Attackers have figured out how to bypass traditional antivirus software with fileless attacks designed to hide within sanctioned applications and even within the OS itself. So, even if you’re vigilant about installing patches and pushing out antivirus updates, your organization is likely still at risk. Keep reading to understand:
- How attackers have adapted their tactics to evade traditional antivirus
- How these increasingly common attacks work
- How to quickly evolve your threat detection strategy
5 attacks your traditional antivirus won’t catch
1. Cryptomining malware
Cryptomining tools convert computing power into revenue. The cryptocurrency market is growing rapidly, and the Central Processing Unit (CPU) power required to mine for cryptocurrencies happens to be very costly.[1] So, attackers create malware and other attacks to quietly siphon computing resources from victims for cryptomining. Methods include:
- Exploiting exposed AWS resources or AWS account credentials to steal cloud computing resources, often referred to as “cryptojacking”
- Browser-based attacks that work while a visitor is browsing a legitimate, yet compromised website
- Cryptomining malware, often delivered through phishing campaigns, that consumes CPU on your endpoints
2. Reverse PowerShell attacks
Even in spy novels, everyone knows that the best way to avoid detection is to act like you belong. Attackers follow this approach, as they increasingly use PowerShell and other sanctioned services to evade traditional antivirus software. By gaining access to admin credentials and executing authorized administration actions, cyber attackers can reduce their reliance on malware and exploit kits and more easily evade detection, making for a stealthier data theft operation.
3. Remote desktop protocol (RDP) session jacking
The remote desktop protocol (RDP) enables you to remotely connect to a Windows system, usually requiring you to provide the user password before you can gain session access. However, a known exploit to bypass this is to run tscon.exe (the RDP client process) as the SYSTEM user, which does not prompt you for a password. And no antivirus alarms go off.
4. Advanced persistent threats (APTs) / rootkits
Advanced persistent threats (APTs) involve a series of steps, each of which can easily evade traditional methods of detection (we address each of these steps in detail in the next section). These blended threats often start with a phishing email to capture credentials and then move on to installing malware such as rootkits, which embed themselves deep into the endpoint’s OS. Once an attacker has root access at the kernel level, all bets are off and the system is fully owned.
5. Ransomware
Attackers know how to innovate. Recent ransomware innovations include offering ransomware-as-a-service, as well as targeting widely used corporate cloud apps. One example that easily evades antivirus is the ShurL0ckr ransomware, which targets cloud-based enterprise file sharing platforms. Ransomware-as-a-service enables an attacker to pay the malware’s author a percentage of the ransom once the payload that encrypts the files on disk is generated and distributed.
How these attacks evade detection by antivirus
While these attacks may have their differences, they share some specific characteristics that help them avoid detection by traditional antivirus tools.
These 4 critical steps show how it’s done:
1. Delivery
Signature-based antivirus tools try to catch and quarantine malicious files as they are downloaded or executed on endpoints. The problem is that modern attacks operate without downloading or executing malicious files on the hard drive. Instead, they utilize social engineering (phishing), exploit OS vulnerabilities, and package malicious code within normal-looking files to evade detection in the delivery process.
2. Execution
The best offense is to use the native components of a system against itself. By using what’s already on an endpoint (e.g. tscon.exe, PowerShell, etc.), cyber attackers execute attacks much faster while also evading antivirus detection.
3. Lateral movement
Endpoints provide attackers a necessary foothold into a victim’s network. Once an endpoint is compromised (and any endpoint will do), the next step is to move laterally through the network to find desired assets and targets (domain admin credentials, file servers, etc.). Once an attacker has domain admin credentials, they can move literally anywhere within that domain, stealing and exfiltrating data without antivirus software triggering a single alert.
4. Cover tracks
After doing their dirty work, a smart attacker will cover their tracks. With domain admin credentials, attackers easily delete log files on each endpoint they used within that domain to avoid leaving critical forensic evidence behind for investigators. With one PowerShell script, all digital breadcrumbs of the theft disappear, and not a single antivirus tool is built to notice this.
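None of the steps above produce a malicious file for a signature to match, but each of them leaves a trace in event data: a native tool started under an unexpected account (the tscon.exe and PowerShell cases from attacks 2 and 3 and step 2), one account logging on to many hosts in a short window (step 3), and the audit log being cleared (step 4). The following is an added example, not code from the original page, that runs a small set of such rules over constructed Windows-style event records. The field names (EventID, Computer, SubjectUserName, NewProcessName, CommandLine, LogonType, TargetUserName) are simplified assumptions loosely modelled on Security log fields, the sample events are constructed, and the window and host-count thresholds are assumptions.

```python
"""Rule-based triage of Windows-style event records for the execution,
lateral-movement and cover-tracks steps described above.

Added example, not code from the original page. Records are constructed and
simplified; field names are assumptions modelled loosely on Security log fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EVENTS = [  # constructed sample records, in arbitrary order
    {"time": "2024-01-10T09:00:00", "EventID": 4688, "Computer": "WS01",
     "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe <args omitted>"},
    {"time": "2024-01-10T09:01:00", "EventID": 4688, "Computer": "WS03",
     "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe <args omitted>"},
    {"time": "2024-01-10T09:02:00", "EventID": 4688, "Computer": "WS01",
     "SubjectUserName": "alice",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc <base64 omitted>"},
    {"time": "2024-01-10T09:03:00", "EventID": 4688, "Computer": "WS04",
     "SubjectUserName": "bob",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"time": "2024-01-10T09:10:00", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "admin.svc", "LogonType": 3},
    {"time": "2024-01-10T09:12:00", "EventID": 4624, "Computer": "WS02",
     "TargetUserName": "admin.svc", "LogonType": 10},
    {"time": "2024-01-10T09:14:00", "EventID": 4624, "Computer": "DC01",
     "TargetUserName": "admin.svc", "LogonType": 3},
    {"time": "2024-01-10T09:30:00", "EventID": 4624, "Computer": "WS05",
     "TargetUserName": "admin.svc", "LogonType": 3},
    {"time": "2024-01-10T09:11:00", "EventID": 4624, "Computer": "FS01",
     "TargetUserName": "alice", "LogonType": 3},
    {"time": "2024-01-10T09:45:00", "EventID": 1102, "Computer": "WS01",
     "SubjectUserName": "admin.svc"},
]

# Command-line fragments that are rare in routine administration (assumed list).
SUSPICIOUS_PS_TOKENS = ("-encodedcommand", "-enc ", "-w hidden",
                        "frombase64string", "downloadstring")


def rule_system_tscon(events):
    """Step 2 / attack 3: tscon.exe started under the SYSTEM account."""
    return [e for e in events
            if e.get("EventID") == 4688
            and e.get("NewProcessName", "").lower().endswith("\\tscon.exe")
            and e.get("SubjectUserName", "").upper() == "SYSTEM"]


def rule_encoded_powershell(events):
    """Step 2 / attack 2: PowerShell launched with encoded or hidden-window arguments."""
    hits = []
    for e in events:
        cmd = e.get("CommandLine", "").lower()
        if (e.get("EventID") == 4688 and "powershell" in cmd
                and any(tok in cmd for tok in SUSPICIOUS_PS_TOKENS)):
            hits.append(e)
    return hits


def rule_lateral_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """Step 3: one account logging on over the network (type 3) or via RDP
    (type 10) to at least min_hosts distinct computers inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4624 and e.get("LogonType") in (3, 10):
            by_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["Computer"]))
    findings = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):  # slide the window over each start
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                findings.append((user, sorted(hosts)))
                break
    return findings


def rule_log_cleared(events):
    """Step 4: the Security log was cleared (event 1102); always worth an alert."""
    return [e for e in events if e.get("EventID") == 1102]


def triage(events):
    """Run every rule and return its matches keyed by rule name."""
    return {
        "system_tscon": rule_system_tscon(events),
        "encoded_powershell": rule_encoded_powershell(events),
        "lateral_fanout": rule_lateral_fanout(events),
        "log_cleared": rule_log_cleared(events),
    }


if __name__ == "__main__":
    for name, matches in triage(EVENTS).items():
        print(f"{name}: {matches}")
```

Two details matter more than the individual rules. First, the same admin.svc account fans out to three hosts within fifteen minutes and later clears the Security log on the first workstation; correlating the rules by account turns four low-level matches into one story. Second, the 1102 event is only useful if it has already left the endpoint: if the step-4 script deletes the local log, a record that is forwarded to a central collector as it is written survives, whereas one that is only read from the host afterwards does not.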