To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. There is a cat-and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices. From process injection to sandbox evasion, attackers continue to innovate and seek new evasion techniques.
In this talk, we will look in depth at the most common evasion techniques as well as the most obscure ones, and understand the latest trends used by attackers. This presentation shows the evolution of these techniques and how to overcome them.
A Look at Most Common Evasion Techniques in Cyberattacks
The Endless Escalation of Malware Evasion
Thomas Roccia | Security Researcher | @fr0gger_
McAfee Advanced Threat Research
About the Presenter
Security Researcher - Advanced Threat Research
▪ What are Evasion Techniques?
▪ Business around Malware Protection
▪ Sandbox Evasion
▪ Process Injection
▪ Strings Obfuscation
▪ Feedback from the Battlefield
▪ Malware Evasion Techniques Classification
▪ Take Away
▪ Evasion techniques are on the rise.
▪ More than 90% of malware samples use at least one evasion trick.
▪ Even legit software uses evasion to protect intellectual property.
▪ Detection rate can be improved by knowing these techniques.
Evasion Techniques can be defined by:
(1) All the digital techniques used by a (mal||soft)ware to avoid static, dynamic, automatic or human analysis aimed at understanding its behavior.
(2) All the digital techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well as human detection, in order to perform malicious actions for as long as possible on the infected machines.
(3) Evasion techniques are classified as follows: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…),
Cybercriminals make money by selling evasion tools
Gandcrab “Crypt Competition”.
Partnership with NTCrypt Service.
▪ Malware abuses process manipulation to stay undetected. The Windows API allows a program to manipulate memory with a few tricks. Many techniques are discovered by researchers and then implemented into new
The example above shows a technique that internally modifies the normal execution of a process. In other cases, the malware replaces the full memory content with its own malicious payload.
Several techniques exist; the final purpose is to appear legitimate.
The Most Known – Process Hollowing
▪ Process hollowing is one of the most used process manipulation techniques by malware. The malware is disguised as a legitimate process.
▪ Process hollowing occurs when a process is created in a suspended state, then its memory is unmapped and replaced with malicious code.
▪ For example, a sample can create a notepad.exe process and inject its payload in the
• Malware creates a
• Malware destroys the
• A memory region is allocated and written
• Set the EAX register to the entry point of injected code
• Resume thread of
Process Hollowing in the Memory
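The sequence on this slide, turned into a detection example (added here; not code from the talk): a small Python correlator that flags a process whose API-call trace completes the hollowing stages in order. The trace line format and the sample trace are constructed for this example, and SetThreadContext stands for the "set EAX to the entry point" step.

```python
import re
from collections import defaultdict

# Ordered API sequence that characterises process hollowing, following the
# slide's steps: create suspended -> destroy image -> allocate and write ->
# redirect the entry point (thread context) -> resume the thread.
HOLLOWING_STAGES = [
    ("CreateProcess", lambda args: "CREATE_SUSPENDED" in args),
    ("NtUnmapViewOfSection", lambda args: True),
    ("VirtualAllocEx", lambda args: True),
    ("WriteProcessMemory", lambda args: True),
    ("SetThreadContext", lambda args: True),
    ("ResumeThread", lambda args: True),
]
# Trace line format assumed for this example: "<pid> <api>(<args>)"
LINE_RE = re.compile(r"^(?P<pid>\d+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

def detect_hollowing(trace_lines):
    """Return the set of pids whose calls complete every stage, in order."""
    progress = defaultdict(int)  # pid -> index of the next expected stage
    flagged = set()
    for line in trace_lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("pid") in flagged:
            continue  # unparseable line, or sequence already completed
        pid, api, args = m.group("pid"), m.group("api"), m.group("args")
        name, check = HOLLOWING_STAGES[progress[pid]]
        if api == name and check(args):  # unrelated calls in between are ignored
            progress[pid] += 1
            if progress[pid] == len(HOLLOWING_STAGES):
                flagged.add(pid)
    return flagged

# Constructed sample trace: pid 100 performs the full hollowing sequence,
# pid 200 is a benign launcher that only creates and resumes a process.
SAMPLE_TRACE = [
    '100 CreateProcess("C:\\Windows\\notepad.exe", CREATE_SUSPENDED)',
    "100 NtUnmapViewOfSection(hProcess, 0x00400000)",
    "100 VirtualAllocEx(hProcess, 0x00400000, 0x6000, PAGE_EXECUTE_READWRITE)",
    "100 WriteProcessMemory(hProcess, 0x00400000, payload, 0x6000)",
    "100 SetThreadContext(hThread, ctx)",
    "100 ResumeThread(hThread)",
    '200 CreateProcess("C:\\Windows\\notepad.exe", CREATE_SUSPENDED)',
    "200 ResumeThread(hThread)",
]

if __name__ == "__main__":
    print(detect_hollowing(SAMPLE_TRACE))  # {'100'}
```

Real sandbox or EDR traces will interleave many other calls; the correlator tolerates that but does require the stages in the order the slide gives.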
▪ This technique leverages the Transactional NTFS functionality in Windows. This functionality helps maintain data integrity during an unexpected error.
▪ Process Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction, then committed to the legitimate file, then executed.
▪ Process Reimaging was discovered by McAfee researcher Eoin Carroll.
▪ It allows an adversary to persist a malicious process by hiding the physical location of an
▪ Windows OS has inconsistencies in how it determines process image FILE_OBJECT
• The file is opened to be able to be mapped into
• The file is mapped into
• The file handle is closed, leaving a kernel object which is used for
• The file is loaded
• The file is closed
Multiple Process Manipulation used by Attackers
Reflective DLL injection
Suspend inject and resume
Injection via registry modification
Extra window memory injection
Injection using shims
▪ Threat actors are implementing Process Manipulation techniques
▪ Malware authors know that analysts take a look at the strings.
▪ To avoid quick analysis, they use obfuscation to hide data in a binary.
▪ Common Strings Obfuscation:
▪ Pre-computed checksum value: compare with a dynamically calculated value to avoid having the strings in the original binary.
▪ Stack Strings: strings constructed on the stack.
▪ Encrypted Strings: use an encryption algorithm.
Pre-computed Checksum Values
▪ Find the source of potential string values, then compute the checksum for comparison.
▪ Commonly used to build an import table
▪ Use the Process Environment Block (PEB) to find DLL
▪ Walk the export names, calculating and comparing values for each export.
▪ Data for a string is constructed on the stack when needed
▪ Data is usually positioned using MOV instructions
▪ Once the string is on the stack, the top of the stack is a pointer to the string.
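The analyst-side counterpart to the stack-string trick, as an added example (not part of the talk): recovering the strings from the MOV immediates. Intel-syntax, ebp-relative disassembly lines are assumed, and the sample listing is constructed.

```python
import re

# MOV-immediate forms commonly used to build stack strings; Intel-syntax
# disassembly with ebp-relative frame offsets is assumed for this example.
MOV_RE = re.compile(
    r"mov\s+(?P<size>byte|word|dword)\s+ptr\s+\[ebp-(?P<off>0x[0-9a-fA-F]+)\],"
    r"\s*(?P<imm>0x[0-9a-fA-F]+)"
)
SIZES = {"byte": 1, "word": 2, "dword": 4}

def recover_stack_strings(disasm_lines):
    """Reassemble stack-built strings from a run of MOV-immediate writes.

    Each immediate is placed at its frame offset (little-endian), the frame is
    read from the lowest address upward, and printable runs of 3+ chars between
    NUL bytes are returned in address order.
    """
    frame = {}  # offset relative to ebp (negative) -> byte value
    for line in disasm_lines:
        m = MOV_RE.search(line)
        if not m:
            continue  # not a stack write: push, call, etc.
        size = SIZES[m.group("size")]
        base = -int(m.group("off"), 16)
        for i, b in enumerate(int(m.group("imm"), 16).to_bytes(size, "little")):
            frame[base + i] = b
    if not frame:
        return []
    lo, hi = min(frame), max(frame)
    buf = bytes(frame.get(a, 0) for a in range(lo, hi + 1))  # gaps read as NUL
    return [chunk.decode("ascii") for chunk in buf.split(b"\x00")
            if len(chunk) >= 3 and all(0x20 <= c < 0x7F for c in chunk)]

# Constructed disassembly: "LoadLibraryA" and "kernel32.dll" built on the stack
# one dword at a time, with an unrelated push/call in between.
SAMPLE_DISASM = [
    "00401000  mov dword ptr [ebp-0x20], 0x64616F4C",  # "Load"
    "00401007  mov dword ptr [ebp-0x1C], 0x7262694C",  # "Libr"
    "0040100E  mov dword ptr [ebp-0x18], 0x41797261",  # "aryA"
    "00401015  mov byte ptr [ebp-0x14], 0x00",         # terminator
    "00401019  push eax",
    "0040101A  call sub_401100",
    "0040101F  mov dword ptr [ebp-0x10], 0x6E72656B",  # "kern"
    "00401026  mov dword ptr [ebp-0x0C], 0x32336C65",  # "el32"
    "0040102D  mov dword ptr [ebp-0x08], 0x6C6C642E",  # ".dll"
    "00401034  mov byte ptr [ebp-0x04], 0x00",         # terminator
]

if __name__ == "__main__":
    print(recover_stack_strings(SAMPLE_DISASM))  # ['LoadLibraryA', 'kernel32.dll']
```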
Funny Strings in Malware
▪ Sometimes malware developers leave messages for analysts.
▪ Maze ransomware has been one of the most active ransomware families over the past year.
▪ The business model is well organized.
▪ Maze uses several evasion techniques and tricks to avoid detection but also to harden
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ by Alexandre Mundo Alguacil
▪ If a debugger is detected, Maze will continue in an infinite loop.
▪ Detecting processes using a custom hash
▪ If one of the blacklisted processes is detected, the malware will terminate it using the API TerminateProcess, called dynamically.
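An added example (not from the talk or from McAfee) that covers both the pre-computed checksum import trick described earlier and Maze's hashed process blacklist: an analyst-side resolver that precomputes checksums for known export and process names and looks up the constants lifted from a binary. The slides do not name the hash algorithms, so a ROR-13 additive hash and CRC32 are used here as stand-ins, and the candidate list is constructed.

```python
import zlib

def ror32(value, count):
    """Rotate a 32-bit value right by count bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & 0xFFFFFFFF

def ror13_add(name):
    """ROR-13 additive hash over the ASCII bytes of name (stand-in algorithm)."""
    h = 0
    for c in name.encode("ascii"):
        h = (ror32(h, 13) + c) & 0xFFFFFFFF
    return h

def crc32_hash(name):
    """CRC32 of the ASCII name, a second common choice for hashed lookups."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF

# Candidate algorithms, tried in this order when resolving a constant
ALGORITHMS = {"ror13_add": ror13_add, "crc32": crc32_hash}

def build_lookup(candidates):
    """Map (algorithm, checksum) -> name for every known export or process name."""
    return {(algo, fn(name)): name
            for algo, fn in ALGORITHMS.items() for name in candidates}

def resolve(checksums, table):
    """Resolve each constant to (name, algorithm), or None when nothing matches."""
    results = {}
    for value in checksums:
        results[value] = next(((table[(a, value)], a) for a in ALGORITHMS
                               if (a, value) in table), None)
    return results

# Constructed candidate list: a few Windows export names plus analysis-tool
# process names of the kind a sample might blacklist.
CANDIDATES = ["LoadLibraryA", "GetProcAddress", "TerminateProcess", "VirtualAlloc",
              "taskmgr.exe", "procmon.exe", "x64dbg.exe"]

if __name__ == "__main__":
    table = build_lookup(CANDIDATES)
    # In practice these constants are lifted from the binary; generated here for the demo
    unknown = [ror13_add("TerminateProcess"), crc32_hash("procmon.exe"), 0xDEADBEEF]
    for value, hit in resolve(unknown, table).items():
        print(f"0x{value:08X} -> {hit}")
```

Feeding the resolver the full export lists of the common system DLLs and a list of known tool process names turns an opaque table of constants into readable imports and blacklist entries.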
Evasion Techniques Classification
▪ Malware authors are commonly using evasion techniques.
▪ They watch for new research and implement it.
▪ Knowing the techniques will improve analysis and detection.
▪ Using these techniques may allow you to track specific actors.