A new malware has surprised researchers with its use of a large number of evasion techniques to avoid sandboxes and resist analysis. It is suspected to be a malware-as-a-service offering, available for other criminals to distribute their own payloads.

An extra evasive malware

Minerva Labs researchers named the malware Beep after one of its evasion techniques, which delays execution via the Beep API function. Once the malware successfully penetrates a system, it performs several anti-debugging and anti-VM checks at each stage of execution.
  • Several samples of this malware have been discovered in the form of .dll, .gif, or .jpg files with similar code. On VirusTotal these samples carry the tags spreader and detect-debug-environment.
  • The malware is delivered via email attachments, social media networks such as Discord, or the public file-hosting service OneDrive.
  • After infection, the malware can download a wide range of additional malicious tools, including ransomware.

A deeper insight

The Beep malware comprises three components: a dropper, an injector, and the main payload.
  • The dropper (big.dll) starts its work only after several anti-debugging and anti-VM checks pass. It creates a new Windows Registry key for persistence and adds a scheduled task that runs every 13 minutes and executes a PowerShell script stored in the registry.
  • The PowerShell script, after re-checking for a debugging environment, extracts the payload and launches it by injecting it into a legitimate Windows process using process hollowing.
  • Just before the payload is delivered, another round of evasion checks takes place. The payload then collects system information, enumerates all running processes, and sends the list to the C&C server. It can also execute additional shellcode to run further payloads.
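The persistence chain above (a short-interval scheduled task whose action is PowerShell pulling a script body out of the registry) leaves two command-line artefacts a detection engineer can key on. The following is an added example, not code from the article or from Minerva Labs: two heuristic rules run over constructed process-creation records shaped like simplified Sysmon Event ID 1 data. The task name, registry path and value name are placeholders chosen for the example, and the 15-minute threshold is an assumed tuning value.

```python
import re

# Constructed process-creation events (a simplified Sysmon Event ID 1 shape).
# Task name, registry path and value name are placeholders chosen for this
# example; they are not indicators from any real Beep sample.
SAMPLE_EVENTS = [
    {   # dropper registering the 13-minute task that re-launches PowerShell
        "ParentImage": r"C:\Windows\System32\rundll32.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": (
            'schtasks.exe /Create /F /SC MINUTE /MO 13 /TN "PLACEHOLDER_TASK" '
            '/TR "powershell.exe -w hidden -c IEX((Get-ItemProperty -Path '
            "HKCU:\\Software\\PLACEHOLDER_KEY).payload)\""
        ),
    },
    {   # the task firing: PowerShell reads its script body from the registry
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            "powershell.exe -w hidden -c IEX((Get-ItemProperty -Path "
            "HKCU:\\Software\\PLACEHOLDER_KEY).payload)"
        ),
    },
    {   # benign: nightly backup task
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": 'schtasks.exe /Create /SC DAILY /TN "Backup" /TR "C:\\Tools\\backup.exe"',
    },
    {   # benign: an admin reading a registry value interactively (no IEX)
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -c Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion",
    },
]

SHORT_INTERVAL_MINUTES = 15   # assumed threshold; Beep's task fires every 13 minutes

_SC = re.compile(r"/SC\s+(\w+)", re.I)
_MO = re.compile(r"/MO\s+(\d+)", re.I)
_REG_READ = re.compile(r"Get-ItemProperty|Get-ItemPropertyValue|HKCU:|HKLM:|Registry::", re.I)
_EXEC = re.compile(r"\bIEX\b|Invoke-Expression|FromBase64String", re.I)


def short_interval_task_launching_powershell(cmd):
    """schtasks /Create with a minute-level repeat <= threshold whose action runs PowerShell."""
    lowered = cmd.lower()
    if "schtasks" not in lowered or "/create" not in lowered:
        return False
    sc, mo = _SC.search(cmd), _MO.search(cmd)
    if not sc or sc.group(1).upper() != "MINUTE":
        return False
    interval = int(mo.group(1)) if mo else 1   # schtasks defaults /MO to 1
    return interval <= SHORT_INTERVAL_MINUTES and "powershell" in lowered


def powershell_executes_registry_payload(image, cmd):
    """PowerShell reading a registry value and handing it to IEX / Invoke-Expression."""
    if not image.lower().endswith("powershell.exe"):
        return False
    return bool(_REG_READ.search(cmd) and _EXEC.search(cmd))


def analyze(events):
    """Return (event_index, rule_name) pairs for every event that matches a rule."""
    hits = []
    for i, ev in enumerate(events):
        cmd, image = ev["CommandLine"], ev["Image"]
        if short_interval_task_launching_powershell(cmd):
            hits.append((i, "short_interval_task_launching_powershell"))
        if powershell_executes_registry_payload(image, cmd):
            hits.append((i, "powershell_executes_registry_payload"))
    return hits


if __name__ == "__main__":
    for idx, rule in analyze(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The two rules are deliberately independent: the first fires once, when the task is created, while the second fires on every 13-minute run, so the second still catches a host where the creation event was never logged. Both rules ignore the task name and registry path, which an operator can change freely, and key on behaviour instead.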

An evasion-heavy malware

Beep uses several evasion tactics, including anti-debugging and anti-VM (anti-sandbox) checks at every stage of the infection chain.
  • The malware drops several unused, invalid files and pads the data that matters with huge chunks of garbage to complicate analysis.
  • It often hides behind legitimate system processes and performs default-language checks, dynamic string deobfuscation, and an assembly-level implementation of the debugger API function.
  • Additional methods include NtGlobalFlag anti-debugging, Stack Segment register anti-debugging, a CPUID check, and RDTSC instruction anti-debugging, among others.
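The checks listed above compile to short, recognisable instruction sequences, which is why analysts often triage a sample statically before letting it run. The following is an added example, not code from the article or from Minerva Labs: a small byte-pattern scanner that flags the x86 encodings of the PEB load, the NtGlobalFlag test, the SS-register trap-flag trick, RDTSC and CPUID in a constructed code fragment (not bytes from a real Beep sample) and produces a weighted score. The weights are assumptions: the two-byte RDTSC and CPUID opcodes occur in plenty of benign code, so they count little on their own, while the structural sequences count more.

```python
# Constructed code fragment (not bytes from a real Beep sample): a few
# anti-debugging instruction sequences embedded in NOP / INT3 / zero padding.
SAMPLE_CODE = (
    b"\x90" * 16
    + b"\x64\xa1\x30\x00\x00\x00"      # mov eax, fs:[30h]        (load PEB, x86)
    + b"\xf6\x40\x68\x70"              # test byte [eax+68h], 70h (PEB.NtGlobalFlag heap flags)
    + b"\xcc" * 8
    + b"\x0f\x31"                      # rdtsc
    + b"\x90" * 4
    + b"\x0f\x31"                      # rdtsc again (timing delta between the two)
    + b"\x16\x1f\x9c"                  # push ss; pop ss; pushfd  (trap flag leaks into EFLAGS)
    + b"\x0f\xa2"                      # cpuid (hypervisor bit / vendor string)
    + b"\x00" * 16
)

# name -> (byte pattern, weight, description). Weights are assumed tuning values.
SIGNATURES = {
    "peb_fs30_x86":     (b"\x64\xa1\x30\x00\x00\x00", 3, "mov eax, fs:[30h] (PEB, x86)"),
    "peb_gs60_x64":     (b"\x65\x48\x8b\x04\x25\x60\x00\x00\x00", 3, "mov rax, gs:[60h] (PEB, x64)"),
    "ntglobalflag_x86": (b"\xf6\x40\x68\x70", 4, "test byte [eax+68h], 70h (NtGlobalFlag)"),
    "ss_trap_flag":     (b"\x16\x1f\x9c", 4, "push ss; pop ss; pushfd (SS register trick)"),
    "rdtsc":            (b"\x0f\x31", 1, "rdtsc (timing check)"),
    "cpuid":            (b"\x0f\xa2", 1, "cpuid (VM / hypervisor check)"),
}


def find_all(data, pattern):
    """Every offset at which pattern occurs in data, including overlapping matches."""
    offsets, start = [], 0
    while True:
        idx = data.find(pattern, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan(data):
    """Map each signature name to the list of offsets where it was found."""
    return {name: find_all(data, pattern) for name, (pattern, _, _) in SIGNATURES.items()}


def score(hits):
    """Weighted sum of matches; a purely heuristic triage number, not a verdict."""
    return sum(SIGNATURES[name][1] * len(offsets) for name, offsets in hits.items())


def report(data, threshold=5):
    """Human-readable triage summary; threshold is an assumed cut-off."""
    hits = scan(data)
    lines = [f"{name} @ {offs}  ({SIGNATURES[name][2]})" for name, offs in hits.items() if offs]
    verdict = "suspicious" if score(hits) >= threshold else "no strong anti-debug signal"
    return "\n".join(lines + [f"score={score(hits)} -> {verdict}"])


if __name__ == "__main__":
    print(report(SAMPLE_CODE))
```

Matching raw opcode bytes is only a triage aid: a sample that deobfuscates strings at run time or resolves the check through an API call will not show these sequences, and a packer will hide them entirely, which is exactly why the article's layered checks are paired with dynamic analysis in practice.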

Ending notes

The unique combination of multiple layers of anti-analysis checks and evasion tactics sets the Beep malware apart from all other malware. To date, it has shown very limited operations in the wild. Organizations and security teams should keep an eye on this malware to avoid any unpleasant surprises.
Cyware Publisher
