ATP TEST: concealed attacks of ransomware and info stealers
Cyber attackers are constantly tweaking new attack techniques, honing existing ones or combining them into an attack wave. In the latest Advanced Threat Protection test (ATP), the experts from AV-TEST examined how well protection products detect and fend off the newly developed attacks. In the test lab, 6 products for consumer users and 8 solutions for corporate users demonstrated how well they can parry attacks. In the test, attackers with ransomware and info stealers harnessed the techniques of dynamic API resolution, DLL sideloading, PowerShell ScriptBlockAst command concealment, cloaking themselves in known Windows tools. The test indicates that some protection products are hard put to deal with the attack techniques and cannot always withstand the attacks.
In the Advanced Threat Protection tests (ATP), it's not strictly about detection of an attacker. Rather, the object of the evaluation is to determine whether a security product can combine its existing protection components in such a way that it can even detect and fend off concealed attacks. The current evaluation involved 6 security packages for consumer users and 8 security solutions for corporate users. The test took place from July to August 2024 under Windows 10.
The line-up of products for consumer users in the Advanced Threat Protection test included Avast, AVG, F-Secure, McAfee, Microsoft and NPAV. Among the solutions for corporate users climbing into the ring were the products from Avast, Check Point, Kaspersky (with 2 versions), Microworld, Qualys, Trellix and WithSecure.
In the ATP test, 5 samples each of ransomware and 5 samples of info stealers launch attacks in 10 realistic attack scenarios. The attackers deploy special techniques, individually or even in combination with each other. In a few paragraphs below, we'll explain the technical background.
The result of the test shows that not every security product succeeds in facing off against the attackers. The test also shows, however, that there are products which, faced with the most insidious scenario conceivable, act clearly and decisively and thus fend off every attacker.
Attack techniques used by malware
Cyber gangsters are constantly working on new techniques to plant their destructive malware on users' systems. The lab knows these techniques and unleashes malware according to the same attack patterns as observed daily in the IT world. The techniques are deployed either individually or in combination. Here is the technical background:
Dynamic API resolution: Malware calls the API functions that Windows provides to every application, but the calls are obfuscated and resolved only at runtime in order to conceal the malware's functionality. This makes analysis more difficult for security products. To obfuscate the API calls even further, malware frequently resolves API functions by hash, or stores strings encrypted so that they have to be decrypted during execution. In the recent test, the file handling operations mainly go through the internal Windows system API (ntdll.dll), with functions resolved at runtime. This conceals the attack and makes detection more difficult.
DLL sideloading: Here, attacks capitalize on typical programming errors in standard software. A malicious DLL is copied into the application directory, and the application loads it without noticing the substitution. The process then carries out the attackers' specified commands and, in doing so, appears normal and harmless. In the test, an executable file from GoToMeeting (g2mupload.exe) and the Windows tool RunOnce (runonce.exe) are used to load the malware DLL via sideloading.
PowerShell ScriptBlockAst command concealment: For programmers, ScriptBlockAst is a sort of road map for a PowerShell script. Attackers ensure that dynamically generated attack code is not revealed in the map. This means that defensive programs cannot analyze the code and thus have greater difficulty detecting it. In the recent evaluation, a link file executes PowerShell code that uses ScriptBlockAst to conceal its intentions, because the next step carries out a malware activity.
Renaming of tools: Malware renames Windows system tools to avoid detection by security software, which monitors certain file names and processes. Using this method, malware can even exploit application whitelisting and conceal itself among legitimate processes. In the test, the Windows tools Curl and RunOnce are copied, renamed and used for the download and the sideloading of a malware sample.
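The two techniques above (DLL sideloading and renamed Windows tools) leave traces that endpoint telemetry can pick up: a renamed copy of curl.exe or runonce.exe still carries its original name in the PE version resource, and a sideloaded DLL is typically unsigned and sits in the host application's own directory. The following Python script is an added example, not code from AV-TEST or from any product in the test; it runs two such checks over constructed Sysmon-style events (process creation, EventID 1, and image load, EventID 7), whose field names are assumed to follow Sysmon's schema.

```python
import ntpath

# Constructed Sysmon-style events (not real telemetry). EventID 1 = process create,
# EventID 7 = image load; field names follow Sysmon's schema.
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe", "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\svc.exe", "OriginalFileName": "curl.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\update.exe", "OriginalFileName": "RUNONCE.EXE"},
    {"EventID": 7, "Image": r"C:\Users\Public\g2mupload.exe",
     "ImageLoaded": r"C:\Users\Public\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\Public\g2mupload.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\plugin.dll", "Signed": "true"},
]

# Windows tools whose renamed copies the article describes being abused.
WATCHED_TOOLS = {"curl.exe", "runonce.exe"}
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

def renamed_tool(event):
    """Flag a process whose PE OriginalFileName is a watched tool but whose on-disk name differs."""
    if event.get("EventID") != 1:
        return None
    original = event.get("OriginalFileName", "").lower()
    on_disk = ntpath.basename(event["Image"]).lower()
    if original in WATCHED_TOOLS and on_disk != original:
        return f"renamed tool: {event['Image']} is really {original}"
    return None

def sideload_candidate(event):
    """Flag an unsigned DLL loaded from the host process's own directory, outside system dirs."""
    if event.get("EventID") != 7:
        return None
    dll = event["ImageLoaded"]
    dll_dir = ntpath.dirname(dll).lower()
    if event.get("Signed", "").lower() == "true" or dll_dir.startswith(SYSTEM_DIRS):
        return None
    if dll_dir == ntpath.dirname(event["Image"]).lower():
        return f"possible sideload: {event['Image']} loaded unsigned {dll}"
    return None

def scan(events):
    """Run both checks over an event stream and return the alert strings."""
    alerts = []
    for ev in events:
        for check in (renamed_tool, sideload_candidate):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in scan(EVENTS):
        print(alert)
```

On the constructed events the script raises three alerts: two renamed tools and one sideload candidate, while the signed loads and the genuine System32 curl.exe pass.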
The lab performs all 10 realistic attacks on Windows test PCs, each with an installed security solution. In doing so, all the steps during the detection and defense of each attack scenario are noted and later described according to the MITRE ATT&CK standard. For ransomware there are three key steps to recognize; for info stealers there are four actions. The lab awards a half or full point for each action that is fended off. This means that a product is able to earn 3 points five times for each detected and thwarted ransomware sample, and 4 points five times for the info stealers. Thus, the highest value a product is able to achieve in the protection score is 35 points.
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database for “Techniques”, for example “T1566.001” under “Phishing: Spearphishing Attachment”. Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.
Here’s how consumer user products performed in the ATP test
Among the 6 security packages for consumer users examined, 3 products passed the test completely error-free in all 10 scenarios and thus received the full 35 points for their protection score: F-Secure Total, McAfee Total Protection and Microsoft Defender Antivirus (Consumer).
While the product from NPAV detected the attackers in all 10 scenarios, in 4 cases – two with ransomware and two with info stealers – it was initially unable to stop the attack. Only through the use of additional protection modules was it possible to thwart the attack. However, the executable files of the attacker remained on the system in the aftermath of the attack. For these errors, the lab deducted half a point a total of 8 times, leaving NPAV with only 31 out of 35 possible points when it comes to the protection score.
The products from Avast and AVG struggled with the same problems in the test: They each did not detect one ransomware sample and one info stealer. Afterwards, the data was encrypted or exfiltrated and thus stolen. As a result, each product lost 7 points – 3 points in one instance and 4 points in another – for the protection score, leaving 28 out of 35 points in the end.
In order for a protection package to receive from AV-TEST the “Advanced Certified” certificate in the test, it was required to achieve at least 75 percent (26.5 points) of the maximum 35 points of the protection score. All 6 consumer user products in the test were successful at this.
Here’s how corporate user products performed in the ATP test
8 solutions for corporate users also took part in the advanced ATP test. A total of 5 products achieved the maximum 35 points for their protection score, thanks to their error-free protection performance: Kaspersky's Endpoint Security and Small Office Security, Microworld eScan Enterprise EDR, Trellix Endpoint Security and WithSecure Elements Endpoint Protection.
While Check Point's protection solution detected the attackers in all 10 scenarios, in 2 cases with ransomware, the product was not able to completely prevent the attack. In further defensive steps, the solution then held up large-scale encryption, but individual files were ultimately encrypted. This cost the product a total of 2 points in the evaluation, and it ended up with 33 out of 35 points.
The Qualys solution for the endpoint identified only 9 out of 10 attacks, allowing an info stealer to steal all the data, causing the product to lose all 4 points in this case. Added to this was another ransomware attack that was detected but not completely stopped. In the end, individual files were encrypted and an additional 1.5 points were lost. The Qualys protection score was therefore still 29.5 out of 35 points.
Avast's business solution reacted to only 8 out of 10 attacks in the test. A ransomware and an info stealer each wreaked havoc in the system, stealing or encrypting data. The product therefore lost a total of 7 points for its protection score and ended up with 28 points at the bottom of the table.
In order for a product to receive from AV-TEST the “Advanced Approved Endpoint Protection” certificate in the ATP test, it was required to achieve at least 75 percent (that is 26.5 points) of the maximum 35 points of the protection score. All the products tested exceeded this value.
Realistic scenarios and good defense
Cyber attackers try to penetrate users' systems in every conceivable way. The techniques deployed are not easy to detect for some protection products. This means that some attacks cannot be prevented. However, the current test also shows that there are products that can handle any attack and make attackers come up empty-handed. In terms of protection packages for private users, these are the products from F-Secure, McAfee and Microsoft. Among the solutions for corporate users, the products from Kaspersky (with 2 versions), Microworld, Trellix and WithSecure demonstrate perfect resistance.
All other products evaluated cannot be satisfied with their results and need to further refine their detection and ability to take countermeasures. The ATP tests provide vital insights in this respect and also assist the manufacturers towards product improvement.