End of the year is a great opportunity to reflect upon the key trends that have shaped 2017 and set the direction for the upcoming year. Minerva Labs undertook extensive research into malware trends that dominated in 2017. Here is our list of endpoint security and malware concerns to pay special attention to going forward.

2017 will go down in history as the year of massive ransomware outbreaks, NSA state-grade exploit leaks, and an extraordinary number of cybersecurity meltdowns, including the Equifax and Yahoo disasters. With worldwide NotPetya, WannaCry, and Spora infections, 2017 proved that threat actors still manage to stay ahead of even the largest organizations.

Despite the progress we see in endpoint security solutions and the deployment of multi-layered security approaches, adversaries still successfully get around existing defenses by utilizing sophisticated exploits and anti-malware evasion techniques.

Our research confirms that the malware families prevalent in 2017, including popular exploit kits and ransomware, employed at least one evasion technique to penetrate defenses. Malware will continue to evolve and adversaries will keep developing new evasion techniques, partly in response to the ongoing improvements in endpoint security.

2017 was the year that threat actors increasingly turned to evasive malware in order to facilitate malicious gains. With the right approach that focuses on defensive layers that fill in the gaps rather than overlap with existing solutions, 2018 can be the year that the enterprise hits back. Let’s take a look at four trends that clearly stood out in 2017 and are likely to dominate 2018.

1. Commoditization of NSA Exploit Leaks

It is clear that the use of powerful techniques to bypass enterprise defenses are no longer limited to advanced adversaries. The NSA hacking tools leaked by Shadow Brokers made it possible to rapidly distribute malicious software and target enterprise grade defenses even without having an in-depth understanding of exploit development. Since the release, there was a spike in commodity malware utilizing ETERNALBLUE/DOUBLEPULSAR and ETERNALROMANCE, including well-publicized ransomware outbreaks such as WannaCry and NotPetya, as well as the lesser known Adylkuzz Cryptominer.

Similarly, techniques for crafting evasive malware that at some point were beyond the reach of all but the most sophisticated attackers, are becoming increasingly commoditized, with custom and open source tools made widely available on hacker forums and cyber-crime communities. In 2018, we expect to see even more commoditization of attack tactics, as threat actors are looking for new ways to increase their revenue streams.

2. The Rise of Evasive Malware

Evasive malware is one way for the attacker to get around security tools to infect endpoints. Minerva Labs has carried out extensive research into common forms of malware families that wrecked chaos across the globe in 2017, including popular exploit kits and ransomware, discovering that many malicious programs employ at least one evasion technique to bypass security measures.


  • Evasion in exploit kits which target vulnerabilities in client-side software, remained an effective attack vector in 2017. In fact, according to our research, exploit kits were among the most common ways of spreading ransomware this year. More than 60% of exploit kits employed evasive techniques to avoid detection, a trend that is likely to continue.
  • Of the entire attack chain, 99% of campaigns used evasion in either the exploit kit or payload phase.
  • Evasive ransomware campaigns spreading popular ransomware families including Locky, Spora, TeslaCrypt, Cryptomix, and JigSaw deployed at least one evasive tactic.

Sophisticated exploits and malware evasion techniques will continue to gain traction among cyber attackers, as sophisticated endpoint security products and technologies force them to find new ways to bypass enterprise defenses.

3. Malware Vaccination

Malware vaccination is one way to stop malware that attempts to bypass other security tools through evasion. Many malware types are designed to avoid infecting an endpoint more than once by leaving behind infection markers on the affected systems. A marker could be an artifact such as a specific registry key, a file, or a mutex object.

Malware vaccination works by generating infection markers on endpoints, so that corresponding malicious programs will not execute. While the concept of vaccination is not new, organizations will be paying more attention to it in 2018, due to the broader availability of tools that make it possible to effectively deploy vaccines at an enterprise scale.

Modern vaccination technologies allow to swiftly vaccinate extended endpoints against threats like Spora, Wannacry, NotPetya, and other malware infections yet to come. Banking Trojans like Retefe, which uses sophisticated evasion techniques to avoid detection, can be tackled with malware vaccination. Vaccination is not a silver bullet for preventing malware attacks, but it is definitely a must-have weapon in the security toolkit of 2018. Minerva Labs recently released Mystique, an open-source tool that extracts mutex-based infection markers for vaccination purposes.

4. The Cryptomining ‘Gold Rush’

As 2017 comes to an end, we begin to see a new tactic cyber-attackers use to monetize malware, known as “malicious cryptomining”, a technique that takes advantage of the ever increasing popularity of cryptocurrencies.

The mining of cryptocurrencies requires resources such as computing power and electricity, and with time has also become more computationally intensive. This is where malicious cryptomining comes into play.

Malicious cryptomining involves running cryptomining software on victims’ systems without their explicit permission. Sometimes such techniques utilize JavaScript code, running in the person’s browser. Sometimes cryptomining code is included in malicious software that runs on the victim’s system outside the browser. These malicious tools mine cryptocurrencies like Ethereum and Monero on behalf of the intruder on the endpoint, effectively hijacking the computer for the attackers’ gain. The affected endpoint significantly slows down, to the point where it often becomes unusable, at the same time consuming a significant amount of energy.

Malicious cryptomining is a rapidly evolving trend that is likely to grow in 2018, as threat actors look for new revenue paths. We also expect that these threat actors will begin incorporating evasion techniques into their creations, in order to bypass baseline anti-malware tools and support this new source of revenue for the criminals. In our end of the year report, we cover in detail a cryptocurrency mining campaign known as ‘WaterMiner’ which uses evasive techniques to avoid endpoint security tools.

To dive into the trends we noted this past year and what we predict will define 2018, download our research paper: 2017 Year in Review.