Malware Evasion Techniques Used by its Creators

Cybercriminals are always looking for new ways to become invisible to threat detection. The more security systems advance, the more complex their evasion techniques become. These evasion techniques can hide malicious indicators and behavior from detection. There are many techniques threat actors use, such as data encryption, obfuscation and injection. Here are just some of the evasion strategies they use, sometimes in combination.

Sandbox evasion

Sandboxes are a challenge for malicious programs. Businesses use sandboxes to provide malware with a place to ‘act’ while they perform application-level checks. Dynamic scanning is the process of detonating URLs and files in an isolated environment to detect the execution of malicious code. Now malware can be programmed to detect sandbox user names. Anti-sandboxing means malware can detect when it is analyzed and hold off on executing until it is out of sight. 

Challenges in preventing malware attacks include the use of traditional sandboxes, which result in low detection rates of malware. Legacy sandboxes don’t offer complete protection because bad actors know how to evade dynamic scanning. Perception Point has threat detection software solutions that use a next-generation sandboxing approach. 

Timing-based methods

Some malicious programs have delayed execution times so they can avoid detection inside virtual machines. The malware stays idle, so it defeats timer-based recognition. If the malware performs the delay internally without calling the OS sleep function, sandboxes can’t detect the evasion. 

  • Extended sleep: Malware can stop execution and escape sandbox analysis by calling for an extended sleep of about 10 minutes. 
  • Logic bomb: The malware schedules its execution for a certain date and time. 

Some popular banking Trojans wait for an internet browser to launch and redirect to a bank’s website. Only then does the program wake up and apply a credential API hook sub-technique to capture user input. 

User action-required delays

This tactic delays the malicious activity until a specific user action, such as a mouse click or opening a file or app, takes place. The malware is developed to execute on detecting the action. Most sandboxes don’t detect malware waiting on user action. 


Another technique splits the malware into fragments, which only execute once the targeted system reassembles them. Virtualized sandboxes typically look at each fragment separately, and the fragments appear harmless on their own.

Code obfuscation, encryption or compression

Packers will encrypt, compress or change the format of the malicious file to avoid detection. This is a very popular technique because it makes it difficult to reach the original code and analyze it. The malicious content is buried deep inside files. Encryption prevents detonation in basic sandbox solutions and scanning of content.
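Encrypted or compressed regions look close to random, which gives defenders a cheap triage signal for packed files. The sketch below is an added example, not code from the original article: it measures Shannon entropy over fixed windows of a buffer, and the 1024-byte window, the 7.2 bits/byte threshold and the sample buffer are assumptions chosen for illustration. High entropy is only a hint, since legitimate archives and media are also compressed.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())

def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.2):
    """Return (offset, entropy) for every full window at or above the threshold."""
    hits = []
    for offset in range(0, len(data) - window + 1, window):
        entropy = shannon_entropy(data[offset:offset + window])
        if entropy >= threshold:
            hits.append((offset, round(entropy, 2)))
    return hits

# Constructed sample: 2 KiB of ordinary text followed by 2 KiB of pseudo-random
# bytes standing in for an encrypted or compressed region.
PLAIN = (b"The quick brown fox jumps over the lazy dog. " * 64)[:2048]
PACKED_LIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(64))
SAMPLE = PLAIN + PACKED_LIKE

if __name__ == "__main__":
    print("whole buffer:", round(shannon_entropy(SAMPLE), 2))
    for offset, entropy in high_entropy_windows(SAMPLE):
        print(f"offset {offset:#06x}: {entropy} bits/byte")
```

Scanning per window rather than per file matters because a small packed region inside a large benign file barely moves the whole-file average.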

A form of obfuscation is to trick users into opening an executable under the guise of a harmless PDF. Opening up the executable runs malicious code in the background. 

Antivirus software uses databases containing previously reported files to identify a file signature. If it finds the signature in the database, it identifies the file as malware. Today bad actors can easily evade detection by modifying code, so that it receives a new signature and is not detected. Any type of malware not in the database won’t be detected, which negatively impacts your digital security measures.

Return-oriented programming (ROP)

In this evasion tactic, bad actors take control of the call stack. This enables them to control the flow of trusted software that is already running, so they can manipulate it for their own purposes. They inject functionality but do not alter the actual code. Execution of the malicious logic is delegated to other programs rather than to the malware program itself, so it is hidden from conventional detection. This allows the bad actor to execute code in the presence of security defenses.

Fileless malware

Fileless malware uses legitimate programs to infect a computer. As it doesn’t rely on files, it leaves no footprint, so it is challenging to detect and remove. It can evade all but the most sophisticated security solutions. It operates in memory, so it doesn’t touch the hard drive. Fileless attacks often use social engineering to get users to click on a link or attachment in a phishing email. They can make their way from one device to another to gain access to valuable data across an enterprise network.

A rootkit

A rootkit is an application that hides malicious code in the lower OS layers. It can sometimes be a single piece of software, but more often, it’s made up of various tools that allow bad actors admin-level control over a device. The most common way to install a rootkit is through a social engineering attack. Victims will unknowingly download and install malware that hides within the other processes that run on their computers. This means the malicious actions are generally not detected. 

Detonating files on different operating systems

Bad actors will look for vulnerabilities in Microsoft Word or Excel files that exist only in a Mac environment. They know that dynamically scanning and detonating files on both Windows and Mac isn’t a feature of most security programs. The bad actors will take advantage of the macOS vulnerabilities while the security program is scanning for Windows threats.


Another technique involves hiding malicious code in images. This kind of payload is efficient because it is hidden in the extra-data portion of an image. Most users don’t believe that a simple image file can be dangerous, which is what can make this tactic really effective. The script can download harmful payloads and automatically run malicious programs. As the method disperses the executable code across the image file, much antivirus software struggles to detect it.
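A structural check can surface the "extra data" described above without decoding any pixels. This added example is not from the original article: it walks the chunk list of a PNG file and reports chunk types outside the PNG specification and any bytes stored after the final IEND chunk. The sample images, the private chunk name "xxDa" and the filler bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification; anything else is reported.
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
                   b"sRGB", b"iCCP", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs",
                   b"sBIT", b"sPLT", b"hIST", b"tIME"}

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def inspect_png(data: bytes) -> dict:
    """Walk the chunk list; report non-standard chunks and bytes after IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"nonstandard_chunks": [], "trailing_bytes": 0, "complete": False}
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            break                        # truncated chunk: complete stays False
        if ctype not in STANDARD_CHUNKS:
            report["nonstandard_chunks"].append((ctype.decode("latin-1"), length))
        pos = end
        if ctype == b"IEND":
            report["complete"] = True
            report["trailing_bytes"] = len(data) - pos
            break
    return report

# Constructed sample: a valid 1x1 grayscale PNG, then the same image with a
# made-up private chunk ("xxDa") and 64 filler bytes appended after IEND.
IHDR = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
IDAT = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
IEND = make_chunk(b"IEND", b"")
CLEAN = PNG_SIGNATURE + IHDR + IDAT + IEND
SUSPECT = PNG_SIGNATURE + IHDR + make_chunk(b"xxDa", b"A" * 16) + IDAT + IEND + b"B" * 64

if __name__ == "__main__":
    print(inspect_png(CLEAN))
    print(inspect_png(SUSPECT))
```

Image viewers stop rendering at IEND and skip chunks they do not recognise, so both findings are invisible to the user; neither proves malice on its own, but both are worth routing to deeper analysis.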


Some simple evasion techniques include using a web proxy to hide a source IP address or malicious traffic. But increasingly complex techniques are emerging every day. This means that too many threats can evade existing protection and land in the inboxes of users. The importance of digital security is becoming more evident every day. Organizations today need to take a multi-layered approach to security and use a multi-engine approach for analyzing suspicious files.