Four Sneaky Attacker Evasion Techniques You Should Know About
Remember those portrayals of hackers in the 80s and 90s where you just knew when you got pwned? A blue screen of death, a scary message, a back-and-forth text exchange with a hacker—if you got pwned in a movie in the 80s and 90s, you knew it right off the bat.
What a shame that today’s hackers have learned to be quiet when infiltrating an environment. Sure, “loud” attacks like ransomware still exist, but threat actors have learned that if they keep themselves hidden, they can usually do far more damage. For hackers, a little stealth can go a long way. Some attack tactics are inherently quiet, making them arguably more dangerous as they can be harder to detect. Here are four of these attack tactics you should know about.
1. Trusted Application Abuse
Attackers know that many people have applications that they inherently trust—making those trusted applications the perfect launchpad for cyberattacks. Threat actors know that defenders and the tools they use are often on the hunt for new malware presenting itself in environments. What isn’t so easy to detect is when the malware masquerades under legitimate applications.
Fileless malware is a great example of trusted application abuse. No new malware is installed on the system in the case of fileless malware (hence its name). Instead, the malware works to mess with applications you know and trust, ultimately taking control over them and using them to perform malicious activity.
And that’s what makes trusted application abuse one of the sneakier evasion tactics.
2. Trusted Infrastructure Abuse
Much like trusted application abuse, trusted infrastructure abuse is the act of using legitimate, publicly hosted services and toolsets (such as Dropbox or Google Drive) as part of the attack infrastructure.
Threat actors know that people tend to trust Dropbox and Google Drive. As a result, this makes these tools a prime means for threat actors to carry out malicious activity. Threat actors often find trusted infrastructure abuse easy because these services aren’t usually blocked at an enterprise’s gateway. In turn, outbound communications can hide in plain sight.
This unfortunately makes it that much easier for bad actors to establish persistence in an environment, which we’ll talk about shortly.
Although cybersecurity has more than its fair share of tedious acronyms, the good news is that many terms can be broken down by their generic dictionary definitions.
According to dictionary.com, this is what obfuscate means:
“To make something unclear, obscure or difficult to understand.”
And that’s exactly what it means in cybersecurity: finding ways to conceal malicious behavior. In turn, this makes it more difficult for analysts and the tools they use to flag suspicious or malicious activity.
For example, one attack tactic we see often in the field is burying malicious code inside an unsuspecting file. You think you’re opening up a PDF (.pdf), but you’re actually opening up an executable (.exe) that runs malicious code in the background. This is one form of obfuscation because you’re being tricked into opening an executable under the guise of a harmless PDF.
Imagine writing up documentation using your computer—something you may well do in your role. You’ve spent a ton of time doing the research required, finding the right sources and compiling all your information into a document.
Now, imagine not hitting save on that document and losing it as soon as you reboot your computer.
Sound like a nightmare—or perhaps a real anxiety-inducing experience you’ve been through before? Threat actors agree.
And that’s why they establish persistence. They don’t want all of their hard work to get into your systems in the first place to be in vain just because you restart your computer. They establish persistence to make sure they can still hang around even after you reboot.
Although we’ve expanded our offerings here at Huntress, persistence was our bread and butter when we were first established. That’s because so many tools focused on preventive measures but not quite on what happens once threat actors do make their way through. And let’s be real—it’s only a matter of time before they outsmart today’s best tools.
Want to learn more about defense evasion? Check out our blog series where we open up the Huntress vault to explore some defense evasion techniques we’ve seen in the wild.