Advanced Malware Is Very Good at Hiding

Advanced malware continues to play a significant role in many attacks targeting organizations today. Malware authors continue to develop new techniques that bypass both traditional and “next-generation” security tools, like firewalls, IPS, and sandbox technologies, leaving your systems and data at risk. Evasive malware can easily escape detection by “advanced” security technologies by altering its behavior or adopting one or more evasion tactics.

Evading Signature-Based Detection

Malware authors easily alter the signature of their code to avoid detection. Because security tools examine the internal components of an object to generate a signature, modifying even a single bit in any of the malware’s components changes the object’s signature. Some of the malware tools on the dark web enable payload-changing capabilities with a simple check box to foil signature-based systems.

Evading Sandbox-Based Technologies

Advanced malware is engineered specifically to detect when it is running in most sandboxes on the market. While in the sandbox, the malware avoids taking any malicious actions so that it evades detection, is allowed into your network, and only then initiates its malicious behavior. The reason advanced malware can bypass most sandboxes is that those sandboxes typically rely on virtual machine (VM) environments. VM technologies introduce artifacts that let advanced malware discover it is running in a virtual environment. These artifacts include additional operating system files and processes, supplementary CPU features, and other components necessary for the virtualization to work.

Advanced Malware Evasion Techniques

Advanced malware also avoids detection by sandboxes or other security controls by altering its behavior and adopting one or more of the following evasion tactics:

Stalling Delays

The malware simply does nothing for an extended period. Typically, 10 minutes is enough for most sandboxes to time out and assume the object is benign.
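One way a sandbox operator can surface the stalling pattern described above (sleeps that outlast a roughly 10-minute analysis budget) and counter it by skipping sleeps. This is an added example, not Lastline code; the trace schema, the API name sets and the constructed trace are assumptions.

```python
"""Flag the stalling-delay pattern in a sandbox API trace and emulate the
sleep-skipping countermeasure. Added example, not Lastline code; the trace
schema (timestamp_ms, api_name, argument) and the API sets are assumptions."""

SANDBOX_BUDGET_MS = 10 * 60 * 1000  # the page: ~10 minutes until most sandboxes give up

SLEEP_APIS = {"Sleep", "SleepEx", "NtDelayExecution"}
CLOCK_APIS = {"GetTickCount", "QueryPerformanceCounter", "GetSystemTimeAsFileTime"}
ACTION_APIS = {"CreateRemoteThread", "WriteProcessMemory", "InternetConnectA"}

# Constructed trace (ms since start): two 5-minute sleeps bracketed by clock reads defer every action past budget.
CONSTRUCTED_TRACE = [
    (0, "GetTickCount", None),
    (5, "Sleep", 300_000),
    (300_010, "GetTickCount", None),
    (300_020, "Sleep", 300_000),
    (600_030, "GetTickCount", None),
    (600_040, "CreateRemoteThread", None),
    (600_050, "InternetConnectA", None),
]

def first_action_ms(trace):
    """Timestamp of the first action-class API call, or None."""
    return next((ts for ts, api, _ in trace if api in ACTION_APIS), None)

def analyze_trace(trace, budget_ms=SANDBOX_BUDGET_MS):
    """Return findings that point to stalling: long sleeps, timing checks
    around them, and real activity deferred until after the budget."""
    findings = []
    total_sleep = sum(arg for _, api, arg in trace if api in SLEEP_APIS and arg)
    clock_reads = sum(1 for _, api, _ in trace if api in CLOCK_APIS)
    if total_sleep >= budget_ms // 2:
        findings.append(f"stalling: {total_sleep // 1000}s asleep of a {budget_ms // 1000}s budget")
    if total_sleep and clock_reads >= 2:
        findings.append("timing check: clock read before and after sleeping")
    first = first_action_ms(trace)
    if first is not None and first >= budget_ms:
        findings.append(f"deferred activity: first action at {first // 1000}s, past the budget")
    return findings

def skip_sleeps(trace, cap_ms=1_000):
    """Emulate sleep skipping: charge each sleep at most cap_ms of wall-clock time
    and pull later events forward. The guest clock behind GetTickCount must advance
    by the skipped time too, or the sample's timing check exposes the skip."""
    shifted, saved = [], 0
    for ts, api, arg in trace:
        shifted.append((ts - saved, api, arg))
        if api in SLEEP_APIS and arg and arg > cap_ms:
            saved += arg - cap_ms
    return shifted
```

After `skip_sleeps`, the injection and network calls land at about 2 seconds instead of 10 minutes, so they fall inside the analysis window while the stalling finding itself is still recorded.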

Fragmentation

The malware splits into several components that only execute once they are reassembled.

Rootkits

The malware hides malicious code in the lower layers of the operating system where conventional sandbox technology can’t see it.

Suspended Activities

The malware postpones the following malicious actions while it is operating within a sandbox:

  • Injecting or modifying code within other applications
  • Establishing persistence and downloading additional code
  • Moving laterally across the network
  • Connecting to its C&C servers

User Action Required

The malware avoids doing anything malicious until a user performs a specific action (e.g., a mouse click, pressing a key, opening or closing a file, or exiting the program).

ROP Evasion

Return-Oriented Programming (ROP) lets malware run functionality inside another process without altering that process’s code. It does so by modifying the contents of the stack, the set of return addresses that tells the processor which segment of existing code to execute next.

Fileless Malware

Another advancement criminals have made is malware that doesn’t reside in a file. What makes fileless malware so challenging to detect is that these threats reside entirely in memory and remain hidden from most advanced malware detection tools. The most sophisticated versions of fileless malware are also able to disappear completely after reaching their objectives. By never writing anything to disk, and then wiping themselves from memory when done, this ultra-evasive type of malware is extremely difficult to detect.

To learn more about how advanced malware avoids detection, please download our white paper.

Deep Content Inspection Detects Advanced Malware

Lastline Defender™ detects advanced malware that can easily evade sandboxes and other advanced security controls. Those products can only monitor the interaction between an object and the operating system, which significantly limits their visibility into malicious behavior. This means they cannot see what is occurring within the malware itself, nor within other programs, the operating system, or kernel functions.

Lastline’s Deep Content Inspection™ technology imitates a complete operating system and hardware environment. This enables 100 percent visibility into the malware, all programs and services it invokes, all operating system functions, and all kernel activity. It analyzes the actions of everything that occurs, including all CPU instructions, memory locations accessed, devices used, and network connections.

This visibility means malware can’t execute a behavior that we can’t see. Deep Content Inspection enables Lastline to detect malware actions that other technologies miss, such as:

  • Internal stalling that a sandbox can’t observe
  • Malicious actions performed by the operating system or rootkits
  • Encryption of communication with C&C infrastructure
  • Return-Oriented Programming (ROP)
  • Fragmentation of malware into different files that only execute when reassembled
  • Anomalies in the behavior of the object or system that may indicate an evasion technique

In addition, Lastline Defender:

  • Remains Hidden from Malware – Unlike sandbox technologies that rely on virtual machine technology that advanced malware can detect, Deep Content Inspection looks like a complete host. This makes it very difficult for malware to discover.
  • Is Not Dependent on Signatures – Deep Content Inspection relies on behavior analytics and not signatures. It’s effective against zero-day and other unknown variants of older attacks where signatures don’t exist.
  • Has No Dependencies on Specific Versions of O/S or Applications – Many sandbox products require the installation of specific versions of applications to detect malware that could exploit those versions. Deep Content Inspection sees exploit preparation regardless of the version of the application being targeted. It can detect malicious behavior without creating sandbox images of every possible combination of O/S and applications.
  • Analyzes Dormant Code – Sandboxes can’t detect a malicious block of code in the malware if it doesn’t execute during the analysis period. Deep Content Inspection can detect dormant functionality because it statically matches and correlates patterns of code with known malware. This capability enables the detection of functionality that would be executed under certain conditions, even when the execution path invoking that behavior is not taken during analysis.

Learn More – Watch our webinar on how to protect your network from malware that’s designed to evade detection.
