Malware authors frequently employ evasion methods to avoid detection, analysis, and understanding of their code. Because sandboxes are now the quickest and simplest way to get an overview of a threat, sandbox detection is one of the most common kinds of evasion.
Businesses often use such solutions to detonate suspicious files and URLs, collect further indicators of compromise, expand their defenses, and stop related malicious activity. Sandbox systems are a crucial component of an ecosystem in which security is viewed as a global process, so we must consider carefully how malware operates against them and how to stop it.
In the past, sandboxes have made it possible for researchers to quickly and correctly visualize the behavior of malware. As technology advanced over the past few years, malware writers began creating code that probes deeper into the system to identify a sandboxing environment. In this article, we look at the different techniques malware authors use for evasion.
Malware Evasion Techniques:
Knowing how crucial hashes and strings are for detecting and analyzing threats, malware programmers come up with ways to change these properties to cause confusion and evade detection. Obfuscation is the process of changing a malicious file’s hash (also known as its signature) or making its strings unintelligible using packers, encrypters, and encoders.
Initially, it was discovered that some malware strains employed timing-based evasion methods, also known as latent execution. These methods mostly consisted of postponing the execution of malicious code using well-known Windows APIs such as NtDelayExecution, CreateWaitableTimer, SetTimer, and others. These tactics remained widely used until sandboxes started identifying and mitigating them.
Another notorious way malware developers get around the sandboxing environment is to exploit the fact that automated analysis systems are never manually operated by a human. Traditional sandboxes are not built to simulate user behavior, so malware was programmed to spot the differences between automated and real systems. Initially, some malware families were found to watch for Windows user-interaction events and to hold their execution until those events were produced.
Malware also employs the method of “fingerprinting” the target environment to take advantage of sandbox misconfiguration. In the beginning, before sandboxes started to harden their design, tactics like the Red Pill technique were sufficient to discover the virtual environment. Later, malware developers adopted additional methods, including comparing the hostname to popular sandbox names or examining the registry to confirm the installed programs; a relatively small number of installed applications could point to a fake machine. Other methods have also been employed, including scanning the filename to see whether a hash or keyword (such as “malware”) is present, enumerating the running processes to look for potential monitoring tools, and inspecting the network address to look for blacklisted entities, such as AV companies.
Adversaries may use a number of techniques to find and avoid debuggers. Defenders frequently employ debugging tools to track and/or examine the execution of possible malware payloads. Debugger evasion may involve altering behavior according to the results of checks for artifacts that suggest a debugged environment. Similar to Virtualization/Sandbox Evasion, the adversary may modify their malware to disconnect from the victim or hide the implant’s primary functionality if they notice a debugger. In addition, they might look for debugger artifacts before dropping additional payloads.
Adversaries may abuse BITS jobs to persistently run or remove malicious payloads. The Component Object Model (COM) exposes the Windows Background Intelligent Transfer Service (BITS), a low-bandwidth, asynchronous file transfer mechanism. Updates, messengers, and other programs that prefer to run in the background (using free bandwidth) without interfering with other networked programs frequently use BITS. File transfer tasks are implemented as BITS jobs, each of which contains a queue of one or more file operations.
Pre-OS boot mechanisms may be abused by adversaries as a means of establishing persistence on a system. When a computer boots, firmware and several startup services are loaded before the operating system. These components manage the execution flow before the operating system assumes control. In order to remain on systems at a layer beneath the operating system, adversaries may replace data in boot drivers or firmware, such as the BIOS (Basic Input/Output System) and the Unified Extensible Firmware Interface (UEFI). As host software-based defenses cannot identify malware at this level, it can be very challenging to detect.
Mitigations for Malware Evasion Techniques:
- To avoid system integrity being compromised, use Trusted Platform Module technology and a secure or trusted boot process. Check the integrity of the current BIOS or EFI to find out whether it is susceptible to alteration.
- Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.
- Monitor for API calls (such as IsDebuggerPresent()) that may employ various means to detect and avoid debugged environments. Detecting actions related to debugger identification may be difficult depending on the adversary’s implementation and monitoring required.
- On Windows 10/11, enable Attack Surface Reduction (ASR) rules to prevent the execution of potentially obfuscated scripts.
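The timing, fingerprinting, and debugger-check behaviours described above, together with the mitigation advice to monitor calls such as IsDebuggerPresent(), can be turned into a simple sandbox-side detector. The following added example (not code from the original article) parses a constructed API trace, sums the requested delays, and flags the three evasion categories; the trace line format and the 60-second delay threshold are assumptions, while the API names are real Windows APIs.

```python
import re

# Constructed sandbox API trace (not from any real sample). The "key=value"
# line format is an assumption of this example, not any real sandbox's output.
TRACE = """\
api=GetComputerNameW lpBuffer="SANDBOX-PC"
api=IsDebuggerPresent ret=0
api=NtDelayExecution Alertable=0 DelayInterval=-1800000000
api=SetTimer uElapse=300000
api=CheckRemoteDebuggerPresent ret=0
api=EnumProcesses count=23
api=NtDelayExecution Alertable=0 DelayInterval=-600000000
api=CreateFileW lpFileName="C:\\Users\\user\\Desktop\\sample.exe"
"""

DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                 "NtQueryInformationProcess"}
FINGERPRINT_APIS = {"GetComputerNameW", "GetComputerNameA", "EnumProcesses",
                    "RegEnumKeyExW", "GetModuleFileNameW"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_call(line: str) -> dict:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def delay_seconds(call: dict) -> float:
    """Seconds of latent execution requested by one call, 0.0 if none."""
    api = call.get("api")
    if api == "NtDelayExecution":
        # A negative DelayInterval is a relative delay in 100-nanosecond units.
        interval = int(call.get("DelayInterval", "0"))
        return -interval / 10_000_000 if interval < 0 else 0.0
    if api == "SetTimer":
        return int(call.get("uElapse", "0")) / 1000      # milliseconds
    if api in ("Sleep", "SleepEx"):
        return int(call.get("dwMilliseconds", "0")) / 1000
    return 0.0

def analyze_trace(trace: str, delay_threshold_s: float = 60.0) -> dict:
    f = {"total_delay_s": 0.0, "debugger_checks": 0, "fingerprint_calls": [], "flags": []}
    for line in trace.splitlines():
        call = parse_call(line)
        f["total_delay_s"] += delay_seconds(call)
        if call.get("api") in DEBUGGER_APIS:
            f["debugger_checks"] += 1
        if call.get("api") in FINGERPRINT_APIS:
            f["fingerprint_calls"].append(call["api"])
    if f["total_delay_s"] >= delay_threshold_s:
        f["flags"].append("timing_evasion")
    if f["debugger_checks"]:
        f["flags"].append("debugger_check")
    if f["fingerprint_calls"]:
        f["flags"].append("environment_fingerprinting")
    return f
```

A sandbox that collects delay totals this way can also shorten long sleeps instead of honouring them, which is the mitigation the article alludes to when it says sandboxes began identifying these tactics.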
At HAWKEYE we use machine-learning-based anomaly detection and advanced novelty detection techniques to detect and block evasive malware. We have developed an ML model that learns the pattern of user behaviour, and any behaviour that deviates from the normal pattern raises an alert. To train our model we used the organization’s metadata, which reflects normal behaviour, and the ML model learns that pattern. This kind of learning is called unsupervised, since it is very hard to label the data as legitimate or illegitimate for supervised learning. In unsupervised learning, the model builds a mathematical representation of the relationships among the data features themselves. After continuous model training, we have been able to implement a successful model with very good accuracy.