At this point in our industry's history, pretty much every IT professional is well aware of the need for a security strategy that not only protects against current threats but is also future-proof: IT organizations just like yours are looking to ensure they are ready when the "next big thing" in attack methodologies hits.
Security vendors seeking to stop malware have made real advances over the years: the shift from purely signature-based detection, to machine learning, to leveraging the cloud to push up-to-the-minute updates to many endpoints about malware found anywhere in the wild. All of these advances have improved the security posture of organizations, but cyber-criminal organizations have made advances of their own.
In 2017, the industry saw an increase in the number of malware variants using at least one evasive technique. These techniques focus on ensuring the malware itself evades detection, allowing it either to infect the machine or to lie dormant, waiting for another opportunity to infect. In our 2017 Malware Year in Review Report, Minerva Labs analyzed the exploit kit and payload combinations seen in the wild and found that 86% of the exploit kits and 85% of the payloads employed evasive techniques.
Those percentages are nothing to simply pass over, assuming your endpoint or email AV solution is going to stop them; these techniques are specifically designed around the weaknesses of antivirus solutions. That means the bad guys know what the good guys are doing to spot malware, and are coming up with new ways to ensure infection without being detected.
Evading Detection, By the Numbers
If you’re not familiar with evasive malware techniques, they can be simplified down to three high-level methodologies we saw in 2017:
- Memory Injection: sometimes called "fileless" malware, this attack technique places malicious code directly into memory, so that the malicious logic runs inside otherwise legitimate applications and the presence of malware is obscured. In our end-of-year research report, we saw this technique used 48% of the time.
- Malicious Document Files: the ability to execute commands through PDFs, Word documents, and more. Attackers leverage these file types because in many cases organizations allow them to be opened and let their embedded code run without issue, thereby getting past detection solutions. We saw this technique used 28% of the time.
- Environment Testing: the bad guys know how the good guys perform behavior-based tests (e.g. a "sandbox" in which a suspicious file, such as a PDF attachment, is opened to see whether it attempts to perform malicious actions). So malware often queries its environment and, if it identifies a threat (such as a sandbox or the presence of security tools), remains dormant to avoid detection. We saw this technique used 24% of the time.
Responding to the Growth
Antivirus is somewhere around three decades old, and yet it remains at the center of your endpoint protection strategy. Despite the improvements made to it over the years in terms of detection methods, speed of updates, inclusion of AI, and even the cloud-sourcing of updates that learn from endpoints literally anywhere in the world, antivirus is still a reactive, detection-focused means of protection.
In 2017 we saw evasive malware techniques become a mainstream part of malware attacks, making detection anywhere from difficult to impossible. With the vast majority of malware now employing evasive techniques, it's time to realize that your security strategy is no longer future-proof.
Antivirus has an important role to play in safeguarding the endpoint. However, it is critical to augment it with a solution specifically designed to keep evasive malware from getting around baseline AV protection. Minerva Labs accomplishes this by controlling how the malware perceives its environment, rendering it ineffective if a program exhibits evasive characteristics. For instance, our technology lies to malware, telling it there is no way to unpack its malicious code; denies it access to PowerShell to stop macro-based attacks; or simulates the presence of security tools on every endpoint so that the malware terminates itself out of self-preservation. By adding this layer to your existing endpoint security strategy, you close the gap left by traditional antivirus solutions.
For more information on the use of evasive malware in 2017 and to learn about what to expect in 2018, read our 2017 Malware End of the Year Report.