It’s time to worry about ‘just-in-time’ malware – report

A new report from Invincea looks at the rise of "just-in-time" malware, which assembles itself once it bypasses computer security systems.

There has been a rapid rise in a kind of malware that assembles on endpoints piece-by-piece in order to evade network security controls, according to a new report.

Virginia-based cybersecurity firm Invincea chronicled the rise in “just-in-time” malware in its 1H 2015 Advanced Endpoint Threat Report, released Wednesday, detailing how the threats sneak past security systems and assemble themselves on computers. The exploits, passed on by commonly used tactics like malvertising, have breached organizations ranging from Fortune 500 companies and popular media sites to the White House.

“Our latest research shows the relentless innovation of threat actors’ techniques that in turn highlights the inadequacy of most organizations’ network defenses,” Invincea founder and CEO Anup Ghosh said in a release. “This is consistently leading to intellectual property loss, costly remediation, loss of employee productivity, and reputational harm.”

A diagram explaining how 'just-in-time' malware works. (Invincea)

Once exploits are in an enterprise’s network, they evade security because there is no single malicious payload for a network monitoring system to capture. The code then fools endpoint security systems by using local Windows system utilities to stitch together snippets, most of which would never be blocked by security tools on their own.

These exploits sneak in via two common outlets: spear-phishing emails that often contain media or Microsoft Office documents laced with malicious code, or malvertising campaigns served up through third-party ad networks. The exploits range in function from botnet protocols to banking Trojans to ransomware.
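A defender-side illustration of the point above, added here and not taken from the article or the Invincea report: because each Windows utility involved is benign on its own, a detection has to look at the chain of processes spawned under the Office application rather than at any single process. Host names, PIDs, timestamps and the utility watchlist are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation events (invented, not data from the Invincea report):
# (timestamp, host, pid, parent pid, image), as an EDR "process create" record carries them.
EVENTS = [
    ("2015-06-01T08:55:00", "ws-17", 300, 1, "explorer.exe"),
    ("2015-06-01T09:00:01", "ws-17", 410, 300, "winword.exe"),     # user opens an attachment
    ("2015-06-01T09:00:03", "ws-17", 520, 410, "cmd.exe"),         # Office app spawns a shell
    ("2015-06-01T09:00:05", "ws-17", 530, 520, "powershell.exe"),  # shell spawns a second utility
    ("2015-06-01T08:55:00", "ws-22", 300, 1, "explorer.exe"),
    ("2015-06-01T09:10:00", "ws-22", 411, 300, "winword.exe"),
    ("2015-06-01T09:10:02", "ws-22", 600, 411, "splwow64.exe"),    # benign print helper
    ("2015-06-01T09:12:00", "ws-22", 700, 300, "cmd.exe"),         # user-launched prompt, not under Office
    ("2015-06-01T08:55:00", "ws-31", 300, 1, "explorer.exe"),
    ("2015-06-01T09:20:00", "ws-31", 412, 300, "excel.exe"),
    ("2015-06-01T09:20:04", "ws-31", 800, 412, "cmd.exe"),         # one utility only: below threshold
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Built-in Windows utilities that are benign on their own, which is why one of them
# is not a useful alert; the signal is several of them chained under an Office process.
SYSTEM_UTILITIES = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                    "rundll32.exe", "regsvr32.exe"}

def _descends_from(procs, pid, ancestor):
    """Walk the parent chain of `pid` and report whether `ancestor` is on it."""
    while pid in procs:
        pid = procs[pid][1]
        if pid == ancestor:
            return True
    return False

def find_assembly_chains(events, window=timedelta(minutes=5), min_utilities=2):
    """Return (host, office_pid, sorted utility names) for each Office process whose
    descendants started within `window` include >= min_utilities distinct utilities."""
    by_host = defaultdict(dict)  # host -> pid -> (start time, ppid, image)
    for ts, host, pid, ppid, image in events:
        by_host[host][pid] = (datetime.fromisoformat(ts), ppid, image.lower())
    hits = []
    for host, procs in by_host.items():
        for pid, (start, _, image) in procs.items():
            if image not in OFFICE_APPS:
                continue
            seen = {cimg for cpid, (cts, _, cimg) in procs.items()
                    if cimg in SYSTEM_UTILITIES and timedelta(0) <= cts - start <= window
                    and _descends_from(procs, cpid, pid)}
            if len(seen) >= min_utilities:
                hits.append((host, pid, sorted(seen)))
    return hits
```

Running `find_assembly_chains(EVENTS)` flags only ws-17, where two distinct utilities were launched beneath the Office process; the single shell on ws-31 and the user-launched prompt on ws-22 stay below the threshold.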

“Adversaries do not burn zero-day exploits when a simpler approach – spear-phishing with malicious attachments using known exploits – is just as effective,” the report states.

Those deployment tactics were the same ones used in two of the more high-profile data breaches of the past year: the hacks on health insurance provider Anthem and on the White House’s unclassified networks. While the report concludes that different groups were responsible for each attack (Deep Panda for Anthem, CozyDuke for the White House), even the most sophisticated threat groups routinely resort to simple attack methods.

Invincea goes on to say that enterprises need to combine prevention with detection if they are to stop the onslaught of security threats. Even with personnel at high levels of government and private companies going through comprehensive training, it’s not enough to stave off exploits that are virtually undetectable once a user unknowingly guides them into the network.


“The failure of training initiatives to prevent these breaches is not new or surprising,” the report reads. “Relying on users to make the right decision about every click is a failing strategy. Teaching users about online risk is useful, but relying on them to make the right decision 100 percent of the time is unrealistic.”

Read the full report on Invincea’s website.

Written by Greg Otto

Greg Otto is Editor-in-Chief of CyberScoop, overseeing all editorial content for the website. Greg has led cybersecurity coverage that has won various awards, including accolades from the Society of Professional Journalists and the American Society of Business Publication Editors. Prior to joining Scoop News Group, Greg worked for the Washington Business Journal, U.S. News & World Report and WTOP Radio. He has a degree in broadcast journalism from Temple University.