Cybersecurity is a game of cat and mouse where attackers and defenders are engaged in an ongoing battle of wits. Attackers employ a range of evasion tactics to avoid getting caught, while defenders constantly analyze and deconstruct these methods to better anticipate and thwart attacker maneuvers.
Let’s explore some of the top evasion tactics attackers use to dodge defenders and technical security measures.
Cryptic Services: Crypting-as-a-service providers on the dark web are known to offer cryptic and code obfuscation services, reconfiguring known malware with a different signature set. Because traditional anti-virus filters are signature-based, they are unable to detect the tampered malware since it has a new signature.
Device ID Evasion: Certain security systems verify the device ID from which a user is attempting to access a particular system. If there is a mismatch with the ID, the IP address, or its geolocation, then an alarm will sound. To overcome this obstacle, threat actors use device spoofing software which helps pass a device ID check. Even if they don’t have such software available, one can easily leverage spoofing services from the dark web.
Time-based Evasion: Attackers have the ability to craft malware that delays its execution or remains inactive, responding to the environment it is in. This time-based tactic aims to deceive sandboxes and other malware analysis environments by creating the appearance that the analyzed file is harmless. For instance, if the malware is being deployed on a virtual machine, which could indicate a sandbox environment, it may be designed to pause its activities or enter a dormant state. Another evasion technique is “stalling”, where the malware performs a harmless action disguised as non-malicious activity: in reality, it is delaying the malicious code execution until the sandbox malware checks are complete.
AI-enhanced Anomaly Detection Evasion: Although server-side polymorphism started prior to the age of AI, AI can be harnessed to synthesize new malware mutations at unprecedented scale. Such AI-enhanced polymorphic malware can dynamically mutate and evade detection by advanced security tools like EDR (endpoint detection and response). Moreover, LLMs can also be leveraged to develop methods that help malicious traffic blend in with acceptable traffic.
Prompt Injection: AI can be implemented to analyze malware samples and monitor anomalies. However, what if attackers insert a prompt inside the malware code to evade detection? This scenario was demonstrated using a prompt injection on the VirusTotal AI model.
Abuse of Trust in Cloud Applications: Attackers are increasingly leveraging popular cloud-based services (like Google Drive, Office 365, Dropbox) to conceal or obfuscate their malicious traffic, making it challenging for network security tools to detect their malicious activities. In addition, messaging and collaboration apps such as Telegram, Slack, and Trello are being used to blend command and control communications within normal traffic.
Advertisement. Scroll to continue reading.
HTML Smuggling is a technique where adversaries “smuggle” malicious scripts within carefully crafted HTML attachments. When the victim opens the HTML file, the browser dynamically reconstructs and reassembles the malicious payload and transfers it to the host OS, effectively bypassing detection by security solutions.
Innovative Phishing Evasion Techniques
Threat actors are always evolving their tactics to prevent phishing pages and websites from being detected by users and security tools. Here are some top methods:
- Top Level Domains (TLDs): Domain spoofing is one of the most widespread phishing tactics. Using TLDs or domain extensions like .app, .info, .zip, etc., attackers can easily create phish-friendly, look-alike websites that can dodge and confuse phishing researchers and anti-phishing tools.
- IP Evasion: It only takes one visit to a phishing website to lose your credentials. Seeking an edge, researchers will visit and play with the website multiple times. In response, threat actors log the visitor IP addresses so when that IP tries to access the website multiple times, the phishing content is blocked.
- Proxy Check: Victims seldom use proxy servers because they’re not very advanced. However, security researchers use proxy servers to analyze malware or phishing websites. When threat actors detect the victim’s traffic coming from a known proxy list, they can prevent them from accessing that content.
- Randomized Folders: When phishing kits first surfaced on dark web forums they were equipped with a specific folder structure which security analysts could track and block. Modern phishing kits now create randomized directories to prevent identification.
- FUD links: Most anti-spam and anti-phishing solutions rely on domain reputation and score the URLs of popular cloud-based services (such as GitHub, Azure, and AWS) as low risk. This loophole enables attackers to exploit a cloud provider’s domain reputation and create FUD (fully undetectable) links that can spread phishing content and evade detection.
- Use of Captcha and QR Codes: URL and content inspection tools are able to inspect attachments and URLs for maliciousness. As a result, attackers are shifting from HTML to PDF files and incorporating QR codes. Since automated security scanners cannot solve the CAPTCHA puzzle challenge, threat actors are using CAPTCHA verification to conceal malicious content.
- Anti-debugging Mechanisms: Security researchers will often use the browser’s built-in developer tools to analyze the source code. However, modern phishing kits have integrated anti-debugging features that will not display a phishing page when the developer tool window is open or it will initiate a pop-up that redirects researchers to trusted and legitimate domains.
What Organizations Can Do To Mitigate Evasion Tactics
Below are recommendations and effective strategies for organizations to identify and counter evasion tactics:
1. Reduce the Attack Surface: Implement zero trust, utilize network segmentation, isolate critical assets, restrict privileged access, patch systems and software regularly, deploy granular tenant and action restrictions, utilize data loss prevention (DLP), review configurations and misconfigurations.
2. Proactive Threat Hunting: Operationalize security teams and tools to proactively search for threats across users, networks, endpoints and cloud services. Deploy a cloud-native architecture such as Secure Access Service Edge (SASE) for detecting threats and analyzing network traffic across infrastructure and workloads without having to deploy agents.
3. Setup Multiple Choke Points: Establish multiple choke points and defenses along the threat actor’s kill chain, employing diverse techniques across multiple attack stages. Rather than overcomplicating the security infrastructure, opt for a platform-based approach or unified interface capable of inspecting all network traffic and each packet to identify malicious content.
4. Phishing Training: Provide security awareness training. Educate users to identify, block and report phishing and social engineering attempts. By enhancing employees’ ability to identify phishing ploys, organizations can mitigate the initial stage of multi-staged attacks.
Relentless in their methods, attackers will continue employing evasion tactics to circumvent traditional security measures. But by adopting best practices for attack surface reduction, proactive threat hunting, setting up multiple choke points, and monitoring the entire IT estate without manual intervention, organizations will be able to mount a swift response to evasive threats.