
What is Evasive Malware and How Big a Threat is It?


How do you eliminate a threat if you don’t know it’s there? Threat actors are increasingly building evasive tactics into their malware, and traditional cyber security solutions are having a hard time detecting it. By the time you realise you’ve been hit by evasive malware, your systems will have been compromised for a long while.

It’s important to know your adversary and understand how they operate in order to formulate appropriate countermeasures. That’s why we’re publishing this blog post. We hope to educate you about evasive malware: what it is, what level of threat it poses, what evasive tactics it employs, and what you can do to prevent it from taking hold of your systems.

What is evasive malware?


As its name implies, evasive malware is any kind of malware that avoids detection by antivirus software, EDRs (Endpoint Detection and Response solutions), XDRs (Extended Detection and Response solutions), and other cyber security solutions. It does so by employing tactics such as sandbox evasion, process injection, time-based evasion, Office macros, living-off-the-land, obfuscation, and many others.

We’ll discuss a few of these evasion techniques later in this article to give you an idea of how these miscreants manage to avoid detection.

Just how big a threat is evasive malware?


Depending on its “actions on objectives”, or main goal, whether that is data theft, sabotage, encryption or something else, malware can take anywhere from a few seconds to months to achieve what it has been programmed to do. Whatever that goal is, it takes time to complete. The longer malware can stay under the radar, therefore, the higher its chance of achieving it.

That’s why evasive tactics are so lethal: they buy the malware enough time to complete its goal. No matter how good your cyber security solutions are at eliminating threats, if they can’t detect those threats in time, your organisation is going to sustain significant damage. For example, if the malware’s actions on objectives are to steal personal data, you could end up with a lawsuit and a penalty-inducing data breach on your hands.

Common evasive tactics used by malware


Malware authors have a variety of evasion tactics in their toolbox. Here are two of the most widely used.

Sandbox evasion

The most common evasion tactic is perhaps sandbox evasion. In the context of malware detection, a sandbox is an isolated holding area for unknown files that have just been introduced into a system, and it is used by many cyber security solutions. These solutions put unknown software in the sandbox and analyse it for signs of malicious behaviour. If the software exhibits malicious behaviour, it’s classed as malware and appropriate actions (e.g., file deletion or quarantine) are taken.

While sandboxes work well against regular malware, they’re ineffective against malware with sandbox evasion capabilities. Evasive malware can scan its surroundings for signs of a sandbox and simply lie dormant until the sandbox times out. A file can’t be kept in a sandbox forever, because there are always other files to analyse. So, once the sandbox times out on a piece of evasive malware, that malware can wake up and run its attack.
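One defensive answer to this stalling trick, as an added example that is not from the original post or from any vendor: an analysis sandbox that hooks the sample's sleep calls and fast-forwards a virtual clock, so the sample "wakes" inside the analysis window and its oversized sleep request is itself logged as an indicator. The sandbox class, the sample stub and the thresholds are all constructed for illustration.

```python
"""Sleep-skipping analysis clock (added illustration, not HTL Support's or any
vendor's code). A sample that asks to hibernate past the analysis window has its
clock advanced instantly, so what it does after 'waking' is still observed, and
the oversized sleep request itself becomes an indicator."""
from dataclasses import dataclass, field


@dataclass
class SkippingSandbox:
    window_seconds: float             # real analysis budget the sandbox has
    stall_threshold: float = 60.0     # a single sleep longer than this is noted
    virtual_clock: float = 0.0        # time as the sample perceives it
    requested_sleep: float = 0.0      # total sleep the sample has asked for
    events: list = field(default_factory=list)

    def sleep(self, seconds: float) -> None:
        """Hooked sleep: advance the sample's clock instead of really waiting."""
        self.requested_sleep += seconds
        self.virtual_clock += seconds
        if seconds > self.stall_threshold:
            self.events.append(f"long_sleep:{seconds:.0f}s")

    def record(self, behaviour: str) -> None:
        """Behaviour the sample shows after waking, stamped with its virtual time."""
        self.events.append(f"t={self.virtual_clock:.0f}s {behaviour}")

    def verdict(self) -> str:
        stalled = self.requested_sleep > self.window_seconds
        acted = any(e.startswith("t=") for e in self.events)
        if stalled and acted:
            return "malicious: stalled past analysis window, then acted"
        if stalled:
            return "suspicious: stalled past analysis window"
        return "no stalling observed"


def constructed_stalling_sample(sb: SkippingSandbox) -> None:
    """Constructed stand-in for the hibernating sample described above."""
    sb.sleep(15 * 60)                        # 15 minutes, longer than most sandboxes run
    sb.record("post_hibernation_activity")   # placeholder for whatever it does next


def analyse(window_seconds: float = 300.0) -> SkippingSandbox:
    """Run the constructed sample under a sandbox with the given real-time budget."""
    sb = SkippingSandbox(window_seconds=window_seconds)
    constructed_stalling_sample(sb)
    return sb
```

Calling `analyse().verdict()` with the default five-minute budget returns the "malicious" verdict, because the sample asked for 15 minutes of sleep and then acted at virtual time 900 s.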

Obfuscation

Obfuscation is an evasion tactic malware uses to counter signature-based detection. In signature-based detection (the kind traditional antivirus software used to rely on), anti-malware software compares the signature of an unknown file against the known malware signatures in its database. If a signature matches, the unknown file is considered malware.

Evasive malware that uses obfuscation alters the contents or make-up of its file (e.g., through encryption, packing or encoding) to make it unrecognisable to signature-based anti-malware solutions. When these solutions scan an obfuscated malicious file, they can’t match it to any known signature and so fail to recognise it as malware.
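To make concrete why a re-encoded file slips past signature matching, here is an added example (not code from the original post or from any vendor) that compares a hash-signature lookup with a byte-entropy heuristic on a constructed sample; the sample bytes, the key and the 7-bit threshold are assumptions for illustration.

```python
"""Signature matching versus a content heuristic (added illustration, not the
page's or any vendor's code). A hash signature for a constructed 'known bad' file
misses a re-encoded copy, while a byte-entropy check, the simple heuristic that
packer and crypter detectors lean on, still flags the encoded copy."""
import hashlib
import math
from collections import Counter

# Constructed stand-in for a known-bad file body; not real malware.
KNOWN_BAD = b"CONSTRUCTED SAMPLE: pretend this is a known malicious executable body. " * 30
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}
HIGH_ENTROPY_BITS = 7.0   # plain code and text sit well below; packed/encrypted near 8


def signature_match(data: bytes) -> bool:
    """Classic signature check: exact hash lookup, defeated by any byte change."""
    return hashlib.sha256(data).hexdigest() in SIGNATURE_DB


def keystream_encode(data: bytes, key: bytes) -> bytes:
    """Toy obfuscation stand-in: XOR with a hash-derived keystream, so the hash
    changes and the bytes look random, as packed or encrypted payloads do."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer (0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes) -> dict:
    """Both detection views side by side for one file."""
    entropy = shannon_entropy(data)
    return {
        "signature_hit": signature_match(data),
        "entropy": round(entropy, 2),
        "looks_packed": entropy >= HIGH_ENTROPY_BITS,
    }


if __name__ == "__main__":
    print("original:", assess(KNOWN_BAD))
    print("encoded: ", assess(keystream_encode(KNOWN_BAD, b"constructed-key")))
```

The original body hits the signature and shows text-like entropy; the encoded copy misses the signature entirely but its near-8-bit entropy is exactly what a packer heuristic looks for.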

Tips for countering evasive malware


While evasive malware is hard to detect, it’s not completely unstoppable. Here are some of the things you can do to prevent it from establishing a beachhead in your systems.

Exercise proper patch management

I know this sounds cliché, but patching really does mitigate the risk of a malware infection, even when you’re dealing with evasive malware. Before any kind of malware can infect your system, it needs a way in, e.g., a trojan sent via email, social engineering, phishing, or, yes, an exploited vulnerability in unpatched software. By patching your systems, you can prevent evasive malware from infiltrating them through vulnerability exploits.

Use cyber security solutions that work against evasive malware

While most cyber security solutions are ineffective against evasive malware, there are a few exceptions. Minerva Labs and Cyren are two of them. You can purchase these solutions to bolster your defences against evasive malware.

Hire an IT support service provider with cyber security expertise

Some organisations don’t have the in-house talent to deploy, configure and manage a cyber security solution. Small businesses, for instance, usually don’t have dedicated IT teams to begin with. If you’re in that situation, you can hire an IT support provider that offers cyber security services to help you out.

The right provider can take charge of choosing a suitable solution as well as deploying and administering it, and can even offer supplementary guidance on countering evasive malware.
