There are several modules within the Minerva toolset, including Hostile Environment Simulation, Memory Injection Prevention, Malicious Document Prevention and Ransomware Protection. Two more, Endpoint Vaccination and Critical Application Protection, are being worked on and should deploy over the next several months. All of them work together to deceive malware about the environment it is running in.
Almost all environmentally aware malware knows to look for key indicators that confirm it is running inside a sandbox. Minerva feeds it those indicators, convincing it that it has been placed inside a sandbox and thereby prompting it to hide and sleep, or to outright destroy itself. Those deceptive responses fed to the malware by Minerva don't disrupt legitimate programs, which never look for such indicators. Each time the Minerva Platform successfully interacts with a program in this way, thereby spotlighting it as malware, an alert is sent to the main console, or to a SIEM if the host organization is so equipped.
For example, malware trying to inject code into memory will make an API call to access that memory. Minerva intercepts the call and can return a bogus response, either access denied or no such asset exists. Not only is the malware blocked from activating at that point, the bogus response also signals to environmentally aware programs that they are running in a sandbox or test environment. That is not true, but if the malware believes it, it will go into sleep mode or possibly destroy itself.
To test out the software, we equipped an endpoint as a virtual machine (VM) with McAfee Total Protection antivirus and gave it all the latest upgrades and updates. We then threw several new types of malware at it to see if it could get around that protection. We then wiped the machine and set it up again, with both McAfee and the Minerva Anti-Evasion Platform agent installed.
The first type of attack used macros embedded inside a Microsoft Word document. It was designed to secretly open a version of Explorer from the Word file, which could then be used to download malicious payloads. This is a common type of attack these days, and if done correctly, it can get around many antivirus programs. When we ran the file and told it to enable macros, nothing unusual seemed to happen. But looking at the running processes with a tool called Process Hacker, it was clear that there was a second instance of Explorer running inside of Word, something that should never happen. Had it been a real attack, that endpoint would have been compromised despite its antivirus program.
If you look at the bottom of the running processes, you will see an instance of Explorer running within Word in addition to the actual Explorer process. The malware launched despite having traditional antivirus in place. Credit: John Breeden II
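The second Explorer running under Word that Process Hacker revealed is exactly the kind of parent-child anomaly an endpoint rule can flag without any signature. The following Python is an added example, not code from this review or from Minerva; it walks a constructed process snapshot (the PIDs and image names are made up, but laid out like a Process Hacker listing) and reports watched processes that descend from an Office application, which generalizes the Word-to-Explorer case to Excel, PowerPoint and other risky child processes.

```python
# Added example: flag processes that descend from an Office application.
# The snapshot below is constructed to mimic a Process Hacker listing
# (PID, parent PID, image name); it is not real captured data.
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed sample: a normal desktop plus one Explorer spawned by Word.
SAMPLE_PROCESSES = [
    Proc(4, 0, "System"),
    Proc(600, 4, "wininit.exe"),
    Proc(1200, 600, "explorer.exe"),   # the real desktop shell
    Proc(2500, 1200, "WINWORD.EXE"),   # Word opened by the user from the shell
    Proc(2600, 1200, "chrome.exe"),
    Proc(3100, 2500, "explorer.exe"),  # second Explorer, child of Word: suspicious
]

# Office document handlers that, in normal use, should not spawn shells or browsers.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Child images that are a red flag when an Office app is their ancestor.
SUSPICIOUS_CHILDREN = {"explorer.exe", "iexplore.exe", "cmd.exe",
                       "powershell.exe", "wscript.exe"}


def office_ancestor(proc, by_pid):
    """Return the nearest Office ancestor of proc, or None.

    Walks the parent chain; the 'seen' set guards against PID reuse cycles.
    """
    seen = set()
    current = by_pid.get(proc.ppid)
    while current is not None and current.pid not in seen:
        seen.add(current.pid)
        if current.name.lower() in OFFICE_APPS:
            return current
        current = by_pid.get(current.ppid)
    return None


def find_office_spawned(processes):
    """Return (child pid, child name, Office ancestor pid) for each suspicious hit.

    The legitimate explorer.exe is not flagged: Word is its child, not its ancestor.
    """
    by_pid = {p.pid: p for p in processes}
    hits = []
    for p in processes:
        if p.name.lower() in SUSPICIOUS_CHILDREN:
            ancestor = office_ancestor(p, by_pid)
            if ancestor is not None:
                hits.append((p.pid, p.name, ancestor.pid))
    return hits


if __name__ == "__main__":
    for pid, name, parent in find_office_spawned(SAMPLE_PROCESSES):
        print(f"ALERT: {name} (pid {pid}) descends from Office process pid {parent}")
```

On a live Windows host the same check can be fed from Sysmon event ID 1 (process creation) or a `Get-Process` dump instead of the constructed list.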