The WildFire cloud now analyzes secondary
payloads (samples) of multi-stage PE, APK, and ELF malware packages.
Analyzing only the original sample submission does not provide
complete coverage, because advanced threats typically use multiple samples
during an attack. Analyzing the secondary payloads as well maximizes
detection and coverage and gives additional leverage to disrupt these
sophisticated attacks. These threats operate by executing code that
activates additional malicious payloads with various objectives,
including helping the malware evade security measures and spreading
the primary payload.
WildFire analyzes multi-stage threats by processing them in
static, dynamic, or bare metal analysis environments. Files found
in a multi-stage malware attack are analyzed independently; as a
result, the verdict and protections for each stage are delivered as
soon as that stage's analysis finishes, without waiting for the other
stages. The overall verdict for the original submission is based on a
threat assessment of the malicious content found across all analyzed
stages of the attack.
The following example shows a malicious PE file
that contains two intermediate stages, each of which in turn contains
two pairs of PE files. As WildFire finishes analyzing each stage,
protections are generated and distributed to the products and services
that integrate with WildFire.
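The roll-up described above can be modeled as a walk over a tree of stages, where each stage gets its own verdict as soon as it is analyzed and the original submission's overall verdict is the most severe verdict found anywhere in the tree. The following is an added illustrative example written for this page; it is not WildFire code and does not reflect how the WildFire cloud is implemented. The stage tree (constructed to mirror the example above), the file names, the severity ordering of the verdicts, and the "delivered" log are all assumptions of the example.

```python
"""Illustrative model of per-stage verdicts rolling up to an overall verdict.

Added example, not WildFire code. The stage tree, file names, severity
ordering and the delivery log are assumptions made for the illustration.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed severity ordering used for the roll-up; the most severe verdict wins.
SEVERITY = {"benign": 0, "grayware": 1, "malware": 2}


@dataclass
class Stage:
    name: str                          # file name or hash of this payload
    file_type: str                     # PE, APK or ELF
    verdict: str                       # verdict from this stage's own analysis
    children: List["Stage"] = field(default_factory=list)  # payloads it drops


def analyze(stage: Stage, delivered: List[Tuple[str, str]]) -> str:
    """Walk the stage tree depth-first.

    Each stage is judged independently and its verdict is 'delivered'
    (appended to the log) as soon as it is known, before any child stage
    is analyzed. The return value is the most severe verdict in this subtree.
    """
    if stage.verdict not in SEVERITY:
        raise ValueError(f"unknown verdict {stage.verdict!r} for {stage.name}")
    delivered.append((stage.name, stage.verdict))
    worst = stage.verdict
    for child in stage.children:
        child_worst = analyze(child, delivered)
        if SEVERITY[child_worst] > SEVERITY[worst]:
            worst = child_worst
    return worst


def build_sample_tree() -> Stage:
    """Constructed sample tree mirroring the page's example: an original PE
    with two intermediate stages, each dropping two pairs of PE files.
    The original file looks benign on its own; only a nested payload is
    malicious, which is exactly the case that single-sample analysis misses."""
    def pe(name: str, verdict: str, children=()) -> Stage:
        return Stage(name, "PE", verdict, list(children))

    return pe("dropper.exe", "benign", [
        pe("stage1a.dll", "benign", [
            pe("a1.exe", "benign"), pe("a2.exe", "grayware"),
            pe("a3.exe", "benign"), pe("a4.exe", "benign"),
        ]),
        pe("stage1b.dll", "benign", [
            pe("b1.exe", "benign"), pe("b2.exe", "benign"),
            pe("b3.exe", "malware"), pe("b4.exe", "benign"),
        ]),
    ])


def overall_verdict(root: Stage) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (overall verdict for the original submission, per-stage delivery log)."""
    delivered: List[Tuple[str, str]] = []
    return analyze(root, delivered), delivered


if __name__ == "__main__":
    verdict, log = overall_verdict(build_sample_tree())
    for name, stage_verdict in log:
        print(f"delivered: {name:<12} {stage_verdict}")
    print(f"overall verdict for original submission: {verdict}")
```

Running the block prints the eleven per-stage verdicts in the order they complete, followed by an overall verdict of malware for dropper.exe even though the dropper itself was judged benign. The delivery log is the point of the model: protections for a2.exe (grayware) are available before the b3.exe stage has even been analyzed.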