Introduction

Malware comes in many forms, but a typical sample consists of two parts: a dropper and a payload. Together they work as follows:

  1. The dropper is deployed or installed on a target system during initial access, for example via phishing or a compromised account.

  2. The dropper then establishes a communication channel with the adversary (the attacker) to receive further instructions.

  3. The dropper carries a payload hidden inside it (or, in some cases, receives one from the attacker), which it executes to perform a set of tasks such as privilege escalation, lateral movement, or exfiltration, depending on what the payload was programmed to do.

Malware developers use plenty of techniques to hide their precious payloads. The dropper without its payload is mostly benign, which is why the payload is the precious part: it is the payload that performs most of the nefarious tasks. Hence, malware authors go to a lot of trouble to keep the payload from being detected by EDRs, AVs, threat hunters, and so on. Among the most common techniques are obfuscating or encrypting the payload and deobfuscating or decrypting it just in time, when it has to be executed. This means the deobfuscation logic or the decryption secrets are normally inside the dropper itself as well. There is a serious drawback, though: obfuscating or encrypting the payload significantly increases the entropy of the malware binary, and this increase in entropy is a red flag in the prying eyes of EDRs and AVs. Even if the EDR/AV cannot read the encrypted or obfuscated payload, the binary gets flagged for further inspection because of its high entropy. Malware authors do try a variety of techniques to reduce the entropy, but there is no guarantee that it will drop significantly.
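To make the entropy red flag concrete, here is an added example (not code from the original post) of the check a defender or a triage script performs: it computes the Shannon entropy of a buffer in bits per byte and slides a window over it to locate the high-entropy region that an embedded encrypted payload produces. All sample data is constructed inline; the "encrypted" blob is plaintext XORed with a SHA-256-derived keystream, a stand-in for a real cipher, and the window size and 7.0 bits/byte threshold are assumptions a practitioner would tune.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = 1024, step: int = 512, threshold: float = 7.0):
    """Slide a window over the buffer; return (offset, entropy) for every window at or above the threshold.

    Plain code and text usually sit around 4-6 bits/byte; compressed or encrypted data approaches 8.
    The defaults (1 KiB window, 7.0 bits/byte) are assumed starting points, not a published standard.
    """
    hits = []
    for offset in range(0, len(data) - window + 1, step):
        h = shannon_entropy(data[offset:offset + window])
        if h >= threshold:
            hits.append((offset, round(h, 3)))
    return hits


def keystream(seed: bytes, length: int) -> bytes:
    """Deterministic pseudo-random stream from chained SHA-256 (constructed stand-in for a cipher keystream)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


# Constructed sample: low-entropy "benign dropper" bytes around an encrypted blob.
BENIGN = (b"This dropper only copies files and writes a log entry. " * 40)[:2048]
PAYLOAD_PLAINTEXT = (b"Constructed placeholder payload text, nothing executable here. " * 70)[:4096]
ENCRYPTED = xor_bytes(PAYLOAD_PLAINTEXT, keystream(b"constructed-seed", len(PAYLOAD_PLAINTEXT)))
SAMPLE = BENIGN + ENCRYPTED + BENIGN  # 8192 bytes; the blob occupies offsets 2048..6143


def main():
    print(f"benign region   : {shannon_entropy(BENIGN):.3f} bits/byte")
    print(f"encrypted region: {shannon_entropy(ENCRYPTED):.3f} bits/byte")
    print(f"whole sample    : {shannon_entropy(SAMPLE):.3f} bits/byte")
    for offset, h in high_entropy_regions(SAMPLE):
        print(f"high-entropy window at offset {offset:#06x}: {h} bits/byte")


if __name__ == "__main__":
    main()
```

The whole-file entropy is diluted by the benign part, which is why the windowed scan matters: it pinpoints the 4 KiB region near 8 bits/byte that a plain average over the file would soften. The same windowed check is what a reviewer would run over a suspicious binary before spending time on manual unpacking.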

Malware detection has evolved over time, and today's machine-learning (AI) based detection tools such as EDRs are extremely powerful at detecting malicious activity because they are not based on static rules; they are trained to recognize malicious behavior when a piece of code runs. In fact, evading AI-based EDRs is rare, and malware authors are actively researching ways to bypass them.
