Save 37% off PRO during our Black Friday Sale! »

Understand Malware Evasion Techniques - Black Hat Asia

9103dacbfc728d2a583981e7cf854cc4?s=47 Thomas Roccia
March 28, 2019

Understand Malware Evasion Techniques - Black Hat Asia

Technology advances have significantly changed our lives during the past decade. We rely on computers of various sorts for even the simplest of daily tasks and become stressed when they are not available or do not perform as we expect. The data that we create, use, and exchange has become the gold of the 21st century. Because our information is so valuable and often very personal, attempts to steal it have proliferated.

Malware was first developed as a challenge, but soon attackers recognized the value of stolen data and the cybercrime industry was born. Security companies soon formed to defend people and systems using antimalware technologies. In response, malware developers began experimenting with ways to evade security products. The first evasion techniques were simple because the antimalware products were simple. For example, changing a single bit in a malicious file was sometimes good enough to bypass the signature detection of a security product. Eventually, more complex mechanisms such as polymorphism or obfuscation arrived. Today’s malware is very aggressive and powerful. Malware is no longer developed just by isolated groups or teenagers who want to prove something. It is now developed by governments, criminal groups, and hacktivists, to spy on, steal, or destroy data.

To perform malicious actions, attackers create malware. However, they cannot achieve their goals unless their attempts remain undetected. There is a cat and-mouse game between security vendors and attackers, which includes attackers monitoring the operations of security technologies and practices.

The term evasion technique groups all the methods used by malware to avoid detection, analysis, and understanding.


Thomas Roccia

March 28, 2019


  1. Unprotect Project Unprotect Malware for the Mass Thomas ROCCIA |

    Security Researcher, Advanced Threat Research @fr0gger_
  2. Summary • Evasion Techniques Definition • Current State of Evasive

    Malware • Malware Evasion Technique Classification • Introducing Unprotect Project • Future Work / Call for improvement
  3. • Evasion techniques are on the rise • More than

    90% of malware are using at least one evasion tricks • Even legit software uses evasion to protect intellectual property • Detection rate can be improved by knowing these techniques About Evasion Tactics
  4. Evasion Techniques can be define by: (1)All the digital techniques

    used by a (mal||soft)ware to avoid, static, dynamic, automatic, human analysis in order to understand its behavior. (2)All the digtal techniques used by a malware to avoid (1) and to evade security solutions, security configuration as well human detection to perform malicious action the longer on the infected machines. (3)Evasion techniques are classified as follow: Anti-Sandboxing, Antivirus Evasion, Anti-Debugging, Anti-Monitoring, Packers, Anti-Disassembly, Process Injection, Network Evasion, Obfuscation (encoding, encryption…), Morphism, Anti-Forensic, Anti-MachineLearning.
  5. Evasion Techniques appears in most samples

  6. Cybercriminals make money by selling evasion tools

  7. Usecases

  8. Evasion Techniques Classification

  9. • Unprotect Project is an open platform dedicated to Malware

    Evasion Tactics and Techniques. • Previous version: • Wiki • CheatSheet • Tool to fake sandbox • New version: • Online platform to detect common Evasion Techniques during first assessment. • Evasion Techniques classification to allow malware researchers to better understand the different techniques. Introducing Unprotect Project
  10. • Unprotect Project: Previous Version

  11. • A tool to fake sandbox: • Fake registry keys

    of Vmware/VirtualBox/Qemu • Fake processes (VmwareTray.exe, VboxService.exe, wireshark.exe...) • Fake directories (Wine, Vmware Tools, VirtualBox Tools...) • Fake files (vmouse.sys, vboxhook.dll, VboxGuest.sys...) • Fake MAC address related to Vmware or VirtualBox Unprotect Project: Previous Version
  12. • Unprotect Project is composed of two main parts: Unprotect

    Project: New Release The online platform including the classification and the analysis engine A python tool for first malware assessment
  13. Description of the functionalities Unprotect PE Summary VT Report Exploit

    Mitigation Packer Detection Anti- Sandbox Anti- Debugging AV Evasion Anti- Disassembly Process Injection Obfuscation Additional Info
  14. • Provide global information about the analyzed PE. PE Summary

  15. • Provide global information about the VT report as well

    a link to it. • Provide information about Exploit Mitigation Flags VirusTotal Report / Exploit Mitigation
  16. • Provide information about potential packer and entropy Packer Detection

  17. • Provide information about potential packer and entropy Anti-Sandboxing •

    Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing • Provide information about potential packer and entropy Anti-Sandboxing
  18. • Provide information about anti-debugging tricks and API. Anti-Debugging

  19. • Detect anti-AV tricks used, as well embedded certificate. Anti-AV

  20. • Provide information about potential anti-disassembly tricks. Anti-Disassembly

  21. • Provide information about process injection tricks/API. Process Injection

  22. • Provide information about potential data obfuscation, and algoritms used.

  23. • Provide network information IP, URL. Network information

  24. • Provide additional information (resources, wallet address, user yara-rules). Additional

  25. • The online platform provide information about evasion techniques. Online

  26. • The standalone tool is used to assess malware directly

    from the CLI. Standalone Tool
  27. • Recode in Python 3 (in progress) • Deploy extra

    modules (Machine Learning in testing) • Improve server resources • Development of the MITRE ATT&CK Roadmap
  28. Thank You Thomas ROCCIA | Security Researcher, Advanced Threat Research