June 18, 2024 | Text: Markus Selinger | Antivirus for Windows

Disguise and deception – how brand-new malware attacks are carried out on Windows systems

Cyberattackers are constantly seeking and finding new ways to attack Windows systems. That is why the team from AV-TEST, in its Advanced Threat Protection tests, examines whether current protection programs also detect the latest attack techniques. Where they do not, the attackers load malware lightning-fast and launch it. In the latest test, the experts subjected the systems to the most recent malware 10 times. The attackers come disguised: concealed in MSI packages, executed via script interpreters, swapping out the main components of a process, or combining these techniques. 21 products for consumer users and corporate users face off against difficult tasks involving stealth attacks. The outcome shows that some vendors do a perfect job. But the test also demonstrates that some products cause unnecessary suspense, yet in the end come out on top against the malware.

Disguised malware attacks Windows – the Advanced Threat Protection test examines the ability of 21 products to defend against data stealers and ransomware

Most cyberattackers do not openly send ransomware to the systems they are attacking. Rather, they seek means and ways to obfuscate their malware or to smuggle it in piggyback on something else. The security products need to detect all of these tricks or even anticipate new ones. But regardless of how they do so: at the end of the day, the attacks have to be thwarted.

Taking part in the test were the consumer user products of the following vendors: Avast, AVG, Bitdefender, ESET, F-Secure, G DATA, McAfee, Microsoft, Microworld, Norton, and PC Matic.

The following vendors were in the line-up of solutions in the test for corporate users: Avast, Bitdefender (with 2 versions), Check Point, ESET, HP Security, Kaspersky (with 2 versions), Qualys, and Symantec.

21 products against ransomware and data stealers

While classical detection tests involving security products only examine whether a malware sample is detected or not, the Advanced Threat Protection test (ATP) goes a vital step further. In ten scenarios, the testers stage attacks exactly as they occur in reality. In the latest test, the experts try 5 times to place ransomware and 5 times to execute a data stealer or info stealer. To do so, they harness the following attack techniques to disguise and deceive in their attacks:

Consumer user products in an advanced test

The latest ransomware and data stealers use clever techniques and disguise methods when attacking Windows systems. The Advanced Threat Protection test shows how reliably security solutions fend off attacks

Company products in the advanced test

The 10 solutions for Windows systems in corporate user environments exhibited strong performance in the test. There were a few defensive reactions that occurred in subsequent steps, but overall no malware was able to gain the upper hand
Bring a scripting interpreter: Attackers often try to use script interpreters such as WScript or PowerShell to launch malware scripts. Many protection programs are aware of this, however, and monitor these interpreters, as well as their inputs and outputs, accordingly. A new variant is the attack with an otherwise harmless software interpreter such as AutoHotkey (AHK). A script installs the interpreter and then executes an AHK script, which loads ransomware or an info stealer onto the Windows system. This is precisely the attack variant that was used in the test scenarios.

Microsoft Software Installer: MSI (Microsoft Installer) is a Windows installation package format that bundles the application to be installed, together with the necessary data and control commands, in one package for the consumer user's computer. Cybercriminals conceal malicious files in an MSI file and specify their own control steps. This opens up a variety of ways to infect victims' computers. The complexity of MSI files can make it difficult to detect malicious installation programs.

In our examples, MSI installation programs are used to place several files on the hard drive, including decoy files and malicious files. After placing the files, a user-defined action (an MSI custom action) is used to launch the malware code. The actual installation sequence is then simply aborted, as it was only needed as a disguise.

Reflective code injection: In reflective code injection, the code is loaded directly into the memory of a process. In this manner, reflective code loading can bypass process-based detection methods by concealing the execution of malicious code within a legitimate and harmless process. This type of code injection is also fileless, as it only injects the code into a process and never writes the payload to disk.

In our examples, an AutoHotkey script loads the malware payload directly into the main memory and launches it, whereby an info stealer program or ransomware is executed.
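The two delivery chains described above (an MSI custom action starting a file the package dropped, and a freshly installed AutoHotkey interpreter running a script) leave a trace in the process tree even when the payload itself is loaded reflectively. As an added example that is not part of the AV-TEST article or its test harness, the Python triage below runs two parent/child heuristics over constructed process-creation events; the ProcEvent record, the user-writable-path heuristic and the sample events are assumptions, not data from the test.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # minimal process-creation record, as a Sysmon Event ID 1 or EDR feed provides
    pid: int
    ppid: int
    image: str      # full path of the started executable
    cmdline: str

# Script hosts the article names (WScript, PowerShell) plus AutoHotkey interpreter binaries.
SCRIPT_INTERPRETERS = {"autohotkey.exe", "autohotkeyu64.exe", "autohotkey64.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def _user_writable(path: str) -> bool:
    """Heuristic for paths a standard user can write to: where dropped MSI payloads and portable interpreters land."""
    p = path.lower()
    return any(marker in p for marker in ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\"))

def triage(events):
    """Return (pid, reason) for every event that matches one of the two delivery chains."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        child, parent = _name(e.image), by_pid.get(e.ppid)
        if parent is not None and _name(parent.image) == "msiexec.exe" and child != "msiexec.exe":
            # An installer seldom needs a script host; a binary it starts from a user-writable
            # path is the "custom action launches the just-dropped payload" pattern.
            if child in SCRIPT_INTERPRETERS:
                findings.append((e.pid, "msiexec spawns script interpreter"))
            elif _user_writable(e.image):
                findings.append((e.pid, "msiexec runs binary from user-writable path"))
        # The interpreter itself was dropped (not installed under Program Files) and runs a script.
        if child.startswith("autohotkey") and _user_writable(e.image) and re.search(r"\.ahk\b", e.cmdline, re.I):
            findings.append((e.pid, "portable AutoHotkey runs script from user-writable path"))
    return findings

# Constructed sample events (not captured from the AV-TEST scenarios): one malicious chain
# (invoice.msi -> dropped helper.exe -> portable AutoHotkey) and two benign launches.
SAMPLE_EVENTS = [
    ProcEvent(1200, 1000, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\invoice.msi"'),
    ProcEvent(1300, 1200, r"C:\Users\u\AppData\Local\Temp\helper.exe", "helper.exe"),
    ProcEvent(1400, 1300, r"C:\Users\u\AppData\Local\Temp\ahk\AutoHotkey.exe", r"AutoHotkey.exe C:\Users\u\AppData\Local\Temp\ahk\run.ahk"),
    ProcEvent(1500, 1000, r"C:\Windows\System32\msiexec.exe", r'msiexec.exe /i "C:\Users\u\Downloads\vendor.msi"'),
    ProcEvent(1600, 1500, r"C:\Program Files\Vendor\setup.exe", "setup.exe /quiet"),
    ProcEvent(1700, 1000, r"C:\Program Files\AutoHotkey\AutoHotkey.exe", r"AutoHotkey.exe C:\Users\u\Documents\macro.ahk"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the dropped helper and the portable interpreter while the vendor installer and the properly installed AutoHotkey stay silent; an in-memory payload loaded by that interpreter is invisible here, which is why the article's later "Execution" and "Impact" steps still matter.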

In the ATP test, all the detection and defensive steps are recorded in a matrix according to the MITRE ATT&CK standard. In the case of ransomware, there are three essential steps to detect; for data and info stealers there are four actions. Per step or action fended off, the lab awards a half or a full point. This means that a product can earn 3 points five times for each detected and neutralized ransomware sample, and 4 points five times for the info stealers. Thus, the highest value in the protection score is 35 points.

The ten test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.


The ATP test and its results: consumer user products

The striking outcome in this test was the fact that all products for consumer users detected the attackers without exception. However, only 7 out of the 11 products detected all the malware in the first steps, "Initial Access" or "Execution", receiving the full 35 points as their protection score: Bitdefender, G DATA, McAfee, Microsoft, Microworld, Norton, and PC Matic.

The other 4 protection packages had problems with ransomware and info stealers: Avast and AVG detected the attackers, but could not stop them completely in the first steps in 4 instances. Only additional internal protection functions were then able to stop the malware in all instances, so that no damage occurred. For this, however, the products received a point deduction, each scoring only 30 out of 35 possible points.

F-Secure had similar issues, but in 6 out of 10 scenarios. Here as well, the subsequent internal protection functions safely kicked in, such that in the end the danger was averted and no damage occurred. However: after point deductions in 6 scenarios, only 28 out of 35 possible points remained.

While the protection package from ESET received 30 out of 35 points, in the end it was defeated by ransomware, despite detection of the attack – the data was encrypted! In an additional instance, an info stealer was able to proliferate, despite detection, but it was held up in later steps by an internal protection technique.

All protection packages earned the “Advanced Certified” certificate in the ATP test, with one exception: despite its perfect performance, G DATA did not receive this accolade, as only products certified in the regular monthly test and fulfilling all the criteria receive a certificate.

The ATP test and its results: corporate solutions

The outcome among the solutions for corporate users in the ATP test was excellent for most of the products: 8 out of the 10 packages in the test achieved perfect results and were awarded the maximum total of 35 points as their protection score: Bitdefender (with 2 versions), ESET, HP Security, Kaspersky (with 2 versions), Qualys, and Symantec.

While the product from Avast detected all 10 attacks, it did not initially stop the ransomware and the data stealers in 2 instances each. Only in the subsequent steps were the attacks thwarted by internal protection techniques, thus preventing any damage. The protection score was 30 out of 35 points after point deductions due to the initial walls of defense being defeated.

The solution from Check Point had a similar outcome as Avast, but in 6 instances. Here, as well, the solution with advanced protection techniques was able to stave off the attackers in the next steps, and no damage was done. Naturally, the lab makes a point deduction in such cases: As a result, there were only 28 out of 35 points earned for the protection score.

All products received “Advanced Approved Endpoint Protection” certification, as they achieved 75 percent (at least 26.5 points out of 35 points) for the protection score.

Fierce digital battles and victorious defenders

The test involved 21 products in 10 scenarios each. In 209 out of 210 cases, no damage was inflicted by the malware. While the majority of the products for consumer users and also many for corporate users detected, blocked and eliminated the attackers, some of the products created unnecessary suspense. But even these packages and solutions were able to quickly iron out their initial missteps and, using additional internal protection functions, prevent the attackers from wreaking destruction. Only the 210th test run, involving ESET, did not turn out well: in the end, the Windows system was encrypted.

Consumer Users 04/2024

Free Antivirus
Internet Security
Total Security
Security Ultimate
Internet Security
Total Protection
Defender Antivirus (Consumer)
eScan Internet Security Suite
Norton 360
Application Allowlisting

Corporate Solutions 04/2024

Ultimate Business Security
Endpoint Security
Endpoint Security (Ultra)
Endpoint Security
Endpoint Security
Wolf Pro Security
Endpoint Security
Small Office Security
Endpoint Protection
Endpoint Security Complete
