A new malware researchers call "Beep" for its execution through the use of the Beep API function (yes, an actual "beep" sound) attracted some notice this week because of its clever use of evasion techniques.
In a Feb. 14 blog post, Minerva researchers said they discovered several new samples that were similar to each other and uploaded to VirusTotal (VT) in a form of .dll, .gif or .jpg files. The researchers said they were all tagged as “spreader” and “detect-debug-environment” by VT and caught their attention because they appeared to drop files, but those files could not be retrieved from VT.
So where did they go?
The researchers wrote that it seemed that the malware authors were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find. Here’s a quick overview of two such techniques cited in the Minerva research:
- Dynamic string deobfuscation: Widely used by threat actors to prevent important strings from being easily recovered. Mostly used for hiding imports, Beep copies hardcoded obfuscated hex bytes into the memory and then deobfuscates them with xor/sub/add/not assembly instructions.
- Default language check: Mostly used by authors from the former Soviet Union countries to evade infecting unwanted systems. Beep uses the GetUserDefaultLangID API function to retrieve the language identifier and check if it represents up to eight languages, including Russian, Ukrainian, or Belarusian.
Security researchers such as Andrew Barratt, vice president at Coalfire, said Beep has been one of the more interesting pieces of malware he’s seen of late because it’s an unusual combination of elegant analysis-evasion techniques and simultaneously leaves some really rookie indicators of its presence.
“Things like using scheduled tasks to persist are in the incident response 101 play book,” said Barratt. “Leaving really obvious file names ‘big.dll’ make this seem like this malware could well be a bait and switch in the future. Either that or that it was inadvertently released into the wild somewhat prematurely. This is one to watch. I’d expect that most endpoint tools pick this up as is right now — and then it might well evolve.”
Mike Parkin, senior technical engineer at Vulcan Cyber, said malware authors have been trying to improve their evasion techniques for years, and the case of Beep shows the length they are going to keep their malicious code hidden.
Parkin said these techniques take skill, practice, and access to all of the anti-malware tools their targets are using to detect them. He said we can expect to see this trend continue for the most sophisticated malware, and Parkin suspects we will see evidence that the malware authors use machine learning techniques to get past existing anti-malware products.
“Organizations are facing increased risks from more sophisticated threats,” said Parkin. “As malware gets more difficult to detect, there will need to be more focus on keeping it from landing in the first place. Users will have to be better trained and more aware, and there will need to be more development of tools that can stop suspicious payloads from reaching their target. We also need a better understanding of the situation so we can identify and isolate infected systems before the malware can do further damage if they do land.”
Christian Simko, vice president of product marketing at AppViewX, added that the way Beep has been built makes it difficult to detect and thus, it can get missed in the code reviews, ultimately putting legitimate software at risk. Simko said it’s more likely that attackers will use phishing and website spoofing to get individuals to execute the malware which could then prove arduous for security defenses to detect the malicious activity as well as detrimental to an organization’s security.
“In this case, cybersecurity education is still one of the best defenses,” said Simko. “Don’t open attachments that are executable files (.exe, .dll). Don’t click on untrusted links in emails. Don’t interact with websites that are not https protected (TLS/SSL certificates) — and even in this case always err on the side of caution based on the content.”
John Bambenek, principal threat hunter at Netenrich, said because of the amount of functionality that appears not implemented, and a C2 that’s already down, he wonders if this was really a malware author using VirusTotal to test their technique’s against security tools.
“A fundamental problem is that all our protective techniques are effectively public, therefore, the attackers have free reign to poke for weak spots,” Bambenek said.