Super Evasive Beep Malware Stuns Researchers

An extra evasive malware

• Several samples of this malware have been discovered in form of .dll, .gif, or .jpg files, with similar code. These samples are tagged as spreader and detect-debug-environment on VirusTotal.
• The malware is delivered via email attachments, social media networks such as Discord, or via public file-hosting service OneDrive. 
• After infection, this malware is capable of downloading a wide range of other malicious tools, including ransomware. 

A deeper insight

• The dropper (big.dll) starts its work after several anti-debugging and anti-VM checks. It creates a new Windows Registry key for persistence. It adds a scheduled task that runs every 13 minutes and executes a PowerShell script stored in the registry.
• The PowerShell script, after a re-verification for the debugging environment, extracts the payload and launches it by injecting it into a genuine Windows process using the process hollowing tactic.
• Just before the payload delivery, another round of evasion checks takes place. Subsequently, the malware steals system information, creates an enumerated list of all the running processes, and sends it to the C&C server. It is further capable of executing additional shellcodes, for running any further payloads.

An evasion-heavy malware

• The malware drops several unused, invalid files, and stores the important data by padding it with huge chunks of garbage data to complicate its analysis. 
• It often uses legitimate system processes to hide and performs default language checks, dynamic string deobfuscation, and assembly implementation of the debugger API function. 
• Additional methods include NtGlobalFlag field anti-debugging, Stack Segment Register anti-debugging, CPUID check, and RDTSC instructions anti-debugging, among others.

Ending notes