Malware developers are fast learners. They adapt to new security measures in record time and find new ways to evade detection or at least stay hidden long enough to complete their malicious goals. In this blog we review some of the cutting-edge techniques attackers use to bypass defenses and the techniques we use to protect users from these constantly evolving threats.

The return of the Dridex banker malware

The infamous Dridex banker resurfaced recently, targeting American banks. The malware spreads through phishing emails that contain malicious files, which can be executables or documents with embedded macro commands. Besides deceiving users, Dridex uses several advanced evasion tactics. It checks whether antivirus protection is installed on the infected machine and, if so, delays its execution. Additionally, when the malware initiates, it attempts to bypass Windows User Account Control (UAC) to establish persistence on the machine and activate the rest of its payload.

To combat the malware’s efforts, Check Point’s SandBlast Zero-Day Protection solution detects and blocks such malware at the pre-infection stage by identifying the evasive maneuvers in its code. Our security researchers have studied countless evasion techniques used by malware in the wild and have built a security engine capable of identifying and stopping them.

One feature of SandBlast prevents any attempt to bypass Windows’ User Account Control (UAC), an action no legitimate process would pursue. SandBlast searches for programs that try to bypass UAC by monitoring portable executables, such as DLLs and EXEs, that are dynamically loaded into an unknown module running at a high integrity level. Files are executed inside SandBlast’s advanced sandbox, where suspect modules are flagged, contained, and blocked from entering the network. It’s important to note that this process does not trigger false positive detections, as legitimate processes do not try to operate outside their privileges.

Crafted documents – Bypassing the VMs

Malware strives to remain in the shadows by avoiding detection and analysis. One method is to try to detect whether it is being run in a Virtual Machine (VM), which is used by sandbox security products and security researchers. If the malware notices it is executing on a VM, it terminates its operation. In the past, malware tried to detect the existence of processes associated with VMs, but defenders soon overcame this.

The newest strains of malware go even further to evade VMs by implementing pre-exploitation triggers. These specially crafted documents contain exploits that are activated only when certain conditions are met. Attackers have only a small set of potential triggers they can use. In Microsoft Office-based documents, the only possible trigger is to monitor whether or not the scrolling function is used inside the document. In PDFs, attackers can embed JavaScript that causes a message box to pop up, triggering the exploit if it is clicked.

To overcome such sophisticated evasion techniques, SandBlast implements a novel automatic interaction, triggering the exploit while running on a VM. Since the exploit initiates its operation on SandBlast, it is easily detected, blocked, and analyzed for future reference. CPU-level detection is the only solution capable of preventing such attacks, as unlike traditional sandboxes, it does not wait for any code execution.

What you see is not what you get

Another tactic used by malware as part of social engineering scams is to forge an icon that resembles that of a legitimate program, such as a PDF or Word document. Most users view their files without the extension that specifies the document type, relying entirely on the sight of the familiar icon. To catch the users who do display extensions, malware often adds a fake extension to the file’s name followed by a long run of spaces before the real extension. Even users who look closely enough to find the real extension see only an oddly padded name. For example, the Kofer ransomware uses a fake PDF icon to trick users into thinking that it is a genuine PDF file, duping them into clicking the file and executing the ransomware. Malware can even propagate through this tactic, as users unknowingly forward such files.
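The padded-extension trick in code, as an added defender-side example that is not from the original post: one helper shows what a user sees when the real extension is hidden, and a second flags names that carry a decoy document extension or trailing spaces ahead of an executable extension. The extension lists and sample names are constructed for illustration.

```python
"""Detect filenames that hide an executable extension behind a decoy."""

# Extensions a user expects to be harmless documents/images (constructed list)
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Extensions Windows will execute (constructed, not exhaustive)
EXEC_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "pif"}


def as_displayed(name: str) -> str:
    """What a file browser shows with 'hide extensions for known types' on:
    the last extension is dropped and trailing spaces are invisible."""
    stem, dot, _ = name.rpartition(".")
    return (stem if dot else name).rstrip()


def inspect_filename(name: str) -> list:
    """Return reasons the name is deceptive; empty list means nothing found."""
    reasons = []
    stem, dot, real_ext = name.rpartition(".")
    if not dot or real_ext.lower() not in EXEC_EXTS:
        return reasons  # not an executable type, nothing to hide
    padding = len(stem) - len(stem.rstrip())
    if padding:
        reasons.append(f"{padding} trailing space(s) push '.{real_ext}' out of view")
    decoy = stem.rstrip().rpartition(".")[2].lower()
    if decoy in DOC_EXTS:
        reasons.append(f"decoy extension '.{decoy}' shown before real '.{real_ext}'")
    return reasons


# Constructed samples: one benign image, one plain program, two disguised executables
SAMPLES = ["photo.jpg", "setup.exe", "Invoice.pdf          .exe", "notes.txt.scr"]

if __name__ == "__main__":
    for n in SAMPLES:
        print(repr(as_displayed(n)), "->", inspect_filename(n) or "ok")
```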

[Figure: two PDF icons side by side, one genuine and one fake]

Only one of the above icons is real, while the other is fake. Can you spot the genuine article? Hackers often create subtle changes to the executable icon to avoid being flagged by security products. Users stand no chance, as a simple visual inspection does not reveal any differences, and will most likely open the executable.

SandBlast identifies such schemes using a unique icon similarity technology, which compares any icon to the authentic version and determines whether it is legitimate. Unlike a human user, SandBlast cannot be fooled by a graphic illusion. It easily notices that the icon on the right is only visually similar to the common PDF document icon, with subtle differences, such as missing pixels, that a simple visual comparison does not pick up. SandBlast technology protects the most vulnerable aspect of any cybersecurity system – the user.
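The icon-similarity idea in its simplest form, as an added example that is not SandBlast’s technology: an exact hash match catches only a byte-identical icon, while a per-pixel similarity score catches a copy with a few pixels knocked out. The 8x8 monochrome bitmaps, the reference set and the threshold are constructed for illustration.

```python
"""Distinguish genuine, lookalike and unrelated icons by pixel similarity."""
import hashlib

# Constructed 8x8 bitmaps standing in for real icon pixel data
GENUINE_PDF = [
    "11111110", "10000011", "10111101", "10100101",
    "10111101", "10000001", "10000001", "11111111",
]
# Same picture with two pixels knocked out, as a forged icon would be
FAKE_PDF = [
    "11111110", "10000011", "10111101", "10100001",
    "10111101", "10000001", "10000001", "11111101",
]
UNRELATED = ["10101010", "01010101"] * 4

# Constructed reference set of authentic icons; a real system would hold many
REFERENCE = {"pdf": GENUINE_PDF}
LOOKALIKE_THRESHOLD = 0.9   # fraction of agreeing pixels that counts as a lookalike


def digest(icon) -> str:
    """Exact-match fingerprint: changes with any single pixel."""
    return hashlib.sha256("".join(icon).encode()).hexdigest()


def similarity(a, b) -> float:
    """Fraction of pixels that agree; both icons must share dimensions."""
    if len(a) != len(b) or any(len(r) != len(s) for r, s in zip(a, b)):
        raise ValueError("icon dimensions differ")
    total = sum(len(r) for r in a)
    same = sum(p == q for r, s in zip(a, b) for p, q in zip(r, s))
    return same / total


def classify(icon):
    """Return (verdict, reference name, score): genuine, lookalike or unknown."""
    for name, ref in REFERENCE.items():
        if digest(icon) == digest(ref):
            return ("genuine", name, 1.0)
        score = similarity(icon, ref)
        if score >= LOOKALIKE_THRESHOLD:
            return ("lookalike", name, score)   # near-copy: treat as forged
    return ("unknown", None, 0.0)


if __name__ == "__main__":
    for label, icon in (("genuine", GENUINE_PDF), ("fake", FAKE_PDF), ("other", UNRELATED)):
        print(label, "->", classify(icon))
```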

Staying one step ahead

Malware authors constantly develop new techniques meant to bypass all known security measures. They quickly learn and adapt to advances in defense mechanisms. As protectors, it is our commitment to safeguard users from the most advanced known and unknown malware. Check Point technologies, including our SandBlast Zero-Day Protection solution, make it possible for us to achieve our goal of protecting our customers with the highest catch rate in the industry.