Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Endless Escalation of Malware Evasion Techniques - HEK.SI Slovenia

Thomas Roccia
April 08, 2020

The Endless Escalation of Malware Evasion Techniques - HEK.SI Slovenia

To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. Malware evasion techniques are widely used to circumvent detection as well as analysis and understanding. There is a cat and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices. From process injection to sandbox evasion, attackers continue to innovate and seek new evasion techniques.

In this talk, we will deepen the most common evasion techniques through the most obscure and understand the latest trends used by attackers. This presentation will present the evolution of these techniques and show how to overcome them.

Thomas Roccia

April 08, 2020


  1. A Look at Most Common Evasion Techniques in Cyberattacks The

    Endless Escalation of Malware Evasion Techniques Thomas Roccia | Security Researcher | @fr0gger_ McAfee Advanced Threat Research
  2. About the Presenter Thomas Roccia Security Researcher - Advanced Threat

    Research https://securingtomorrow.mcafee.com/author/thomas-roccia/ @fr0gger_
  3. Agenda ▪ Introduction ▪ What are Evasion Techniques? ▪ Business

    around Malware Protection ▪ Sandbox Evasion ▪ Process Injection ▪ Strings Obfuscation ▪ Feedback from the Battlefield ▪ Malware Evasion Techniques Classification ▪ Take Away
  4. Introduction ▪ Evasion techniques are on the rise. ▪ More

    than 90% of malware are using at least one evasion tricks. ▪ Even legit software uses evasion to protect intellectual property. ▪ Detection rate can be improved by knowing these techniques.
  5. Evasion Techniques can be defined by: (1)All the digital techniques

    used by a (mal||soft)ware to avoid, static, dynamic, automatic, human analysis in order to understand its behavior. (2)All the digital techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well human detection to perform malicious action the longer on the infected machines. (3)Evasion techniques are classified as follow: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Anti-Forensic, Anti-MachineLearning.
  6. Cybercriminals make money by selling evasion tools

  7. Underground Partnership Gandcrab “Crypt Competition”. Partnership with NTCrypt Service. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rapidly-evolving-

  8. Sandbox Evasion https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

  9. Process Manipulation ▪ Malware abuse of process manipulation to stay

    undetected. Windows API allows program to manipulate memory with some trick. Many techniques are discovered by researchers and then implemented into new malware The above example shows a technique that modify internally the normal process execution. In some other cases, the malware can replace the full memory content with its own malicious payload. Several techniques exists, the final purpose is to appear legit.
  10. The Most Known – Process Hollowing ▪ Process hollowing is

    one of the most used process manipulation techniques by malware. The malware will be disguise as a legitimate process. ▪ Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. ▪ For example, a sample can create a notepad.exe process and inject its payload in the memory space. CreateProcess() • Malware create a suspended process ZWUnmapViewOfSection() • Malware destroys the process path VirtualAllocEx() WriteProcessMemory() • A memory region is allocated and written SetThreadContext() • Set the EAX register to the entry point of injected code CreateRemoteThread() • Resume thread of suspended process
  11. Process Hollowing in the Memory

  12. Process DoppelGanging ▪ This technique leverages the Transactional NTFS functionality

    in Windows. This functionality helps maintain data integrity during an unexpected error. ▪ Process Doppelgänging abuses this functionality to overwrite a legitimate file with a malicious file, resulting in a process injection. The malicious file will be created inside a transaction then committed to the legitimate file, then executed.
  13. Process Reimaging ▪ Process Reimaging have been discovered by McAfee’s

    Researcher Eoin Caroll. ▪ It allows an adversary to persist a malicious process by hiding the physical location of an exe. ▪ Windows OS has inconsistencies in how it determines process image FILE_OBJECT locations. FileCreate() • The file is opened to be able to be mapped into memory. Section Create • The file is mapped into the memory Cleanup • The file handle is closed, leaving a kernel object which is used for PAGING_IO. ImageLoad • The file is loaded CloseFile • The file is closed https://www.mcafee.com/blogs/other-blogs/mcafee-labs/in-ntdll-i-trust-process-reimaging-and-endpoint-security-solution-bypass/
  14. Multiple Process Manipulation used by Attackers Process Manipulation Process hollowing/RunPE

    Reflective DLL injection Suspend inject and resume Hook injection Injection via registry modification APC injection Atom bombing Extra window memory injection Injection using shims IAT Hooking PE Injection Process Doppelganging PROPagate Ctrl+Inject Fileless Process camouflage Process Reimaging ▪ Threat actors are implementing Process Manipulation techniques https://attack.mitre.org/techniques/T1055/
  15. Strings Obfuscation ▪ Malware authors know that analysts are taking

    a look to the strings. ▪ To avoid quick analysis, they use obfuscation to hide data in a binary. ▪ Common Strings Obfuscation: ▪ Pre-computed checksum value: Compare with dynamically calculated value to avoid strings in original binary. ▪ Stack Strings: Strings constructed on the stack ▪ Encrypted Strings: Use encryption algorithm.
  16. Pre-computed Checksum Values ▪ Find source of potential string values

    then computes the checksum for comparison. ▪ Commonly used to build an import table ▪ Use the Process Environment Block (PEB) to find DLL ▪ Walk export names, calculating and comparing values for each export.
  17. Stack Strings ▪ Data for a string is constructed on

    the stack when needed ▪ Data is usually positioned using MOV instructions ▪ Once strings is on the stack, the top of the stack is a pointer to the string.
  18. Funny Strings in Malware ▪ Sometimes malware developers are letting

    some messages for analysts J
  19. Maze Ransomware ▪ Maze ransomware is one of the most

    active ransomware since a year ago. ▪ The business model is well organized. ▪ Maze is using several evasion techniques and tricks to avoid detection but also to harden analysis. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/ by Alexandre Mundo Alguacil
  20. Maze Ransomware ▪ Anti-debugging ▪ If debugger is detected Maze

    will continue in an infinite loop.
  21. Maze Ransomware ▪ Detecting process using custom hash ▪ If

    one of the blacklisted process is detected the malware will terminate it using the API TerminateProcess called dynamically.
  22. Evasion Techniques Classification Unprotect Project

  23. Take Away ▪ Malware authors are commonly using evasion techniques.

    ▪ They watch for new research to implement it. ▪ Knowing the techniques will improve the analysis and the detection. ▪ Using that techniques may allow you to track for specific actors.
  24. Thank You! @fr0gger_