How do Infostealers manage to bypass EDRs and XDRs?

Twilight Cyber

Posted on January 15, 2025

Evasive Infostealers

Endpoint Detection and Response systems (EDRs) promise to protect the endpoints of your IT systems against malware, ransomware, and other types of malicious code. As a result, companies of all sizes have rushed to add EDRs to their security efforts (as evidenced by the EDR industry’s growth rate).

However, even companies with EDRs still suffer from infostealer attacks. In the same period that EDRs have surged in popularity, not only has the number of malware attacks continued to rise year over year, but compromised credentials have become the leading initial attack vector. According to IBM’s “Cost of a Data Breach Report 2024,” stolen or compromised credentials were the top initial attack vector in breaches, with the longest time to detect of any vector (291 days) and an average breach cost of $4.61 million.

This raises the obvious question: how is that possible when more companies than ever are adopting EDRs and XDRs?

The short answer lies in how EDRs and XDRs work. Below, we explain why EDRs are not equipped, by design, to prevent 100% of infostealer attacks, and why companies should also prepare to mitigate the damage once an infostealer has already run on a company machine.

Why EDRs and XDRs Don’t Always Prevent Unknown Malware & Infostealer Attacks

Most EDRs work a little like the immune system. Rather than relying on file signatures alone, they watch what is happening on the endpoint (process creation, file and registry writes, memory operations, network connections) and, when that telemetry matches malicious behaviour, they respond (killing the process, isolating the host, rolling back changes), much as the body produces antibodies once it recognises an infection.

This stops much of the damage that conventional malware and ransomware would inflict, because those attacks are noisy and long-running: encrypting thousands of files or moving laterally through a network produces plenty of behavioural signal while the attacker is still at work. Infostealers are different. An EDR needs some malicious activity to occur on the machine before it can classify it and respond, and an infostealer that runs for a few seconds, reads browser profiles, cookies and credential stores, posts them to its server and then exits or deletes itself may be finished before a verdict is reached. That gap is why EDRs cannot prevent infostealer attacks entirely.

This is true no matter how sophisticated your EDR or XDR is. Even XDRs that apply AI and other cutting-edge techniques to classify unknown code still require the attack to be under way before a response can be generated; they narrow the window, they do not eliminate it.

The Stealthy Nature of Infostealers

Evasive Malware

Infostealers present a unique challenge to EDRs and XDRs due to their highly stealthy nature. These malicious programs are designed to operate covertly, often deleting themselves from the victim’s computer after exfiltrating data to avoid detection. This self-deletion mechanism makes it extremely difficult for security solutions to identify and respond to the threat, as the evidence of the attack may be gone before it can be analyzed.

Advanced Evasion Techniques

Infostealers employ a variety of sophisticated evasion techniques to bypass detection and analysis. Here are some of the key evasion methods used by modern infostealers:

Code Obfuscation and Encryption

Infostealers often use code obfuscation and encryption to hide their true nature and evade signature-based detection:

  • Obfuscated Files: Malware authors use complex obfuscation techniques to make the code difficult to analyze and understand.
  • Encryption: Payload components are encrypted or packed and only decrypted in memory at run time, so a static scanner sees a small loader plus an opaque blob rather than the stealer’s real logic.
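One practical way to surface an encrypted or packed payload without a decryption key is to measure byte entropy: compressed or properly encrypted data looks nearly uniform (close to 8 bits per byte), while code, strings and padding do not. The script below is an added example written for this article, not code from the original page or from any stealer family; the “binary” it analyses is constructed inline (a plain-text loader stub followed by a payload encrypted with textbook RC4, and the same payload XORed with a single byte), and the 512-byte window and 7.0-bit threshold are assumptions chosen for the example.

```python
"""Flag encrypted or packed payload regions by byte entropy.

Constructed sample data: a low-entropy loader stub followed by a payload that
is either RC4-encrypted (high entropy) or XORed with a single byte (entropy
unchanged, because a constant XOR only relabels byte values).
"""
import math
from collections import Counter
from typing import List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512,
                         threshold: float = 7.0) -> List[Tuple[int, float]]:
    """Offsets (and entropy) of every full window at or above the threshold."""
    hits = []
    for offset in range(0, len(data) - window + 1, window):
        e = shannon_entropy(data[offset:offset + window])
        if e >= threshold:
            hits.append((offset, round(e, 2)))
    return hits


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA), used here only to manufacture an encrypted sample."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- constructed sample input (not a real binary) ---------------------------
LOADER_STUB = (b"This program cannot be run in DOS mode.\r\n" * 8).ljust(1024, b"\x00")
PLAIN_PAYLOAD = (
    b"SELECT origin_url, username_value, password_value FROM logins;\n"
    b"POST /gate/upload HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n"
) * 24
PLAIN_PAYLOAD = PLAIN_PAYLOAD[:2048]

SAMPLE_RC4 = LOADER_STUB + rc4(b"stealer-key", PLAIN_PAYLOAD)          # stream-encrypted blob
SAMPLE_XOR = LOADER_STUB + bytes(b ^ 0x5A for b in PLAIN_PAYLOAD)      # single-byte XOR


def triage(sample: bytes) -> dict:
    """Summary an analyst would glance at before deciding to unpack by hand."""
    return {
        "overall_entropy": round(shannon_entropy(sample), 2),
        "suspect_windows": high_entropy_windows(sample),
    }


if __name__ == "__main__":
    for name, sample in (("rc4", SAMPLE_RC4), ("single-byte-xor", SAMPLE_XOR)):
        print(name, triage(sample))
```

The RC4 sample lights up every window from offset 1024 onwards, while the single-byte XOR sample produces no hits at all, because XOR with a constant is a bijection on byte values and leaves the histogram, and therefore the entropy, unchanged. That is the caveat to keep in mind: entropy catches stream ciphers, AES and compression, but a stealer that hides its strings behind a one-byte XOR or simple substitution has to be found with string and code analysis instead.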

Sandbox Evasion

Many infostealers can detect when they are running in a sandbox environment and alter their behavior accordingly:

  • User Interaction Detection: Malware checks for signs of human interaction, such as mouse movement, to determine whether it is running on a real machine or in an automated sandbox.
  • Timing-based Techniques: Extended sleep calls, logic bombs that fire only after a later date or time, and stalling code that burns time until the sandbox’s analysis window expires, so the real payload never runs while the sample is being watched.
  • Focus Changes: It checks for window focus changes, which occur naturally during real usage but are often absent in automated environments.
  • Virtualization Detection: Many sandboxes run on virtual machines, so malware checks for artifacts of virtualization such as:
    • Specific virtual hardware identifiers (e.g., “VMware,” “VirtualBox,” or “Xen”) in device names, BIOS strings, or MAC address prefixes.
    • Presence of hypervisor-related instructions (the CPUID hypervisor-present bit) or guest-tools drivers and services.
  • System Resources: Malware assesses hardware resources that are often limited in virtual environments:
    • RAM: Low memory (e.g., under 4 GB) can signal a sandbox.
    • Storage Size: Small disks (e.g., 50 GB or less) are typical in sandboxes.
    • CPU Cores: A single core, or very few cores, may indicate a virtualized environment.
  • Trigonometry-based Evasion: Some malware, such as Lumma Stealer, samples the cursor position over time and applies trigonometric calculations to the resulting movement vectors to judge whether the motion looks like a human hand or like the absent or artificial motion of an analysis environment.
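To make the trigonometry check concrete, here is a reconstruction of the kind of test a Lumma-style sample runs on sampled cursor positions. This is an added example written for this article, not the stealer’s own code: the sample count (five positions) and the 45-degree limit on direction change are assumptions, and the cursor traces are constructed. The logic is that a human hand moves the cursor continuously and turns gradually, so every sample should differ from the previous one and consecutive movement vectors should form small angles; a parked cursor or a naive emulator that teleports the pointer to random points fails.

```python
"""Reconstruction of a trigonometric 'is a human moving the mouse?' check.

Thresholds are assumptions for this example: five cursor samples and a
45-degree maximum change of direction between consecutive movements.
"""
import math
from typing import List, Sequence, Tuple

Point = Tuple[int, int]

SAMPLE_COUNT = 5         # assumed: how many cursor positions are sampled
MAX_TURN_DEGREES = 45.0  # assumed: sharper turns are treated as non-human


def turn_angles(points: Sequence[Point]) -> List[float]:
    """Angle in degrees between each pair of consecutive movement vectors.

    Returns [] if the cursor did not move in some interval: a zero-length
    vector has no direction, and a parked cursor is itself a sandbox tell.
    """
    vectors = [(x2 - x1, y2 - y1) for (x1, y1), (x2, y2) in zip(points, points[1:])]
    if any(v == (0, 0) for v in vectors):
        return []
    angles = []
    for (ax, ay), (bx, by) in zip(vectors, vectors[1:]):
        cos_theta = (ax * bx + ay * by) / (math.hypot(ax, ay) * math.hypot(bx, by))
        cos_theta = max(-1.0, min(1.0, cos_theta))  # clamp floating-point drift
        angles.append(math.degrees(math.acos(cos_theta)))
    return angles


def looks_human(points: Sequence[Point], max_turn: float = MAX_TURN_DEGREES) -> bool:
    """True when the cursor moved in every interval and never turned sharply."""
    if len(points) < SAMPLE_COUNT:
        return False
    angles = turn_angles(points[:SAMPLE_COUNT])
    return bool(angles) and all(a <= max_turn for a in angles)


# Constructed cursor traces (pixel coordinates sampled at a fixed interval)
PARKED_CURSOR = [(640, 400)] * 5                                            # unattended sandbox
SMOOTH_DRAG = [(100, 100), (130, 112), (160, 126), (192, 138), (225, 149)]  # human-like arc
RANDOM_TELEPORT = [(10, 10), (900, 50), (40, 700), (1200, 1100), (5, 20)]   # naive emulator
SCRIPTED_LINE = [(0, 0), (10, 0), (20, 0), (30, 0), (40, 0)]                # straight line passes


if __name__ == "__main__":
    for name, trace in (("parked", PARKED_CURSOR), ("smooth", SMOOTH_DRAG),
                        ("teleport", RANDOM_TELEPORT), ("scripted_line", SCRIPTED_LINE)):
        print(f"{name:14s} human={looks_human(trace)} "
              f"angles={[round(a, 1) for a in turn_angles(trace)]}")
```

The takeaway for anyone running a sandbox is in the last two traces: random jumps fail the check, but a scripted straight-line or gently curving drag passes it, so mouse emulation needs to move the pointer continuously with small, gradual direction changes rather than clicking at random coordinates.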

Memory-based Techniques

Infostealers frequently inject their code directly into the memory of a legitimate process, or decode and run a payload in memory without ever writing it to disk as a standalone file (so-called fileless execution). Either way, file-based scanning has nothing to scan, and detection has to come from inspecting process memory and behaviour instead.
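The counterpart to this technique on the defensive side is to look for executable memory that no file on disk accounts for. The script below is an added example for this article (not code from the page or from any EDR product) showing that check on Linux, where a process’s mappings are readable from /proc/<pid>/maps: it flags executable regions that are also writable, anonymous (inode 0, no backing file) or backed by a deleted or memfd-created file. The maps excerpt it parses is constructed, not captured from a real host.

```python
"""Hunt for injected or fileless code by reading a process's memory map.

Linux version of the check an EDR performs: executable regions that are
writable, anonymous (no backing file), or backed by a deleted/memfd file
have no on-disk artefact for a file scanner to examine.
"""
import re
from typing import Dict, List, Tuple

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)
KERNEL_MAPPINGS = {"[vdso]", "[vsyscall]"}  # executable by design, not injected


def parse_maps(text: str) -> List[Dict]:
    """Turn /proc/<pid>/maps text into a list of region dicts."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            regions.append({
                "start": int(d["start"], 16), "end": int(d["end"], 16),
                "perms": d["perms"], "inode": int(d["inode"]), "path": d["path"].strip(),
            })
    return regions


def suspicious_regions(regions: List[Dict]) -> List[Tuple[Dict, List[str]]]:
    """Executable regions with no legitimate file behind them, with the reasons."""
    flagged = []
    for r in regions:
        if "x" not in r["perms"] or r["path"] in KERNEL_MAPPINGS:
            continue
        reasons = []
        if "w" in r["perms"]:
            reasons.append("writable and executable (rwx)")
        if r["inode"] == 0:
            reasons.append("anonymous executable memory (no backing file)")
        elif "(deleted)" in r["path"] or r["path"].startswith("/memfd:"):
            reasons.append("executable file that no longer exists on disk")
        if reasons:
            flagged.append((r, reasons))
    return flagged


# Constructed /proc/<pid>/maps excerpt (not captured from a real host)
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a21000 r--p 00000000 fd:01 1311 /usr/bin/python3.11
55d0c8a21000-55d0c8c1b000 r-xp 00021000 fd:01 1311 /usr/bin/python3.11
7f1a3c000000-7f1a3c021000 rw-p 00000000 00:00 0
7f1a3c400000-7f1a3c412000 rwxp 00000000 00:00 0
7f1a3c800000-7f1a3c81a000 r-xp 00000000 00:05 7421 /memfd:updater (deleted)
7f1a3d000000-7f1a3d1c5000 r-xp 00000000 fd:01 2087 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd2e3f0000-7ffd2e411000 rw-p 00000000 00:00 0 [stack]
7ffd2e5a0000-7ffd2e5a2000 r-xp 00000000 00:00 0 [vdso]
"""


def scan_pid(pid: int) -> List[Tuple[Dict, List[str]]]:
    """Apply the same check to a live process (Linux only; needs ptrace-level access)."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_regions(parse_maps(fh.read()))


if __name__ == "__main__":
    for region, reasons in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{region['start']:#x}-{region['end']:#x} {region['perms']} "
              f"{region['path'] or '<anon>'}: {', '.join(reasons)}")
```

Two of the eight regions are flagged: the anonymous rwx page, which is what a classic shellcode injection looks like, and the executable memfd mapping whose file was unlinked, which is the Linux shape of fileless execution. Expect false positives from JIT runtimes (browsers, JVMs, .NET), which legitimately create anonymous executable memory; the Windows equivalent walks a process with VirtualQueryEx looking for MEM_PRIVATE regions with execute permission.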

Anti-analysis Techniques

  • Forensic Tool Detection: Advanced infostealers can detect the presence of security and forensic tools, allowing them to alter their behavior or remain dormant.

Living Off the Land

  • Use of Legitimate Tools: Infostealers often utilize legitimate system tools and processes to blend in with normal system operations.
  • BITS Jobs: The Background Intelligent Transfer Service (BITS) is abused to download payloads quietly in the background over HTTP(S) and, through its job-completion notification command, to execute them, all under a trusted Windows service.

Network-based Evasion

  • Fast Flux: The IP addresses behind a command-and-control domain are rotated rapidly using very short DNS TTLs, so blocking any single address does not cut the malware off from its infrastructure.
  • C2 Communication Obfuscation: Infostealers may use legitimate services like Telegram for command and control, making it difficult to distinguish malicious traffic.
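Fast flux leaves a signature in passive DNS that a defender can score. The script below is an added example for this article (not code from the page or any vendor) implementing one simple heuristic, stated here as an assumption rather than an established rule: within a time window, a fast-flux name resolves to many addresses spread across many unrelated /24 networks with short TTLs, whereas a CDN also uses short TTLs and several addresses but keeps them inside a few netblocks. The passive-DNS records are constructed and use documentation and shared address space, not real hosts.

```python
"""Score domains from passive-DNS records for fast-flux behaviour.

Heuristic (an assumption for this example): many distinct answers, spread
over many /24 networks, with short TTLs, inside one observation window.
"""
from collections import defaultdict
from ipaddress import ip_network
from typing import Dict, Iterable, Tuple

Record = Tuple[int, str, str, int]  # (unix_time, name, answer_ip, ttl)


def score_domains(records: Iterable[Record], window: int = 3600, min_ips: int = 5,
                  min_nets: int = 4, max_ttl: int = 300) -> Dict[str, Dict]:
    """Per-domain counts plus a fast_flux verdict for the most recent window."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    verdicts = {}
    for name, rows in by_name.items():
        latest = max(ts for ts, _, _ in rows)
        recent = [r for r in rows if latest - r[0] <= window]
        ips = {ip for _, ip, _ in recent}
        nets = {ip_network(f"{ip}/24", strict=False) for ip in ips}
        min_ttl = min(ttl for _, _, ttl in recent)
        verdicts[name] = {
            "distinct_ips": len(ips),
            "distinct_24s": len(nets),
            "min_ttl": min_ttl,
            "fast_flux": len(ips) >= min_ips and len(nets) >= min_nets and min_ttl <= max_ttl,
        }
    return verdicts


# Constructed passive-DNS observations (documentation/shared address space, not real hosts)
T0 = 1_736_899_200  # 2025-01-15 00:00:00 UTC
SAMPLE_RECORDS = [
    # static corporate site: one address, long TTL
    (T0, "www.example.test", "203.0.113.10", 3600),
    (T0 + 1800, "www.example.test", "203.0.113.10", 3600),
    # CDN-fronted asset host: several addresses, short TTL, but a single netblock
    (T0, "static.example.test", "198.51.100.5", 60),
    (T0 + 60, "static.example.test", "198.51.100.6", 60),
    (T0 + 120, "static.example.test", "198.51.100.7", 60),
    (T0 + 180, "static.example.test", "198.51.100.5", 60),
    # C2 domain on a flux network: a new address in a new /24 on almost every lookup
    *[(T0 + 120 * i, "update-check.example.test", f"100.64.{i}.{17 + i}", 120)
      for i in range(1, 9)],
]


if __name__ == "__main__":
    for name, verdict in score_domains(SAMPLE_RECORDS).items():
        print(f"{name:28s} {verdict}")
```

Only the third domain is flagged; the CDN host has the same short TTL and several answers but all in one /24, which is what the network-diversity condition is there to separate. In production you would replace the /24 proxy with ASN lookups and tune the thresholds against your own resolver logs, since the right numbers differ between a small office and a large enterprise resolver.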

Polymorphism and Metamorphism

  • Constant Code Changes: Some infostealers use polymorphic or metamorphic techniques to constantly change their code structure, making it difficult for signature-based detection.

By employing these advanced evasion techniques, infostealers can often bypass traditional security measures, making them a persistent and challenging threat to detect and mitigate.

How to Stop Infostealer Attacks Before They Can Do Damage

Monitoring the dark web

While it’s impossible to prevent every infostealer attack, organizations can effectively neutralize the threat before it causes harm. By swiftly identifying stolen credentials and the infected devices, mitigation measures can be implemented to render the attack harmless. Twilight Cyber’s innovative technology does this by detecting infected machines and compromised credentials within hours of the initial breach – stopping threats before any damage occurs.

How Twilight Cyber Minimizes Infostealer Damage

  1. Real-Time Monitoring and Threat Intelligence
    Twilight Cyber leverages advanced dark web monitoring tools to detect credentials compromised by infostealers as soon as they are exposed on the dark web, within hours of the initial leak. This swift detection enables organizations to take immediate action – identifying and cleaning machines infected by infostealers, resetting compromised credentials, and invalidating stolen session cookies – before attackers can exploit the breach.
  2. Credential Compromise Mitigation
    Twilight Cyber integrates with identity management systems to flag and reset compromised credentials immediately. This prevents attackers from leveraging stolen credentials to perform account takeovers and gain unauthorized access to critical systems.

Why Twilight Cyber?

Twilight Cyber doesn’t just focus on detection – it is built to empower organizations to respond swiftly and decisively. By addressing compromised credentials and infected devices in near-real-time, it reduces the time attackers have to exploit your systems, ultimately saving you from costly and damaging breaches.
