Beep 4 was discovered last week, a brand-new stealthy virus with several capabilities to avoid analysis and detection by security tools. After a flurry of samples were posted to VirusTotal, an internet portal for file scanning and harmful content identification, Minerva analysts became aware of the infection.
Even though Beep is still under development and is lacking a few essential functionalities, it now enables threat actors to download and remotely execute additional payloads on infected devices. A dropper, an injector, and the payload are the three distinct parts of the information-stealing virus known as Beep.
The dropper makes a new different registry key with the value “AphroniaHaimavati” and a base64-encoded PowerShell script (“big.dll”). This PowerShell script is launched by a Windows scheduled task once every 13 minutes. Before launching, the script downloads data and stores it in an injector called AphroniaHaimavati.dll.
The injector is the component that uses a range of anti-debugging and anti-vm techniques to inject the payload into a legitimate system process without being detected by anti-virus software running on the host (“WWAHost.exe”).
The final attempt of the main payload is to collect data from the infected machine, encrypt it, and send it to the C2. While Minerva was conducting its study, the hardcoded C2 address was unavailable, yet the malware continued to attempt a connection even after 120 failed attempts.
Minerva Gathering Information From Compromised System
Despite the malware analysis’s restrictions, Minerva was nevertheless able to locate the following C2 command-triggered functions in the sample:
- balancer (not yet implemented)
- init (not yet implemented)
- screenshot: (a task that seems to collect the process list)
- task (hasn’t yet been implemented)
- destroy (not yet implemented)
- exe – (executes an.exe file)
- dll – (executes a dll file)
- shellcode – (executes further shellcode)
- Additional – (gathers more data)
- knock timeout – (modifications “Keep-alive” intervals for C&C)
Beep Evasion Techniques
The Beep malware stands remarkable because it employs a variety of strategies throughout its execution flow to avoid being found and examined by researchers and security tools.
- Dynamic string obfuscation:
Copies hex bytes into memory while masking crucial strings. Beep uses the xor/sub/add/not assembly instructions to deobfuscate them when necessary.
- System Language check:
If Beep detects Russian, Ukrainian, Belarusian, Tajik, Slovenian, Georgian, Kazakh, or Uzbek (Cyrillic) it will check the system language and depart.
- Assembly implementation:
Checks if a user-mode debugger is currently debugging the current process in the DebuggerPresent API method.
- Anti-debugging NtGlobalFlag field:
Check to see if the process was created with a debugger is debugging the current process.
- RDTSC instruction:
To find out if it runs in a virtual machine, count the number of CPU ticks since reset.
- Segment register:
Determine if the program is being traced using the stack
- CPUID anti-vm:
Obtain the Hypervisor Brand string and check to see if it contains any of the words “VMware”.
- VBOX registry key anti-vm
Check for the presence of VM-related registry keys
- Beep API function anti-sandbox:
Alternative to the “Sleep API function,” delays the malware’s execution (making it more noticeable) in order to avoid being detected by the sandbox.
As an example of malware with a strong emphasis on evasion, Beep created a number of anti-analysis measures before finalizing its feature set for command execution and data theft. Although Beep’s actions in the wild are now limited, it might be a future concern to be aware of.
Conclusion
A new elusive piece of malware known as Beep that is made to slip under detection and drop additional payloads onto a compromised host has been discovered by cybersecurity researchers. According to Natalie Zargarov, a researcher at Minerva Labs, “it seemed as though the creators of this malware were trying to install as many anti-debugging and anti-VM (anti-sandbox) tactics as they could find.” The malware got its name because one such method entailed using the Beep API function to postpone the execution. Beep comprises three parts, the first of which is a dropper that creates a new Windows Registry key and runs a PowerShell script contained in it. The PowerShell script retrieves an injector from a remote server and uses a method known as process hollowing to extract and execute the payload after making sure it isn’t being debugged or started in a virtual machine.
