Remember, “Where's Waldo?” Like most of us, you probably would have spent a few minutes trying to spot the tall lanky fella in a crowded photo, and eventually would have been successful. Detecting hidden malware can feel like a similar challenge—often obfuscated and embedded deep within files, attachments, and images. Hidden malware has always been difficult to detect and prevent, but as cybercriminals advance their techniques, it's only getting harder.
Imagine if Waldo wasn't wearing his signature red and white striped shirt, hat, and glasses. What if he looked exactly like everyone else and you had to figure out who he was? That's synonymous with the state of hidden malware today. Cybercriminals have gotten so creative with their delivery of malware and ransomware that they have learned how to embed it within normal data, setting a trap for unknowing users.
One of the first steps in protecting yourself against malware is understanding where hidden threats and vulnerabilities reside. Then, you can plan for how you will unmask their identity before they penetrate your network.
Common Hidden Malware Techniques
Wouldn’t it be nice if you opened an email or clicked on a link and it said ‘Warning, do not proceed, there is malware inside.’ Unfortunately, that’s not the reality, which is why you have firewalls, antivirus, secure gateways, sandboxes and EDR tools. It’s the job of these systems to determine, or best predict, what is malicious and what is not. On the other hand, bad actors are analyzing these tools to exploit weaknesses or gaps in their coverage areas, allowing them to sneak right past. Over the years, cybercriminals have become scary good at concealing malware so that these tools don’t even realize what is right in front of them. Common techniques include:
- Trojan Horse Malware. These programs appear completely harmless because they are disguised as legitimate, but malware is activated when the program is executed. You’re probably more familiar with trojan malware than you may realize—Emotet, Qakbot and other notorious malware families are forms of trojan malware. These can come in a variety of formats, like banking trojans that seek out financial data, but the end goal is the same—steal data to sell on the dark web or encrypt for ransom.
- Steganography. Steganography is when malicious code is embedded deep within seemingly innocent images or media files. We’ve seen instances of steganography used within James Webb telescope images, PNG files and GIFShell attacks. Media files are typically viewed as more innocent than Word, Excel, or PDF files, which are infamous for being compromised. Hackers can also embed malicious code deep within pixels that no human eye, or even security technology, can spot. It would be like finding a needle in a haystack... or Waldo in a sea of red and white.
- Watering Hole Attacks. I’m quite sure we’ve all seen National Geographic documentaries depicting hyenas that prey on antelopes at the watering hole. They do this because they know where their desired victims gather. The same concept applies to malware campaigns. Cybercriminals study you, and your peers, so they know what websites you are visiting, what language you use and what programs you interact with. In watering hole attacks, bad actors compromise trusted websites that are frequently visited by their target audience to distribute malware. This has been a prominent attack method targeting those within the APAC region. In 2021, Google researchers warned of watering hole attacks targeting Hong Kong citizens, which were preceded by a series of watering hole attacks on numerous Southeast Asian websites.
- Malicious Macros. We cannot talk about hidden malware and not address malicious macros. Exploiting macros has been a long-favored technique amongst cybercriminals. They embed malicious code within macros in Excel files that execute upon opening the document. A lot of file scanning tools can’t analyze the code within macros, allowing the malware to slip through. Coupled with the fact that working in Excel files is a critical job function for many end users, this makes for a perfect attack method. The exploitation of Excel macros became so prominent that Microsoft itself issued a default block of macros, and there are now a variety of tools in the market, like Content Disarm and Reconstruction, that can spot malware within these programs.
You Can Run, But You Can’t Hide
These are just a few examples, but there is a plethora of ways that hackers can conceal malware. The challenge remains the same—how do you unmask an identity if it’s invisible to the naked eye and undetected by technology? You need to think of your security stack as a system of checks and balances. No one security solution is all-powerful and can thwart every type of threat out there – we can dream though, right? Combatting the trickiest and sneakiest attacks requires a multi-faceted approach. Let’s go back to our “Where’s Waldo” analogy.
First, you ‘detect,’ which means that you are looking for known malware signatures. This would be like uncovering Waldo wearing his signature costume. If Waldo’s sporting his notorious shirt, hat, and glasses, then a detection-based approach will suffice.
Let’s say Waldo’s not in his traditional guise; how would you find him now? That’s when you’d focus on ‘disarm.’ You’d interrogate every single individual and determine if they are, in fact, Waldo. If they’re not Waldo, then they can pass through. If they are Waldo, then they stay put. The key component of ‘disarm’ is the interrogation and deep analysis of every single component.
Lastly, further analysis needs to occur. It’s not enough that you found Waldo in disguise—now you need to understand how he disguised himself so you can identify him more easily in the future. Did he dye his hair? Was he wearing contacts? When analyzing malware, you need to know what the threat is and what characteristics or behaviors it has. This will equip you with the knowledge needed to know what’s targeting your ecosystem so you can better protect enterprise systems, networks, and valuable assets from known and emerging threats.
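The detect-then-disarm sequence above, applied to the malicious-macro case, as an added Python example that is not from the original post or any product it describes. It assumes a constructed minimal .xlsm (a zip of XML parts plus a placeholder vbaProject.bin) and a constructed known-bad hash list; a real Content Disarm and Reconstruction engine also rebuilds the remaining parts, which this sketch does not.

```python
import hashlib
import io
import re
import zipfile

# Constructed sample: a minimal macro-enabled workbook. An .xlsm is a zip of
# XML parts plus a binary vbaProject.bin; the blob below is a placeholder.
CONTENT_TYPES = (
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/xl/workbook.xml" ContentType="application/vnd.ms-excel.sheet.macroEnabled.main+xml"/>'
    '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    '</Types>'
)
FAKE_VBA = b"PLACEHOLDER-VBA-BLOB"  # stands in for real vbaProject.bin content
KNOWN_BAD_SHA256 = {hashlib.sha256(FAKE_VBA).hexdigest()}  # constructed signature list
MACRO_PART = re.compile(r"vbaproject\.bin$", re.I)
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"

def build_sample_xlsm(vba: bytes = FAKE_VBA) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", vba)
    return buf.getvalue()

def detect(package: bytes) -> dict:
    # 'Detect': list macro parts and flag those whose hash matches a known signature.
    with zipfile.ZipFile(io.BytesIO(package)) as z:
        parts = [n for n in z.namelist() if MACRO_PART.search(n)]
        hits = [n for n in parts if hashlib.sha256(z.read(n)).hexdigest() in KNOWN_BAD_SHA256]
        macro_enabled = b"macroEnabled" in z.read("[Content_Types].xml")
    return {"macro_parts": parts, "signature_hits": hits, "macro_enabled": macro_enabled}

def disarm(package: bytes) -> tuple[bytes, list[str]]:
    # 'Disarm': rebuild the package with every macro part dropped, signature match or
    # not, and rewrite [Content_Types].xml so the result is a plain (.xlsx-style) workbook.
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(package)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if MACRO_PART.search(name):
                removed.append(name)  # keep a record of what was stripped for later analysis
                continue
            data = src.read(name)
            if name == "[Content_Types].xml":
                text = re.sub(r'<Override PartName="[^"]*vbaProject\.bin"[^>]*/>', "", data.decode(), flags=re.I)
                data = text.replace("application/vnd.ms-excel.sheet.macroEnabled.main+xml", PLAIN_MAIN).encode()
            dst.writestr(name, data)
    return out.getvalue(), removed
```

The second sample in the test carries a macro blob with no matching signature: detection alone misses it, while the disarm step strips it regardless, which is the point of layering the two.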