A new stealthy malware named ‘Beep’ was discovered last week, featuring many features to evade analysis and detection by security software.
The malware was discovered by analysts at Minerva after a flurry of samples were uploaded to VirusTotal, an online platform for file scanning and malicious content detection.
Although Beep is still in development and missing several key features, it currently allows threat actors to download and execute further payloads on compromised devices remotely.
A new info-stealer in the making
Beep is an information stealer malware that uses three separate components: a dropper, an injector, and the payload.The dropper (“big.dll”) creates a new registry key with an ‘AphroniaHaimavati’ value that contains a base64 encoded PowerShell script. This PowerShell script is launched every 13 minutes using a Windows scheduled task.
When the script is executed, it will download data and save it to an injector named AphroniaHaimavati.dll, which is then launched.
The injector is the component that uses a range of anti-debugging and anti-vm techniques to inject the payload into a legitimate system process (“WWAHost.exe”) via process hollowing to evade detection from anti-virus tools running on the host.
Finally, the primary payload attempts to collect data from the compromised machine, encrypt it, and send it to the C2. During Minerva’s analysis, the hardcoded C2 address was offline, but the malware attempted connections even after 120 failed tries.
Despite the limitations in the analysis of the malware, Minerva was still able to identify the following functions in the sample, which are triggered by C2 commands:
What makes the Beep malware stand out is its use of multiple techniques throughout its execution flow to evade detection and analysis by security software and researchers.
These evasion techniques are summarized below:
Dynamic string deobfuscation – Conceals important strings and copies hex bytes into memory. Beep deobfuscates them when needed using xor/sub/add/not assembly instructions.
System Language check – Beep will check the default system language and exit if Russian, Ukrainian, Belarusian, Tajik, Slovenian, Georgian, Kazakh, and Uzbek (Cyrillic) are detected.
Assembly implementation of the IsDebuggerPresent API function – Checks whether a user-mode debugger is debugging the current process.
NtGlobalFlag field anti-debugging – Determine if a debugger created the process.
RDTSC instruction – Determine the CPU ticks since reset to determine if it runs in a VM.
Stack Segment Register – Detect if the program is being traced.
CPUID anti-vm – Obtain the Hypervisor Brand string and checks if it contains a part of the word ‘VMware.’
VBOX registry key anti-vm – Check for the existence of VM-related registry keys.
Beep API function anti-sandbox – Alternate to ‘Sleep API function,’ it generates a beep tone on the speaker while delaying the malware execution (alertable wait) to evade sandbox detection.
In addition to the above, the injector component also implements the following evasion techniques:
IsDebuggerPresent() API anti-debugging – Determine whether a user-mode debugger is debugging the current process.
ProcessDebugPort anti-debugging – Determine the port number of the debugger for the process.
VirtualAlloc() / GetWriteWatch() anti-debugging – Track pages written in memory to detect debuggers and hooks.
OutputDebugString() anti-debugging – Debugger detection technique relying on a call return result.
QueryPerformanceCounter() and GetTickCount64() anti-debugging – Measure the delay between instructions and execution to determine if a debugger runs on the system.
Beep is an example of malware that heavily focuses on evasion, having implemented multiple anti-analysis mechanisms before finalizing the full feature set for data theft and the execution of commands.
Although its operations in the wild remain limited for the time being, Beep may be an upcoming threat to watch out for.