Immerse yourself in the evolution of phishing and malware evasion techniques and understand how attackers are using increasingly sophisticated techniques to bypass security measures.
The evolution of phishing attacks
“I really like the saying ‘that’s out of bounds,’ said no hacker ever. Whether it’s tricks, techniques or technology, hackers will do anything to avoid detection and ensure their attack is successful,” says Etay Maor, chief security strategist at Cato Networks and a member of Cato CTRL. Phishing attacks have changed a lot over the years. 15-20 years ago, simple phishing sites were enough to capture the most valuable data of the time: credit card details. Today, both attacks and defenses have become far more sophisticated, as discussed below.
“This is also when the attack-defense cat-and-mouse game began,” says Tal Darsan, security manager and Cato CTRL member. At the time, the primary defense against credit card phishing sites was to flood them with large volumes of fake card numbers, in the hope of burying the real details in noise so the attackers could not pick them out.
Threat actors adapted by validating the submitted data: applying the Luhn algorithm to check that a card number is well-formed, verifying issuer information via the bank identification number (BIN), and performing micro-donations to confirm that a card was active.
Here’s an example of how attackers verified credit card numbers entered on phishing sites:
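The example that followed this sentence does not survive in this text. As an added illustration (not the attackers’ code from the webinar), the Python below applies the same two filters the text names, a Luhn checksum and a BIN prefix lookup, to captured form posts; these are the checks a DLP sensor uses to tell a plausible card number from noise, and they show why flooding a kit with random digits stopped working. The sample posts and the three-network BIN table are constructed for the demo.

```python
import re

# Constructed sample: form posts as a DLP sensor might capture them.
# None of these are real cards; the two "valid" ones are a textbook test
# number and a number built to pass the checksum for this demo.
SAMPLE_POSTS = [
    "cc=4539578763621486&exp=12/27",  # passes Luhn, Visa BIN range
    "cc=4539578763621487&exp=12/27",  # last digit changed: checksum fails
    "cc=5105105105105100&exp=01/26",  # passes Luhn, Mastercard BIN range
    "cc=1234567890123456&exp=01/26",  # arbitrary digits: checksum fails
]

def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum: double every second digit from the right,
    subtract 9 from doubled values above 9, and require a total divisible by 10."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def issuer_from_bin(pan: str) -> str:
    """Coarse issuer lookup from the leading digits (a real check uses a full BIN table)."""
    if pan.startswith("4"):
        return "visa"
    if pan[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if pan[:2] in {"34", "37"}:
        return "amex"
    return "unknown"

def triage_posts(posts):
    """Return (pan, issuer, plausible) per post; 'plausible' means the number
    survives both filters, which a flood of random digits almost never does."""
    results = []
    for post in posts:
        m = re.search(r"cc=(\d{12,19})", post)
        if m:
            pan = m.group(1)
            issuer = issuer_from_bin(pan)
            results.append((pan, issuer, luhn_valid(pan) and issuer != "unknown"))
    return results
```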
Methods of hindering researchers
As phishing evolved, attackers added anti-research techniques to stop security analysts from studying and disrupting their operations. Common strategies included blocking an IP address after a single visit, so that the phishing site appeared to have been taken down, and detecting proxy servers, since investigators often work through proxies.
Attacker code that allows each IP address a single visit:
Attacker code that detects a proxy:
Over the past decades attackers have also randomized the folder structure of their URLs, making it harder for researchers to track phishing sites by the common directory names used in phishing kits. This can be seen in the image below:
Evading antivirus
Another way to evade security measures in the past was to alter a malware sample’s signature with encryption (crypter) services, rendering it undetectable to signature-based antivirus. Here is an example of such a service that was once very popular:
Evading device verification
Let’s move on to more modern evasion methods. The first is a phishing attack that collects detailed device information from the victim, such as the Windows version, IP address, and installed antivirus software, so that the attacker can impersonate the victim’s device more convincingly.
This data helps attackers bypass security checks such as device ID verification, which organizations like banks use to confirm legitimate logins. By replicating the victim’s device environment (e.g. Windows version, media player details, hardware specifications), attackers avoid raising suspicion when logging in from a different location or device.
Some dark web services even provide pre-configured virtual machines that mirror the victim’s device profile (see image below), adding a layer of anonymity for attackers and giving them more reliable access to compromised accounts. It shows how data collection and customization have become an integral part of criminal operations.
Evading anomaly detection
In another case, defenders encountered a gang using malware to exploit live banking sessions: the malware waited for the victim to log in and then quickly executed unauthorized transactions. The problem was that these actions appeared to come from the victim’s own authenticated session, making them hard to detect.
This led to a cat-and-mouse game between attackers and defenders:
- Defenders initially introduced speed checks, flagging transactions completed too quickly as likely fraudulent.
- In response, the attackers modified their code to mimic human typing speed by adding delays between keystrokes. This can be seen in the code below:
- When defenders adapted by adding random timing checks, attackers countered with variable delays that blended even more closely with legitimate behavior.
This illustrates the difficulty of detecting sophisticated automated bank fraud among legitimate transactions.
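As an added example (not code from the webinar), the following Python implements the two server-side checks the list above describes: a speed check on the median gap between keystrokes and a regularity check on how uniform those gaps are. The keystroke timestamps and thresholds are constructed for the demo.

```python
import statistics

# Constructed keystroke timestamps (milliseconds) for a 12-character field.
HUMAN = [0, 142, 231, 398, 476, 655, 702, 913, 1001, 1187, 1256, 1440]
# Scripted entry with no delay: every key lands about 1 ms after the last.
BOT_FAST = [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11]
# Scripted entry with a fixed 150 ms sleep: human speed, machine regularity.
BOT_FIXED = [0, 150, 300, 450, 600, 750, 900, 1050, 1200, 1350, 1500, 1650]

MIN_HUMAN_MEDIAN_MS = 60   # demo threshold: faster than this is not hand-typed
MIN_HUMAN_CV = 0.15        # demo threshold: gaps more uniform than this look scripted

def intervals(timestamps):
    """Gaps between consecutive keystrokes."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]

def assess_typing(timestamps):
    """Return (verdict, median_gap_ms, coefficient_of_variation).

    verdict is 'too_fast' (speed check), 'too_regular' (timing check),
    'human', or 'insufficient' when there are too few keystrokes to judge.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 3:
        return ("insufficient", 0.0, 0.0)
    median = statistics.median(gaps)
    mean = statistics.fmean(gaps)
    cv = statistics.pstdev(gaps) / mean if mean else 0.0
    if median < MIN_HUMAN_MEDIAN_MS:
        return ("too_fast", median, cv)
    if cv < MIN_HUMAN_CV:
        # A script that jitters its delays, as the text says attackers later
        # did, passes this check; treat it as one signal, not a verdict.
        return ("too_regular", median, cv)
    return ("human", median, cv)
```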
Evasive phishing attacks
Now let’s move on to the latest attacks. One of the more prominent attacks analyzed by Cato CTRL was a clever phishing campaign designed to impersonate Microsoft support. The incident began with a 403 error message that sent the user to a page titled “Microsoft Support,” complete with prompts to “get the help and support you need.” The page offered support options for Home or Business, but whichever option was selected, it redirected the user to a convincing Office 365 login page.
This fake login page was part of a social engineering scheme to trick users into entering their Microsoft credentials. The attack used psychological triggers, such as fake error messages and help desk prompts, to build credibility and exploit users’ trust in the Microsoft brand. It was a sophisticated phishing attempt that relied on social engineering rather than purely technical evasion.
Fraudulent redirect chain
In this follow-up analysis, Cato CTRL investigated a phishing attack that used elaborate redirection techniques to avoid detection. The process began with a fraudulent initial link disguised as a popular Chinese search engine, which bounced through several URLs (using HTTP status codes such as 402 and 301) before finally landing on a phishing page hosted on the InterPlanetary File System (IPFS). This multi-step redirect sequence complicates tracking and logging, making it harder for researchers to trace the true origin of the phishing page.
During the investigation, the Cato CTRL researcher found several evasion methods built into the phishing site’s code. For example, the page included Base64-encoded JavaScript that blocked keyboard interaction, preventing the researcher from accessing or directly analyzing the code. Further obfuscation tactics included breakpoints that, when developer tools were open, forced a redirect to the legitimate Microsoft homepage to block further inspection.
By disabling these breakpoints in Chrome’s developer tools, the researcher eventually bypassed the barriers and gained full access to the phishing site’s source code. The case highlights the multi-layered defenses attackers use to thwart analysis and delay detection: anti-sandboxing, JavaScript obfuscation, and redirect chains.
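As an added example (neither the researcher’s tooling nor the phishing kit’s code), this Python script statically unwraps atob()-wrapped inline scripts and flags the three anti-analysis behaviors described above: blocked keyboard input, debugger traps, and redirection to a legitimate Microsoft page. The sample HTML is constructed and embeds only a minimal stand-in for such a script.

```python
import base64
import re

# Constructed stand-in for the encoded anti-analysis script described in the text.
_PAYLOAD = (
    "document.addEventListener('keydown', function(e){ e.preventDefault(); });\n"
    "setInterval(function(){ debugger; "
    "window.location.replace('https://www.microsoft.com/'); }, 500);\n"
)
# Constructed page: a login form plus the payload wrapped in eval(atob(...)).
SAMPLE_HTML = (
    "<html><body><form id='login'><input name='user'></form>"
    "<script>eval(atob('%s'));</script></body></html>"
    % base64.b64encode(_PAYLOAD.encode()).decode()
)

INDICATORS = {
    "keyboard_blocked": re.compile(r"keydown.*?preventDefault", re.S),
    "debugger_trap": re.compile(r"\bdebugger\b"),
    "redirect_to_legit_site": re.compile(
        r"location\.(?:replace|href|assign)\s*[(=]\s*['\"]https?://[^'\"]*microsoft\.com"),
}

def decode_inline_scripts(html):
    """Return each <script> body with atob('...') literals replaced by their decoded
    text, so patterns hidden behind base64 become visible to the indicator regexes."""
    def _decode(m):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
        except ValueError:
            return m.group(0)  # leave undecodable literals untouched
    bodies = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I)
    return [re.sub(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", _decode, b) for b in bodies]

def find_anti_analysis(html):
    """Names of anti-analysis indicators present in the page's inline scripts."""
    hits = set()
    for body in decode_inline_scripts(html):
        for name, pattern in INDICATORS.items():
            if pattern.search(body):
                hits.add(name)
    return hits
```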
Resource-based phishing detection
Attackers constantly adapt their own defenses to avoid detection. Researchers used to rely on static elements such as image resources and icons to identify phishing pages. For example, phishing sites targeting Microsoft 365 often copied the official logos and icons without changing their names or metadata, which made them easy to spot. Initially, this consistency gave defenders a reliable detection method.
However, threat actors have adapted by randomizing almost every element of their phishing pages.
To avoid detection, attackers now:
- Randomize resource names – Image and icon file names, which used to be static, are heavily randomized on every page load.
- Randomize page titles and URLs – Titles, subdomains and URLs change constantly, producing new random strings each time the page is accessed and making tracking harder.
- Deploy Cloudflare challenges – These challenges ensure that a human, not an automated scanner, is accessing the page, which hampers automated detection by security tools.
Despite these techniques, defenders have found new ways to counter these evasions, although it remains a constant game of adaptation between attackers and researchers.
The master class covers many other malware and phishing attacks and how they evade traditional measures, including:
- Malware payload delivery.
- HTML files in phishing emails that launch multi-stage malware downloads using password-protected zip files.
- File smuggling and magic byte manipulation.
- SVG smuggling and B64 encoding.
- Use of trusted cloud applications (e.g. Trello, Google Drive) for command and control, to avoid detection by standard security systems.
- Prompt injections embedded in malware to mislead AI-based malware analysis tools.
- Repurposing the TDSSKiller rootkit removal tool to disable EDR services, specifically Microsoft Defender.
- Telegram bots as a channel for receiving stolen credentials, letting attackers quickly stand up new drop zones as needed.
- Generative AI used by attackers to streamline the creation and propagation of attacks.
- Network-based threat detection without endpoint agents.
What’s next for defenders?
How can defenders gain an advantage in this constant game of cat and mouse? Here are some strategies:
- Phishing training and security awareness – While awareness training is not foolproof, it increases the likelihood that cyberthreats are recognized and stopped.
- Credential monitoring – Tools that analyze login patterns can proactively block potentially malicious activity.
- Machine learning and threat detection – Advanced tools to identify sophisticated threats.
- A single threat hunting platform – One converged platform (rather than multiple point solutions) for advanced threat detection. This includes network-based threat detection without endpoint agents and network traffic analysis to detect IoCs.
- Reducing the attack surface – Proactively shrink the attack surface by auditing firewalls, adjusting configurations, and regularly reviewing security settings. Eliminating misconfigurations and following vendor recommendations helps protect the organization from emerging threats.
- Avoiding platform bloat – Multiple chokepoints along the kill chain are critical, “but that doesn’t mean adding a lot of point solutions,” emphasizes Maor. “A converged platform with one interface that can actually look at everything: the network, the data, through a one-pass engine that goes through every packet and understands whether it’s malicious or not.”