can’t See

In short, evasive malware is paranoid – it doesn’t want to be seen, found, noticed, or documented. So, by using techniques such as checking the environment, avoiding launch when in a hostile environment, and injecting code directly into memory, evasive malware avoids being detected. This makes it one of the most dangerous tactics used today.

Even with a layered approach using some of the solutions mentioned in this blog, because they are designed to detect malware simply coded to focus on infection, evasive malware has the added potential to slip by. What’s needed is an additional layer of protection designed specifically to address evasive malware. So, rather than catching this “invisible” form of malware, these solutions simply aim to neutralize evasive malware’s ability to run at all.

Learn more about why you need to update your Anti-Malware strategy by reading the whitepaper Evasive Malware: How and Why your Anti-Malware Strategy Needs to Evolve Beyond AV.

Want to hear more about Minerva Labs' Anti-Evasion Platform? Contact us for a demo!