
Evasive Malware Now a Commodity

I’ve been deconstructing malware for over 20 years, and it turns out I’ve chosen a profession where it’s hard to feel in a rut — so much of what is happening with malware continues to feel dramatic and new to me. There’s always the latest malware inventiveness – “fileless” malware and cryptocurrency mining bots leap to mind at the moment – but more on my mind this week is the rise of the malware marketplace and the continued increase in “hyper-evasive” malware across the board.  

Total annual malware volumes are up 7x globally over the last five years according to data from AV-Test.org, which means internet users and businesses are witnessing a rising flood of maliciousness in their email and web interactions. My principal observation today is that this is being matched by an increase in the number of techniques, on average, incorporated into malware to evade traditional detection systems by hiding both the distribution source and the malicious intent of the code.

One-third of Malware is “Hyper-Evasive”

Just how evasive is malware today? To get at this systematically, my team just concluded a study of malware sent to our cloud sandbox array during the first quarter of this year. Such malware has passed through several prior stages of automated analysis, and has still not been definitively categorized as benign or malicious. We discovered that over 98 percent of malware making it to the sandbox array uses at least one evasive tactic, and that 32 percent of malware samples making it to this stage were what we could classify as “hyper-evasive,” layering on six or more detection evasion techniques.

Some malware has historically used several times that number. Cerber ransomware, for example, is extremely “sandbox aware” and runs 28 processes to check whether it is really running in a target environment, refusing to detonate if it finds debuggers installed to detect malware, the presence of virtual machines (a basic “tell” for traditional sandboxes), or loaded modules, file paths, etc., known to be used by different traditional sandboxing vendors.

Malware That Fools a Single Sandbox

Another key statistic that came out of our research is that 27 percent of the malware caught in our sandbox array evades detection when subjected to analysis by a single sandbox. Such malware’s true nature is discovered only after executing it in two or more different sandboxing environments, changing variables such as the OS or the browser, or even switching to a “sandbox-less” physical machine. Besides the use of multiple evasive tactics, other defining characteristics of such hyper-evasive malware include the fact that it originates from “unknown” sources or from code lodged in compromised, trusted sites, and the fact that it rarely contains obviously suspicious code.
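The two classifications above (six or more techniques = “hyper-evasive”; a sample that one environment calls benign and another calls malicious = evaded a single sandbox) can be applied mechanically to sandbox-array output. The following is an added example, not the author’s or any vendor’s code; the per-sample records, environment names and technique labels are constructed for illustration.

```python
"""Aggregate multi-sandbox results using the column's two thresholds."""
from collections import Counter

HYPER_EVASIVE_THRESHOLD = 6  # "six or more detection evasion techniques"

# Constructed sample data (not real detonation output):
# sample_id -> observed evasion technique labels and per-environment verdicts.
SAMPLES = {
    "s1": {"techniques": {"vm_check", "debugger_check", "sleep_delay",
                          "vendor_path_check", "loaded_module_check",
                          "junk_code", "extension_spoof"},
           "verdicts": {"win10_chrome": "benign", "win7_ie": "malicious",
                        "bare_metal": "malicious"}},
    "s2": {"techniques": {"sleep_delay"},
           "verdicts": {"win10_chrome": "malicious", "win7_ie": "malicious"}},
    "s3": {"techniques": set(),
           "verdicts": {"win10_chrome": "benign", "bare_metal": "benign"}},
    "s4": {"techniques": {"vm_check", "sleep_delay"},
           "verdicts": {"win10_chrome": "benign", "bare_metal": "malicious"}},
}

def is_hyper_evasive(record):
    """Six or more distinct evasion techniques observed on the sample."""
    return len(record["techniques"]) >= HYPER_EVASIVE_THRESHOLD

def evades_single_sandbox(record):
    """True when environments disagree: some saw benign, others malicious."""
    verdicts = set(record["verdicts"].values())
    return {"benign", "malicious"} <= verdicts

def consensus_verdict(record):
    """Defender-side rule: a malicious verdict in any environment wins."""
    return "malicious" if "malicious" in record["verdicts"].values() else "benign"

def summarize(samples):
    """Percent of samples in each category, rounded to one decimal."""
    n = len(samples)
    stats = Counter()
    for rec in samples.values():
        stats["any_evasion"] += bool(rec["techniques"])
        stats["hyper_evasive"] += is_hyper_evasive(rec)
        stats["single_sandbox_evaders"] += evades_single_sandbox(rec)
        stats["malicious"] += consensus_verdict(rec) == "malicious"
    return {k: round(100.0 * v / n, 1) for k, v in stats.items()}

if __name__ == "__main__":
    for category, pct in summarize(SAMPLES).items():
        print(f"{category}: {pct}%")
```

Note that s1 would have been released as benign by the win10_chrome environment alone; only the second and third environments expose it, which is exactly the single-sandbox blind spot the study measured.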

Malware Service Industry Will Drive Growth

The rise of the malware service industry (I’ll resist calling it the more fashionable “MaaS”) is a factor in this increasing average level of sophistication and contributes to increasing volumes as well. It has lowered the barriers to entry for would-be hackers over the past couple of years, a trend I see accelerating in the future.

We are witnessing the growth of a malware marketplace where any person with bad intentions and a few cryptonickels to rub together can click through user-friendly, do-it-yourself sites on the dark web and quickly build and download a customized ransomware package, as one example. Other sites specialize in incorporating obfuscation techniques for any software you may have developed or acquired elsewhere. One I’m looking at right now has boxes I can check to include up to 27 different evasion techniques, providing options such as delayed execution, extension spoofers, fake junk code, and the choice of nine different encryption algorithms. 

There was a time when sophisticated evasion required you to be a talented (albeit misguided) programmer with networking chops – now you can pull together everything needed in an afternoon without any specialized technical knowledge. I believe this easing of entry into the “business” will also contribute to more micro-targeting in the distribution of attacks, as the low cost and ease of development of malware means an adequate return might be had by attacking smaller and smaller groups.

Application sandboxing began to develop during the 1990s as a key response to polymorphic malware. Twenty years later, the mouse has evolved, and we need to leap ahead to a better mousetrap, out-automating the malware marketplace.
