Pierluigi Paganini February 15, 2023

Experts detected a new evasive malware dubbed Beep, it implements many anti-debugging and anti-sandbox techniques.

Researchers from Minerva recently discovered a new evasive malware dubbed Beep, which implements many anti-debugging and anti-sandbox techniques.

The name Beep comes from the use of techniques involved in delaying the execution through the use of the Beep API function.

The experts noticed several new samples that were uploaded to VirusTotal (VT) as .dll, .gif or .jpg files. The samples were labeled as ‘spreader’ and ‘detect-debug-environment’ by VT and were used to drop additional payloads.  

“Once we dug into this sample, we observed the use of a significant amount of evasion techniques. It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find.” reads the analysis published by the experts. “One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name.” 

After performing anti-debugging and anti-vm checks, the malware dropper creates a new Windows Registry key and executes a Base64-encoded PowerShell script stored in the value (named ‘AphroniaHaimavati’) of the key.

In turn, the PowerShell script retrieves an injector from a remote server, which extracts and launches the payload using the Process Hollowing injection technique.

The attack chain ends by dropping an information stealer on the victim’s system, it supports multiple commands, some of which are not yet implemented, including:

• balancer – not implemented yet. 
• init – not implemented yet. 
• screenshoot – appears to collect the process list. 

• task – not implemented yet. 
• destroy – not implemented yet. 
• shellcode – executes additional shellcode. 
• dll – executes a dll file. 
• exe – executes a .exe file. 

• Additional – collects additional info. 
• knock_timeout – changes C&C “keep-alive” intervals. 

The experts pointed out that once the Beep malware has infected a system, it can be used to spread a wide range of additional malicious payloads and hacking, including ransomware.

“The new Beep malware’s efforts to evade detection set it apart from other malware. The sheer number of evasive techniques it implements to avoid sandboxes, VMs, and other debugging techniques is not often seen.” concludes the report which also includes Indicators of Compromise (IoCs) for this emerging threat.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Beep malware)