Minerva Labs Announces Evasive Malware 2017 Year in Review
December 2017 by Minerva Labs
Minerva Labs released the results of their 2017 Evasive Malware Year in Review report, which takes an in-depth look at the approaches used by common malware families to bypass anti-malware tools, including antivirus and analysis sandboxes. The report shares valuable details about these malware samples and their methods, so enterprise defenders can best protect endpoints from such threats.
2017 demonstrated significant advancements in defensive measures, such as artificial intelligence being incorporated into traditional and “next-gen” endpoint security solutions, yet it also confirmed that adversaries continue to find ways around such defensive measures. Minerva’s research into the malware families that were prevalent in 2017, including popular exploit kits and ransomware, confirmed that such malicious programs employ at least one evasion technique to penetrate defenses.
According to Lenny Zeltser, Vice President of Products at Minerva Labs, the use of evasion tactics in malicious software will continue to grow in the coming year, in part in response to the continued advancements in endpoint security products. “Evasion techniques will be used in both classic forms of malware, such as ransomware, as well as in malicious software that offers adversaries new revenue streams, such as malicious cryptominers,” said Zeltser. “On the defender side, incident response teams will look for ways to more actively combat malicious presence in the enterprise in 2018, going beyond the practice of merely identifying which systems might have been compromised.”
The original research by Minerva Labs found a number of significant trends in 2017 that should inform defensive practices in 2018. Some of the key results include:
Exploit kits, which target vulnerabilities in the client-side software of website visitors, remained an effective attack vector in 2017. 99% of the campaigns tested were evasive in either the exploit kit or the payload phase. Exploit kits were also among the most common ways to spread ransomware in 2017, with over 60% of them applying evasive techniques.
The NSA exploits leaked by The Shadow Brokers were increasingly adopted by commodity malware for propagation.
As part of their ransomware research activities, Minerva Labs collected representative samples from 60 different ransomware families, including Locky, Spora, TeslaCrypt, Cryptomix, JigSaw and more. Every sample tested used at least one evasive technique: roughly half of the samples used memory injection, 28% used weaponized documents to deliver the malware, and 24% used environment tests to check whether they were running in a hostile (analysis) environment before executing the attack.
Beyond benefiting from the “established” revenue sources, such as ransomware, adversaries continued to look for additional profitable endeavors, which fueled a steady rise in malicious cryptomining closer to the end of the year.
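The "environment tests" named above are checks a sample runs before doing anything malicious: if the host looks like an analysis sandbox, the sample stays dormant and the sandbox reports it as clean. The following is an added illustration of what such a check typically looks like; it is not code from the Minerva report or from any of the families listed. The process names, MAC prefixes, user names and thresholds are assumptions chosen for illustration. The same routine is useful on the defender side: run it inside your own analysis sandbox, and a high score means commodity samples using checks of this kind will likely refuse to detonate there.

```python
"""Illustrative sandbox/environment fingerprinting of the kind malware uses
to decide whether to run. Added example; all heuristics below are assumptions."""
import getpass
import os
import uuid

# Process names commonly associated with analysis tooling (assumed list).
ANALYSIS_PROCESS_HINTS = {
    "procmon", "procexp", "wireshark", "ollydbg", "x64dbg", "idaq", "idaq64",
    "vboxservice", "vboxtray", "vmtoolsd", "vmwaretray",
}
# OUI prefixes used by common virtualization vendors (assumed list).
VM_MAC_PREFIXES = ("08:00:27", "00:0c:29", "00:50:56", "00:05:69", "00:1c:14")
# User names often seen on throwaway analysis images (assumed list).
SUSPICIOUS_USERS = {"sandbox", "malware", "virus", "test", "analyst"}


def _normalize_proc(name):
    """Lower-case a process name and drop a trailing '.exe' so Windows and
    Linux names compare the same way."""
    n = name.lower()
    return n[:-4] if n.endswith(".exe") else n


def score_environment(profile):
    """Evaluate a host profile (a dict of observed signals) and return
    (score, reasons), where each matched heuristic adds one point.

    Keys used: cpu_count, ram_mb, uptime_s, processes (list of names),
    mac (colon-separated string), username. Missing keys count as
    'no evidence', not as a hit."""
    reasons = []
    if profile.get("cpu_count") is not None and profile["cpu_count"] < 2:
        reasons.append("fewer than 2 CPUs")
    if profile.get("ram_mb") is not None and profile["ram_mb"] < 2048:
        reasons.append("less than 2 GB RAM")
    if profile.get("uptime_s") is not None and profile["uptime_s"] < 600:
        reasons.append("uptime under 10 minutes")
    procs = {_normalize_proc(p) for p in profile.get("processes", [])}
    hits = sorted(procs & ANALYSIS_PROCESS_HINTS)
    if hits:
        reasons.append("analysis tooling running: " + ", ".join(hits))
    if profile.get("mac", "").lower().startswith(VM_MAC_PREFIXES):
        reasons.append("virtualization vendor MAC prefix")
    if profile.get("username", "").lower() in SUSPICIOUS_USERS:
        reasons.append("suspicious user name")
    return len(reasons), reasons


def looks_hostile(profile, threshold=2):
    """Decision the sample would make: stay dormant when the score reaches
    the (assumed) threshold."""
    return score_environment(profile)[0] >= threshold


def collect_local_profile():
    """Gather the same signals from the current host. Linux-specific sources
    (/proc) are read when present; otherwise the signal is left out."""
    profile = {
        "cpu_count": os.cpu_count(),
        "username": getpass.getuser(),
        "mac": ":".join(f"{uuid.getnode():012x}"[i:i + 2] for i in range(0, 12, 2)),
        "processes": [],
    }
    try:
        with open("/proc/uptime") as fh:
            profile["uptime_s"] = float(fh.read().split()[0])
        with open("/proc/meminfo") as fh:
            for line in fh:
                if line.startswith("MemTotal:"):
                    profile["ram_mb"] = int(line.split()[1]) // 1024
        for pid in os.listdir("/proc"):
            if pid.isdigit():
                try:
                    with open(f"/proc/{pid}/comm") as fh:
                        profile["processes"].append(fh.read().strip())
                except OSError:
                    pass  # process exited between listing and reading
    except OSError:
        pass  # not Linux or /proc unavailable
    return profile


if __name__ == "__main__":
    score, why = score_environment(collect_local_profile())
    print(f"score={score}", *why, sep="\n  ")
```

The decision logic is deliberately separated from signal collection so that a sandbox operator can feed it recorded profiles from their images, and so that the threshold and lists can be tuned without touching the collectors; in real samples the checks are often interleaved with benign activity and spread over time, which is what makes them hard to spot in a short sandbox run.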
“In 2017, adversaries continued to monetize or otherwise benefit from the classic use of malicious software, which included holding systems at ransom, conducting industrial espionage, and stealing sensitive personal data. Closer to the end of the year, we’ve seen an increase in the use of malicious software that used victims’ systems to mine cryptocurrency on behalf of the intruder,” said Eddy Bobritsky, Co-Founder and CEO of Minerva Labs. “Minerva will continue to provide technology that ‘attacks’ attempts to evade security tools on the endpoint, strengthening enterprise security posture to cover the gap left by baseline anti-malware tools.”
To learn more about this research, please visit the Minerva Labs website and view the full report here: https://l.minerva-labs.com/2017-min.... A webcast will be held on Tuesday, December 19, 2017, at 1 p.m. (ET) to review the findings. A live demonstration of some of these attacks will also be presented. Register here for the webcast: A Year in Review, 2017 Through the Eyes of Minerva Labs.