The most prevalent malware behaviors and techniques

An analysis of 100,000+ Windows malware samples has revealed the most prevalent techniques used by malware developers to successfully evade defenses, escalate privileges, execute the malware, and assure its persistence.

Malware tactics and techniques

The analyzed malware samples were most often delivered via malicious email attachments featuring macro-enabled documents, Windows shortcut files (LNK), ISO/VHD containers, and MSI installers.

It should now come as a surprise that defense evasion is by far the most common tactic employed by malware, as its effectiveness is contingent upon not getting blocked and/or noticed by security solutions and security teams.

“[The primary defense evasion techniques] are associated with code injection, defense tampering, masquerading, and system binary proxy execution,” Samir Bousseaden, a detection engineer with Elastic Security Labs, has noted.

Currently popular sub-techniques include:

• DLL side-loading
• Parent PID Spoofing
• Abuse of system binary proxies
• Masquerading as legitimate system binaries
• Use of malicious MSI installers
• Tampering with Windows Defender
• Process injection (of legitimate system binaries) and self-injection
• NTDLL unhooking (to bypass security solutions reliant on user-mode APIs monitoring)

Privilege escalation is most often achieved via access token manipulation, Bousseaden found.

Execution through privileged system services, bypassing User Account Control, mimicking trusted directories, and the use of vulnerable drivers are popular techniques.

Malware is often executed by taking advantage of Windows’ default command and scripting languages (PowerShell, Javascript, VBscript), though “there has been a slight uptick in the shift towards using other third-party scripting interpreters like Python, AutoIt, Java and Lua.”

Attackers also like abusing Windows Management Instrumentation (WMI), a legitimate IT administration tool, to execute malicious payloads.

To make sure the malware keeps a foothold on compromised Windows machines, malware creators most often make it:

• Create scheduled tasks (to make it run at specific times or after a specified time interval)
• Use Registry run keys or add a program to a startup folder (to make the malware execute when the user logs in)
• Create a Windows service (to repeatedly execute the malware on the system)

Insights can help improve detection

While acknowledging that the malware dataset they analyzed is limited in size, engineers can still use the findings to improve malware detections, Bousseaden noted.

Many of the spotted behaviors are similar to those typical for legitimate software, so defenders should combine multiple detections for specific behaviors and additional signals to reduce false positives, he concluded.