Many managed service providers (MSPs) have a solid security offering to protect their customers from ransomware, external attacks, viruses, and malware. But there’s a growing trend in the way malware works, where it utilizes specific actions to avoid being detected. It’s dangerous stuff, as these evasive methods are being adopted by ransomware, APTs, and external attacks.
So, what is Evasive Malware and how is it different?
Let’s start with a look at what a normal piece of malware does. In its most simplistic sense, malware starts with a dropper that executes, connects to a Command & Control server, downloads the malware payload, and lastly, launches that payload. The “problem” with this method (that is, a problem for the malware authors) is that MSPs’ antivirus (AV) engines have advanced from being signature-based to using detection engines based on heuristics and behavior—and now even include machine learning and AI. This means that most malware following the “conventional” pattern is going to be caught.
Evasive Malware is different. Unlike regular malware that simply runs and hopes for the best, Evasive Malware is more like a ninja—it hides in the shadows, constantly looking around to ensure it’s not seen until the moment of attack (and, even then, the attack is usually so silent, no one notices it).
Tactically speaking, Evasive Malware does a number things to avoid being caught; these include:
Before it does anything, Evasive Malware checks to see if it’s running in a virtual machine—this could indicate that it is in sandbox, where it’s behavior is being observed. It then goes on to look at whether AV or security tools are running (which are generally bad for malware), and for the presence of analysis tools (like Wireshark® or Process Explorer). Should the Evasive Malware detect any of these prior to running, it simply doesn’t run.
The thinking is to not have the Evasive Malware run in what it considers a hostile environment, and instead, to wait for another time when the environment is more “malware-friendly.” For example, if your customer has an Email Gateway in place that scans email, Evasive Malware won’t run in the gateway’s sandbox, in the hope that once it gets to the user’s Inbox, it will be relaunched and be able to run successfully.
Endpoint protection and next-gen AV solutions tend to focus on processes running. A new malware instance is a new process and is, therefore, subject to scrutiny. Instead, Evasive Malware uses OS-supported techniques to hollow out existing running processes and inject its own code into the memory location. The end result is your security solutions think it’s NOTEPAD.EXE running, but it’s actually malware.
The old-school method of infection was to attach a .exe file to an email. The new methodologies leverage document files (e.g., Word, Excel®, PDFs, etc.) that have some ability to execute. For example, I’ve seen an instance of malware where the dropper is a PDF that downloads a Word doc from a compromised website, that then in turn uses macro code to pull down the malware payload to infect the machine.
It sounds like a lot of work, but when you’re trying to avoid being detected, these additional steps are necessary.
Cybercriminal organizations are keenly aware of the value of your data and now function like software vendors—just like the good guys—and test their latest variants against current instances of security solutions in an attempt to stay one step ahead.
Your initial steps to combat Evasive Malware are to ensure AV and/or endpoint protection is on all machines and is ALWAYS up-to-date. Taking things a step further, solutions do exist specifically to address Evasive Malware; these work by telling the malware it’s always in a “hostile environment” so that it never runs. In addition, given that ransomware variants are now adopting some of these techniques, having backups becomes all that much more important as a precaution.
Nick Cavalancia has over 20 years of enterprise IT experience and is an accomplished executive, consultant, trainer, speaker, and columnist. He has authored, co-authored and contributed to over a dozen books on Windows®, Active Directory®, Exchange™ and other Microsoft technologies. Nick has also held executive positions at ScriptLogic®, SpectorSoft® and Netwrix® and now focuses on the evangelism of technology solutions.
Follow Nick on Twitter® at @nickcavalancia
Click here to find out how SolarWinds® Risk Intelligence can help you protect your business.
© 2017 SolarWinds MSP UK Ltd. All rights reserved.
Get the latest MSP tips, tricks, and ideas sent to your inbox each week.