A new malware named Beep appears to be still in development, but currently has features for delivering additional malware to infected computers. Discovered by Minerva, it comes with three parts: a dropper, an injector, and the payload.
A new registry key with the value “AphroniaHaimavati” that includes a base64-encoded PowerShell script is created by the dropper (“big.dll”). Every 13 minutes thereafter, this PowerShell script is executed via scheduled task. The script will download an additional component and save it in an injector called AphroniaHaimavati.dll before launching it. In order to avoid being discovered by anti-virus software operating on the host, the injector is the component that employs a variety of anti-debugging and anti-vm tactics to inject the .dll into a legitimate system process (“WWAHost.exe”). The main payload’s final task is to gather information from the compromised system, encrypt it, and deliver it to the C2. The hardcoded C2 address was inactive during Minerva’s research, but the malware still tried to connect even after 120 failed attempts. Beep’s features are only partially implemented as of yet, and include:
- balancer – not implemented yet
- init – not implemented yet
- screenshot – appears to collect the process list
- task – not implemented yet
- destroy – not implemented yet
- shellcode – executes additional shellcode
- dll – executes a dll file
- exe – executes an .exe file
- additional – collects additional info
- knock_timeout – changes C&C “keep-alive” intervals
In order to evade detection, Beep employs many evasion tactics including:
- Dynamic string deobfuscation
- System Language check
- IsDebuggerPresent API function
- NtGlobalFlag field anti-debugging
- RDTSC instruction
- Stack Segment Register
- CPUID anti-vm
- VBOX registry key anti-vm
- Beep API function anti-sandbox
- INT 3 anti-debugging
- INT 2D anti-debugging
- CheckRemoteDebuggerPresent API anti-debugging
- ProcessDebugPort anti-debugging
- VirtualAlloc / GetWriteWatch API anti-debugging
- OutputDebugString API anti-debugging – Debugger detection technique relying on a call return result.
- QueryPerformanceCounter / GetTickCount64 API anti-debugging
Analyst Notes
Although Beep’s functionality is currently limited, it’s clear that the developers have high ambitions for a variety of functionality. While the evasion tactics used in Beep are plentiful, they generally center around avoiding anti-virus, and being difficult to reverse engineer. Behavioral analysis can still provide great value in detecting threats such as this. It’s important to have a defense-in-depth program which includes proactive threat hunting of post compromise activities in order to combat emerging threats such as Bleep. Binary Defense’s MDR and Managed Threat Hunting services are excellent solutions to assist with such needs.
https://minerva-labs.com/blog/beepin-out-of-the-sandbox-analyzing-a-new-extremely-evasive-malware/
