Unmasking Malware Evasion Techniques: A Deep Dive (2024)

Malware analysis

Cybercriminals constantly develop new ways to stay invisible to threat detection. With evasion techniques, they can hide malicious indicators from malware analysis and monitoring tools, both at the network layer and in host-based detection.

Evasion is a crucial stage in the malware lifecycle, and it can be achieved in many ways with many different techniques. This article does not cover all of them; it compiles some of the evasion strategies criminals use in the wild.

Environment awareness

When malware runs, it often first checks whether it is executing inside a sandbox or a virtual machine. The sample collects and inspects the system's configuration and terminates, or behaves benignly, if the environment does not look like a real victim's machine.

In short, the malware can be programmed to look for artifacts such as usernames or hostnames containing "virtualbox," "vmware" or "virtual," hypervisor-specific CPUID results, running sandbox and analysis processes, virtual hardware devices, hardware breakpoint registers set by a debugger, and analysis-related dynamic link libraries injected into the process.
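The following is an added example, written for this edit rather than taken from the article or from Check Point's repository, showing how such an environment check is typically structured: a set of indicator lists (the fragments, process names, DLL names and MAC vendor prefixes below are illustrative and assumed, not a complete catalogue), a fact-gathering step, and a decision. The Windows-specific parts (process, module and debug-register enumeration) are left empty in the portable collector, and the sample host facts in the test are constructed.

```python
import getpass
import platform
import socket
import uuid
from dataclasses import dataclass
from typing import List

# Illustrative indicator lists (assumption: real samples carry far longer ones).
SUSPICIOUS_NAME_FRAGMENTS = ("virtualbox", "vmware", "virtual", "sandbox", "cuckoo", "malware")
SUSPICIOUS_PROCESSES = {"vboxservice.exe", "vboxtray.exe", "vmtoolsd.exe", "vmwaretray.exe",
                        "procmon.exe", "wireshark.exe", "x64dbg.exe", "ollydbg.exe"}
SUSPICIOUS_DLLS = {"sbiedll.dll", "cmdvrt32.dll", "snxhk.dll"}   # Sandboxie, Comodo, Avast sandboxes
VM_MAC_PREFIXES = ("08:00:27", "00:05:69", "00:0c:29", "00:1c:14", "00:50:56")  # VirtualBox / VMware OUIs


@dataclass
class HostFacts:
    username: str
    hostname: str
    processes: List[str]            # image names of running processes
    loaded_dlls: List[str]          # modules loaded into our own process
    mac: str                        # primary NIC, "aa:bb:cc:dd:ee:ff"
    cpu_flags: List[str]            # CPUID feature flags
    hw_breakpoints_set: bool = False  # any of DR0..DR3 non-zero (debugger present)


def sandbox_indicators(facts: HostFacts) -> List[str]:
    """Return every artifact that suggests an analysis environment; empty means 'looks real'."""
    hits = []
    for label, value in (("username", facts.username), ("hostname", facts.hostname)):
        found = [f for f in SUSPICIOUS_NAME_FRAGMENTS if f in value.lower()]
        if found:
            hits.append(f"{label} contains {found}")
    for proc in facts.processes:
        if proc.lower() in SUSPICIOUS_PROCESSES:
            hits.append(f"analysis/VM process running: {proc}")
    for dll in facts.loaded_dlls:
        if dll.lower() in SUSPICIOUS_DLLS:
            hits.append(f"sandbox DLL injected into process: {dll}")
    if facts.mac.lower().startswith(VM_MAC_PREFIXES):
        hits.append(f"virtual NIC vendor prefix: {facts.mac[:8]}")
    if "hypervisor" in facts.cpu_flags:
        hits.append("CPUID reports a hypervisor")
    if facts.hw_breakpoints_set:
        hits.append("hardware breakpoint registers in use")
    return hits


def collect_local_facts() -> HostFacts:
    """Best-effort, portable collection on the current host. Process, DLL and
    debug-register enumeration need OS-specific APIs (CreateToolhelp32Snapshot,
    EnumProcessModules, GetThreadContext on Windows) and are left empty here."""
    try:
        user = getpass.getuser()
    except Exception:               # no passwd entry in minimal containers
        user = ""
    node = uuid.getnode()
    mac = ":".join(f"{(node >> (8 * i)) & 0xFF:02x}" for i in reversed(range(6)))
    flags: List[str] = []
    if platform.system() == "Linux":
        try:
            with open("/proc/cpuinfo") as cpuinfo:
                for line in cpuinfo:
                    if line.startswith("flags"):
                        flags = line.split(":", 1)[1].split()
                        break
        except OSError:
            pass
    return HostFacts(user, socket.gethostname(), [], [], mac, flags)


if __name__ == "__main__":
    for hit in sandbox_indicators(collect_local_facts()) or ["no indicators found"]:
        print(hit)
```

The practical caveat is that every one of these indicators is cheap for an analyst to defeat: rename the sandbox user and host, hide the VM processes, spoof the NIC vendor prefix, and the sample's decision flips. That is why analysts patch the checks or run samples on bare metal, and why samples stack many weak indicators rather than trusting one.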

Timing-based method

Timing-based approaches are very effective at bypassing sandbox analysis because a sample is usually observed only for a limited period. Several methods fall into this category:

  • Extended sleep: The malware sleeps for a long time, for example 10 minutes, so that the sandbox's observation window expires before the actual infection begins.
  • Logic bomb: The malware schedules its execution, for instance for a particular date and time, and stays dormant until then.
  • Stalling code: The malware burns CPU cycles on useless but hard-to-skip computation to delay the payload; if the sandbox times out first, the final infection is never observed.
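Sandboxes counter the sleep trick by patching sleep calls to return immediately or by fast-forwarding the clock, so samples in turn verify that the sleep really happened. The added example below (written for this edit, not code from the article or the Check Point repository) shows that verification with two independent clocks, and a stalling loop whose result is also the payload key, so that skipping the loop yields garbage. The hash chain and the payload bytes are constructed stand-ins.

```python
import hashlib
import time


def timed_sleep(seconds: float) -> dict:
    """Sleep, but measure the pause with two independent clocks."""
    wall0, mono0 = time.time(), time.monotonic()
    time.sleep(seconds)
    return {"requested": seconds,
            "wall": time.time() - wall0,
            "monotonic": time.monotonic() - mono0}


def sleep_was_tampered(m: dict, tolerance: float = 0.5) -> bool:
    """True when a sandbox patched the sleep to return early or fast-forwarded one clock.
    A real system never returns early, and its clocks agree to within milliseconds."""
    minimum = m["requested"] * (1 - tolerance)
    if m["wall"] < minimum or m["monotonic"] < minimum:
        return True
    return abs(m["wall"] - m["monotonic"]) > max(0.05, tolerance * m["requested"])


def stall(rounds: int) -> bytes:
    """CPU-bound delay. Each step depends on the previous digest, so the work
    cannot be skipped, parallelised or replaced by advancing a clock."""
    digest = b"seed"   # constructed starting value
    for _ in range(rounds):
        digest = hashlib.sha256(digest).digest()
    return digest


def unlock_payload(rounds: int, blob: bytes) -> bytes:
    """Tie the payload to the stall: the key is the chain's final digest, so a
    sandbox that short-circuits the loop gets garbage instead of the real payload."""
    key = stall(rounds)
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


if __name__ == "__main__":
    print("sleep tampered:", sleep_was_tampered(timed_sleep(2.0)))
    t0 = time.perf_counter()
    stall(200_000)
    print(f"stalled for {time.perf_counter() - t0:.2f}s of real CPU time")
```

From the analyst's side, the lesson is the mirror image: hooking a single sleep API is not enough, because the sample cross-checks it against another clock, and a stalling loop has to be detected by its shape (a tight loop with no side effects) rather than by any API call.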

User interaction

User interaction takes different forms, such as moving the mouse or clicking on something. Malware can check whether this kind of activity is happening in the environment it runs in, something a sandbox often fails to simulate convincingly.

Malware can be built to execute only after some scrolling, or when the user opens a folder. Conversely, inspecting mouse and keyboard input, the speed and coordinates of movements, and whether something is being opened and executed during a click, is a popular way of detecting whether a real human is present.

With this approach, criminals can gate every infection stage on genuine human activity and avoid detonating in automated environments that would only produce false positives for them.
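An added example (written for this edit, not from the article) of the speed-and-coordinates heuristic the section describes: given a trace of cursor samples, it derives per-segment speed and heading and calls the trace human only when speed varies and the path bends. Sandboxes that never move the cursor, or move it in a perfectly straight line at constant speed, fail the check. The three traces are constructed, and the thresholds are assumed values chosen for illustration.

```python
import math
from statistics import mean, pstdev
from typing import List, Tuple

Sample = Tuple[float, float, float]   # (timestamp_s, x, y)

# Constructed traces: a jittery human-like path, a scripted linear sweep, and a cursor that never moves.
HUMAN_TRACE: List[Sample] = [(0.00, 100, 100), (0.02, 103, 101), (0.05, 110, 103), (0.07, 120, 108),
                             (0.10, 128, 116), (0.12, 131, 121), (0.15, 133, 124), (0.17, 134, 125)]
SCRIPTED_TRACE: List[Sample] = [(0.01 * i, 100 + 5 * i, 100 + 5 * i) for i in range(8)]
STATIC_TRACE: List[Sample] = [(0.1 * i, 400, 300) for i in range(8)]


def segments(samples: List[Sample]) -> List[Tuple[float, float]]:
    """(speed in px/s, heading in degrees) for each consecutive pair of samples."""
    out = []
    for (t0, x0, y0), (t1, x1, y1) in zip(samples, samples[1:]):
        dt = t1 - t0
        if dt <= 0:
            continue
        dx, dy = x1 - x0, y1 - y0
        out.append((math.hypot(dx, dy) / dt, math.degrees(math.atan2(dy, dx))))
    return out


def movement_stats(samples: List[Sample]) -> dict:
    segs = segments(samples)
    if len(segs) < 3:
        return {"segments": len(segs), "speed_cv": 0.0, "heading_spread": 0.0}
    speeds = [s for s, _ in segs]
    headings = [h for _, h in segs]
    avg = mean(speeds)
    return {
        "segments": len(segs),
        # coefficient of variation: 0 for a constant-speed scripted move
        "speed_cv": pstdev(speeds) / avg if avg > 0 else 0.0,
        # naive spread (no wrap-around at +/-180), enough to separate a straight line from a curve
        "heading_spread": max(headings) - min(headings),
    }


def looks_human(samples: List[Sample], min_cv: float = 0.2, min_spread: float = 10.0) -> bool:
    """Assumed thresholds: real hands neither hold speed constant nor move in a perfect line."""
    st = movement_stats(samples)
    return st["segments"] >= 3 and st["speed_cv"] >= min_cv and st["heading_spread"] >= min_spread


if __name__ == "__main__":
    for name, trace in (("human", HUMAN_TRACE), ("scripted", SCRIPTED_TRACE), ("static", STATIC_TRACE)):
        print(f"{name:9s} {movement_stats(trace)} -> human={looks_human(trace)}")
```

Analysts answer this with recorded or randomised human input replayed into the sandbox; the heuristic above would pass a replayed trace, which is exactly why more elaborate samples also wait for a click on a specific element or for a document to be scrolled.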

Domain, IP identification and internet connection

Malware developers often use this method to identify target companies by their IP ranges and to check whether the target machine can reach the internet.

An internet connection while the threat is running is essential because it lets criminals download additional payloads and the malware configuration from the C2 server. If these checks fail, the malware does not load its configuration into memory at all, and a target machine does not guarantee a valid internet connection in advance. From a malware analyst's point of view this can be painful: the sample has to be given a convincing network environment before it reveals anything, which adds complexity and makes the threat more time-consuming to analyze.
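The following added example (written for this edit, not from the article) shows the two gates this section describes, an IP-range check and a connectivity check, plus the twist analysts run into: a sandbox that fakes the internet by answering every DNS query. Resolving random names under the reserved `.invalid` top-level domain exposes such a fake resolver, because a genuine one must return NXDOMAIN. The target ranges use documentation prefixes and the two resolvers are constructed stand-ins.

```python
import ipaddress
import secrets
import socket
from typing import Callable, Iterable

# Constructed "target" ranges; documentation (TEST-NET) prefixes, not a real company.
TARGET_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "198.51.100.0/25")]


def in_target_ranges(ip: str, ranges: Iterable[ipaddress.IPv4Network] = TARGET_RANGES) -> bool:
    """Geofence-style gate: only proceed when the host's public IP sits inside the victim's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def can_reach(host: str, port: int, timeout: float = 3.0) -> bool:
    """Plain TCP reachability, the cheapest 'is there an internet connection' probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def dns_looks_faked(resolve: Callable[[str], str] = socket.gethostbyname, probes: int = 3) -> bool:
    """Fake-DNS sandboxes answer every query so samples keep talking; a genuine resolver
    must fail for random names under the reserved '.invalid' TLD (RFC 2606)."""
    for _ in range(probes):
        bogus = f"{secrets.token_hex(8)}.invalid"
        try:
            resolve(bogus)
        except OSError:           # socket.gaierror is an OSError: NXDOMAIN, as expected
            return False
    return True                   # every non-existent name resolved: someone is faking DNS


# Constructed resolvers standing in for a sandbox and for a real network.
def sandbox_resolver(_name: str) -> str:
    return "10.0.0.1"             # fake-internet style: one address for everything


def honest_resolver(name: str) -> str:
    if name.endswith(".invalid"):
        raise socket.gaierror("NXDOMAIN")
    return "93.184.216.34"        # constructed answer for any other name


if __name__ == "__main__":
    print("internet reachable:", can_reach("1.1.1.1", 443))
    print("DNS looks faked   :", dns_looks_faked())
```

For an analyst this means the fake network has to be selective as well as present: answer the domains the sample actually needs, forward or refuse the rest, or the sample will notice that the world is too cooperative.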

Stegosploit

This technique hides malicious code within images. In short, a drive-by browser exploit can be delivered via what looks like a simple image file. Such payloads are effective because they are stealthy and hard to detect with signature-based tools.

You can find more details about this method here.
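To make the "code inside an image" idea concrete, here is an added example written for this edit (not the article's and not Stegosploit's own code) of the encoding step: a payload is spread over the least significant bit of each colour channel, where it is invisible to the eye and to any scanner that only inspects the file header. The image is a constructed in-memory pixel list rather than a real JPEG or PNG, and the payload is a harmless constructed string.

```python
from typing import List, Tuple

Pixel = Tuple[int, int, int]

# Constructed 64x64 RGB gradient standing in for the decoded pixels of a cover image.
COVER: List[Pixel] = [((x * 4) % 256, (y * 4) % 256, ((x + y) * 2) % 256)
                      for y in range(64) for x in range(64)]
# Constructed stand-in for the script an attacker would stash in the picture.
PAYLOAD = b"alert('decoded from pixel LSBs')"


def capacity_bytes(pixels: List[Pixel]) -> int:
    return (len(pixels) * 3) // 8 - 4        # one bit per channel, minus the length prefix


def embed(pixels: List[Pixel], payload: bytes) -> List[Pixel]:
    """Write a 4-byte length prefix plus the payload into the least significant bit of every channel."""
    if len(payload) > capacity_bytes(pixels):
        raise ValueError("image too small for payload")
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    flat = [c for px in pixels for c in px]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return [tuple(flat[j:j + 3]) for j in range(0, len(flat), 3)]


def extract(pixels: List[Pixel]) -> bytes:
    """The decoder side; Stegosploit performs this step in JavaScript over a canvas."""
    flat = [c for px in pixels for c in px]

    def read(n_bytes: int, bit_offset: int) -> bytes:
        out = bytearray()
        for k in range(n_bytes):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (flat[bit_offset + k * 8 + i] & 1)
            out.append(byte)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if length > capacity_bytes(pixels):
        raise ValueError("no valid payload header")   # a clean image decodes to noise
    return read(length, 32)


def max_channel_delta(a: List[Pixel], b: List[Pixel]) -> int:
    """How far any channel moved; LSB embedding changes each by at most 1 of 255."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    stego = embed(COVER, PAYLOAD)
    print("recovered:", extract(stego))
    print("largest channel change:", max_channel_delta(COVER, stego))
```

Two caveats follow from the code. First, the hidden bits survive only lossless storage; a lossy re-encode of the image destroys them, which is why such payloads are delivered in formats and paths that preserve the bytes exactly. Second, the pixels are inert on their own: something must run the decoder, so the practical check is to look for script or HTML markup inside a file that claims to be an image.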

Code obfuscation, encryption or compression

This is one of the most popular techniques in the malware landscape. Parts of the initial binary can be obfuscated, encrypted or packed to bypass static analysis and make the code hard to understand.

Malware developers simply encrypt the malware's strings and decrypt them at runtime. With this approach, the analyst has to identify the block of code responsible for decrypting the content, and the key it uses, before the strings become readable.

Popular banking trojans such as Lampion, Javali, URSA, Maxtrilha and Grandoreiro use this technique to hide their content, including hardcoded strings, configuration such as the remote C2 server address, bot commands, the kind of information gathered and exfiltrated during execution, the WinAPI functions resolved at runtime, and so on.

Final thoughts

Although this article presents only some of the techniques most used in the wild by malware developers, it's important to keep in mind that more sophisticated and complex techniques emerge every day. It's a "Tom and Jerry" game, and monitoring and analyzing threats is the best way to identify the criminals' strategies.

In a repository provided by CheckPoint, it's possible to analyze, understand and implement the described techniques in C. The repository can be accessed here.

Article information

Author: Eusebia Nader