Malicious Malware Evasion Techniques


Organizations today are up against a sophisticated enemy. Gone are the days when the biggest malware threats were simple “spray and pray” attacks that were generic in content and relatively easy for security providers to identify and block. Today’s threats are led by state actors, highly resourced criminal gangs, and others dedicated to creating successful attacks. And it’s not just large businesses that are at risk. Attackers take advantage of the fact that SMBs do not invest heavily in security to penetrate them, either as targets in their own right or as a way into larger, more heavily targeted organizations, such as the SMB’s vendors, customers, or partners.

The fallout from attacks is more consequential than ever before. Mass data breaches and ransomware attacks that last for days can incur significant legal, financial, and reputational damages. We’ll explore the latest tactics these malicious groups use, specifically when it comes to the techniques they leverage to evade common security solutions. Increasing your knowledge about security threats, common evasion techniques, and the tools available to combat them will enable you to effectively deal with current and future attacks on your business.

Types of attacks

Email is the most frequently used channel to deploy the dangerous payloads that create havoc. We will specifically address attacks through this email channel, which can essentially be divided between links and files.

Links:
  • Exploits: the user enters a dangerous page that can exploit the browser and gain control over the entire system
  • Phishing: the user is manipulated into sharing sensitive information or downloading malicious software

Files:
  • Exploits: documents that appear legitimate but exploit applications such as Microsoft Word or Adobe Acrobat
  • Macros: the user is manipulated into running special document capabilities, which can gain control of an entire system

NOTE: Phishing emails are the leading cause of ransomware attacks, with 54% of MSPs selecting them as the top cause of ransomware attacks.

The Evolution of Evasion Techniques

Evasion techniques have evolved significantly over the years. At first, it was enough to send a malicious document to gain remote access. As security products evolved, however, attackers evolved too and began introducing various evasion techniques to defeat the checks performed by security products.

From around 2010 to 2018, it was common for attackers to exploit specific application vulnerabilities. Well-known examples of these include CVE-2012-0158, CVE-2017-0199, CVE-2017-11882, CVE-2018-4878, and CVE-2018-5002.

These zero-day attacks (i.e., attacks leveraging vulnerabilities not yet commonly known or not yet mitigated against) were hard to detect. Additionally, both static and dynamic evasions were used to make the attack even stealthier and more effective.


Most commonly, the exploit was hidden in shellcode that was encrypted inside the sample and decrypted only at run-time, so static mechanisms missed it completely.


These types of attacks would also dynamically check for debuggers, user activity, and network connectivity to determine whether they were running inside a VM or sandbox environment. Moreover, dynamic evasion can also be seen in the form of delayed or hidden attacks, for example, by having the initial dropper sleep for 10 minutes before anything happens, or by using thread injection to run from a different process.

Early attack stages checked the OS and product versions for compatibility, and only then fetched the exploit itself from the remote server, thus avoiding crashes.

VBA Macros

VBA macros have been a well-known Excel feature for years. However, their use for malicious activity has recently gained popularity, and that popularity has increased in step with the decrease in exploits being found.

This is primarily due to:

  • New products being developed with a focus on security
  • The development of frameworks to ensure there is less scope for developer mistakes
  • Faster product updates

Taken together, these factors make the vulnerability research that attackers need to carry out much more complex, so it makes more sense for them to use simpler attack mechanisms such as macros.

Over the last three years, most Microsoft Office-oriented attacks have been based on macros. A macro is simply VBA code that can interact with the OS to gain control over the system. And here again it is the same pattern: as security products get better, the attackers and the attacks themselves get stealthier.

For attackers, the cost-effectiveness of zero-day attacks decreased over time. Macros, on the other hand, are easier to develop and have been highly effective. Moreover, they are easier to adjust if they’re caught to ensure that the next attack succeeds.
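The text above describes macros as VBA code that interacts with the OS, typically triggered automatically when the document opens. The following static triage heuristic, an added example that is not from the original page or from Datto, flags the two ingredients defenders look for: an auto-exec entry point and OS-interaction, download or obfuscation calls. The macro text and the rule names are constructed for illustration.

```python
import re

# Constructed macro text (not a real sample): an auto-exec entry point that
# reaches the OS through WScript.Shell and hides part of a string with Chr().
SAMPLE_VBA = '''\
Sub AutoOpen()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run Environ("WINDIR") & "\\" & Chr(110) & "otepad.exe", 0
End Sub
'''

# Entry points Office runs without the user clicking anything.
AUTOEXEC = re.compile(r"\b(Auto_?Open|Auto_?Close|Document_Open|Workbook_Open)\b", re.I)

# Indicator name -> pattern. Hits alone are not proof; they drive triage.
SUSPICIOUS = {
    "shell object": re.compile(r'CreateObject\(\s*"(WScript\.Shell|Shell\.Application)"', re.I),
    "process launch": re.compile(r"\.(Run|Exec)\b|(?<![.\w])Shell\s", re.I),
    "download": re.compile(r"\b(URLDownloadToFile|XMLHTTP|WinHttpRequest)\b", re.I),
    "env lookup": re.compile(r"\bEnviron\(", re.I),
    "char-code obfuscation": re.compile(r"\bChr[WB]?\(\s*\d+\s*\)", re.I),
}

def triage(vba):
    """Return (sorted auto-exec names, sorted indicator names) found in the macro text."""
    auto = sorted({m.group(1) for m in AUTOEXEC.finditer(vba)})
    hits = sorted(name for name, rx in SUSPICIOUS.items() if rx.search(vba))
    return auto, hits

def verdict(vba):
    """'suspicious' when an auto-exec entry point is combined with at least one
    indicator; 'review' when only one of the two is present; 'clean' otherwise."""
    auto, hits = triage(vba)
    if auto and hits:
        return "suspicious"
    if auto or hits:
        return "review"
    return "clean"

if __name__ == "__main__":
    auto, hits = triage(SAMPLE_VBA)
    print("auto-exec:", auto)
    print("indicators:", hits)
    print("verdict:", verdict(SAMPLE_VBA))
```

Running it on the constructed sample reports the AutoOpen entry point together with the shell-object, process-launch, environment-lookup and Chr() indicators, giving a "suspicious" verdict.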

Ransomware

Ransomware can be deployed with a download, a macro within a well-known file type, or in many other creative ways. The most common ransomware types begin encrypting data immediately, quickly spreading like wildfire across the network. A company can be completely locked out of its systems almost immediately, and ransom amounts have increased rapidly. Even large organizations often pay the ransom (in the tens of millions of dollars), showing how effective these attacks are and how difficult they are to recover from once initiated. Datto’s State of the Channel Ransomware Report found that 70% of MSPs report ransomware as the most common malware threat to SMBs.

Ransomware attacks can result in considerable business downtime. If an attack goes undetected, it won’t take long for numerous user devices, servers, and even data in SaaS applications to become encrypted. The consequences of ransomware listed below highlight the need for MSPs to get their end users back up and running fast.

Other Malware Types

Other malware types such as spyware can give attackers, and potential rivals, a window into your organization without being detected. Malware can also be used to corrupt files, access sensitive data, and produce numerous other undesirable outcomes. There is also a disturbing trend where one type of malware, once it has achieved a foothold on a device, downloads and runs a different kind of malware, so a banking trojan, for example, will later run a ransomware attack.

Top Recent Evasion Techniques for Ransomware

Ransomware. The word itself is enough to strike fear into the hearts of security professionals. But as we mentioned at the beginning of this piece, knowing the latest evasion techniques is the first step in protecting your organization.

Ensuring Only Real Users Get Attacked

One of the ways attackers are getting smarter is by ensuring that their weaponized payload isn’t intercepted before it gets into the victim’s inbox. As we saw previously, attacks can be personalized and hyper-targeted, so attackers cannot afford to see these efforts wasted. They also do not want security products to pick up their digital signatures or methods. Attackers, therefore, go to great lengths to evade security solutions. For example, they will check for a sandbox or virtual machine environment, detect any scanning taking place, or even check for clues like a sound card. Then they will act accordingly, such as only fetching a payload once it has been confirmed that there is a real machine and a real user on the receiving end.
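Both the evolution section (debugger, VM and connectivity checks, long sleeps, thread injection, fetching the payload only after compatibility checks) and the paragraph above (sandbox, scanning and sound-card checks before fetching the payload) describe the same dynamic-evasion pattern. The script below, an added example that is not from the original page or from Datto, reads a constructed sandbox API-call trace and flags those indicators, then checks whether the first network fetch happened only after an evasion check. The trace format (seconds, API name, optional argument) is an assumption; the API names are well-known Win32 calls.

```python
import re

# Constructed sandbox trace (seconds, API, optional argument); not real telemetry.
TRACE = """\
0.01 IsDebuggerPresent
0.02 RegOpenKeyExW HKLM\\SOFTWARE\\VMware, Inc.\\VMware Tools
0.03 waveOutGetNumDevs
0.05 GetCursorPos
0.06 Sleep 600000
600.10 GetVersionExW
600.20 InternetOpenUrlW http://example.invalid/stage2
600.50 CreateRemoteThread
"""

LINE = re.compile(r"^(?P<t>\d+(?:\.\d+)?)\s+(?P<api>\w+)(?:\s+(?P<arg>.*))?$")
NETWORK_APIS = {"InternetOpenUrlW", "URLDownloadToFileW", "WinHttpSendRequest"}

# Indicator name -> predicate over (api, arg). Each maps to a check the text names.
RULES = {
    "debugger check": lambda api, arg: api == "IsDebuggerPresent",
    "vm artifact probe": lambda api, arg: api.startswith("RegOpenKey")
        and bool(re.search(r"vmware|vbox|virtualbox|qemu", arg, re.I)),
    "sound card probe": lambda api, arg: api == "waveOutGetNumDevs",
    "user activity check": lambda api, arg: api in ("GetCursorPos", "GetLastInputInfo"),
    "long sleep (>=5 min)": lambda api, arg: api == "Sleep" and arg.isdigit()
        and int(arg) >= 300_000,
    "thread injection": lambda api, arg: api == "CreateRemoteThread",
}

def parse_trace(text):
    """Yield (time, api, arg) tuples; lines that do not parse are skipped."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            yield float(m["t"]), m["api"], m["arg"] or ""

def find_indicators(text):
    """Return [(time, indicator)] for every call that matches an evasion rule."""
    hits = []
    for t, api, arg in parse_trace(text):
        hits.extend((t, name) for name, rule in RULES.items() if rule(api, arg))
    return hits

def payload_fetched_after_checks(text):
    """True if the first network call comes only after an evasion check:
    the 'confirm a real machine, then fetch the payload' staging the text describes."""
    first_net = next((t for t, api, _ in parse_trace(text) if api in NETWORK_APIS), None)
    return first_net is not None and any(t < first_net for t, _ in find_indicators(text))

if __name__ == "__main__":
    for t, name in find_indicators(TRACE):
        print(f"{t:8.2f}s  {name}")
    print("staged fetch after checks:", payload_fetched_after_checks(TRACE))
```

A sandbox that reports these indicators, rather than just "no malicious behaviour observed", tells the analyst the sample is withholding its payload instead of being benign.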

Protect Yourself Against Sophisticated Attacks

A different approach is needed to recognize this new threat and address it, one that truly keeps organizations safe against the latest and most nefarious threats.

SaaS Defense brings this different approach to threat detection: one that can stop malware of any type at first encounter, from phishing to BEC and from N-day to zero-day, with no dependency on knowledge of past threats.

With the stakes so high, attackers will do anything to avoid detection and take advantage of their victims. Ensure you have the capabilities in place to protect yourself against these threats.