Cybercriminals periodically develop something new. Sometimes it is an updated version of already known malware, and sometimes it is something new and not obvious, such as Beep malware. Thus, this malware has one distinguishing feature: a new tactic of evading detection. Although Beep malware is still under development, it already boasts existing functionality that avoids being analyzed and detected by security software.
What kind of malware is Beep?
Not so long ago, Minerva cybersecurity researchers discovered a very interesting malware with an equally exciting name, “Beep”. Beep Malware is a new stealth virus with several features designed to steal sensitive information and create a chain of infections. The latter involves downloading/installing additional malware or components. Consequently, it can infect devices with Trojans, ransomware, cryptocurrency miners, or other malware.
There is speculation that Beep is delivered via a spam email attachment, Discord, or OneDrive URL. It is also mentioned to be a “malware-as-a-service” i.e. it offers other criminals to spread their payloads within the botnet infected by the Beep . It consists of three components: a dropper, an injector, and a payload.
Dropper
The dropper starts its work after some anti-debugging and anti-VM checks. Then it creates a new registry section with the value “AphroniaHaimavati” and a base64-encoded PowerShell script. It then adds a scheduled task every 13 minutes and executes the PowerShell script stored in the registry. Before running, the script loads the data and stores it in an injector called AphroniaHaimavati.dll.
Injector
The injector is a component that uses several debugging and virtual machine protection techniques to inject a payload into a legitimate system process, for example, “WWAHost.exe”. This is achieved by cleaning the process and is done to avoid detection by antivirus tools.
Payload
The primary payload tries to collect the needed data from the compromised machine. It then encrypts them and tries to send them to C2, which has been hard-coded. Although C2’s hard-coded address was disabled during the analysis, the malware tried connecting even after 120 failed attempts.
Despite the limitations of malware analysis, experts were still able to detect the following functions in the sample, which are triggered by C2 commands:
- dll (executes a dll file)
- exe (runs an.exe file)
- shellcode (executes further shellcode)
- screenshot (a task that seems to collect the process list)
- additional (gathers more data)
- knock timeout (modifies “Keep-alive” intervals for C&C)
Moreover, it has at least four functions that were not used during the test: destroy, init, task, and balancer. This, however, does not make it less dangerous.
Evading detection methods
Let’s look at what the Beep malware highlights: the detection evasion techniques it uses throughout the execution process. Once analysts dug deeper into this sample, they noticed the use of many evasion techniques. This gave the impression that the authors of the Beep malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as possible. For example, one method was to delay execution using the Beep API, hence the malware’s name.
Anti-analysis features in Beep malware:
- Beep API function anti-sandbox. It’s the same function after which the malware is named. An alternative to the Sleep API function, which generates a beep on the PC speaker, delaying malware execution (warning wait) to avoid sandbox detection.
- Dynamic string deobfuscation. This method means the code strings are kept obfuscated for the whole time, and the confusion layer is removed only for those strings that are going to be used at the moment. Deobfuscation is done using xor/sub/add/not assembly functions.
- System Language check. A pretty typical IP location checkup that is often met in malware developed in ex-USSR countries, particularly Russia and Ukraine. It is performed to avoid infecting machines from these locations – such distorted ethics. If either Russian, Ukrainian, Belarusian, Tajik, Slovenian, Georgian, Kazakh, or Uzbek (Cyrillic alphabet) are detected in the system, Beep will cease any further execution.
- NtGlobalFlag field checkup for anti-debugging. In this case, malware seeks for the offset of NtGlobalFlag. If it matches with the one that is typical for the system with a debugger enabled – the Beep ceases execution.
- Own implementation of IsDebuggerPresent API function. Beep malware developers implemented the ASM variant of the C++ call, which checks if the process that calls for this function is debugged by a user-mode debugger.
- Stack Segment Register checkup. The fact that the Beep is written in Assembly allows it to communicate directly with the processor. It uses information from the stack segment register of the CPU to see if there are any calls typically used for debug purposes.
- Read Time Stamp Counter (RDTSC) instruction check. Malware checks the number of CPU ticks since the last reset to determine if it runs on a virtual machine. Machines with freshly-installed OS may be the source of false positives though.
- CPUID anti-vm. Using CPUID function, malware А obtains the Hypervisor Brand string, which contains information about virtualization software vendors. Names like VMWare, Oracle, Parallels, Citrix or others will trigger self-destruction procedures.
- VBOX registry key anti-vm. It’s one of the least complicated checks that aims at displaying if there are any VM-specific registry keys present in the system. Detecting the one causes malware to self-destruct.
The injector component implements the following evasion methods:
- INT 3 and INT 2D anti-debugging. Generates an exception that will make the debuggers stop working. The former literally sets a breakpoint in the debugger execution; INT 2D instruction allows the malware to change execution flow when it detects a debugger presence.
- CheckRemoteDebuggerPresent() API anti-debugging. Is a kernel32.dll function that sets (-1)0xffffffffff in the DebuggerPresent parameter if a debugger is present. Internally it also uses NtQueryInformationProcess with ProcessDebugPort as the ProcessInformationClass parameter.
- IsDebuggerPresent() API anti-debugging. The easiest method to protect against debugging that determines whether custom modes debuggers, such as OllyDbg or x64dbg, debug the current process. Typically, the function only checks the “BeingDebugged” flag of the Process Environment Block (PEB).
- ProcessDebugPort anti-debugging. Allows the malware to retrieve the debugger port number for a process using ntdll!NtQueryInformationProcess(). There is a documented ProcessDebugPort class that retrieves a DWORD value of 0xFFFFFFFFFF (decimal number -1 ) if the process is debugging.
- VirtualAlloc()/GetWriteWatch() anti-debugging. It is a low-level Windows API providing many options. For example, GetWriteWatch allows you to get the addresses of the pages that have been written to since the region was allocated or the write tracking state was reset. In addition, this function can track debuggers that may modify memory pages outside of the expected pattern.
- OutputDebugString() anti-debugging. Debugger detection method based on the result of a callback. An obsolete method because it only works for Windows versions before Vista. If no debugger is present and kernel32!OutputDebugString is called, and an error occurs.
- QueryPerformanceCounter() and GetTickCount64() anti-debugging. This method retrieves the current performance counter value, which is a high-resolution time stamp (<1µs) that can be used to measure time intervals. Thus measures the delay between instructions and execution to determine if the system is running a debugger.
How dangerous is the Beep malware?
The authors of Beep malware primarily focus on evading detection, which makes it difficult for security software and researchers to detect and analyze. On the other hand, it has shown minimal and incomplete functionality for its direct purpose, i.e., stealing data and executing commands. Still, nothing stops the hackers from expanding malicious functionality. And even if this particular malware is more about being a technology demonstrator sample, it is expected to see these evasion techniques in other, more common malware samples.