Cybersecurity researchers have found a new piece of evasive malware named “Beep” (just one Beep) designed to operate undetected and deliver additional payloads onto a compromised host. The authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find, reported investigators. One such technique involved delaying execution through the Beep API function, hence the malware's name.[1]
All PCs previously shared an 8254 programmable interval timer chip for generating primitive sounds. The Beep function was written specifically to emit a beep on that piece of hardware. On these older systems, muting and volume controls do not affect Beep; you would still hear the tone.
To silence the tone, you used the following commands:
- net stop beep
- sc config beep start= disabled
Since then, sound cards have become standard equipment on almost all PCs. As sound cards became more common, manufacturers began to remove the old timer chip from computers. The chips were also excluded from the design of server computers. The result is that Beep no longer worked on computers without the chip. This was acceptable because most developers had moved on to calling the MessageBeep function, which uses the default sound device instead of the 8254 chip.
The Beep malware comprises three components. The first is a dropper responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it. The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it's not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing.
The payload is an information stealer to collect and exfiltrate system information and enumerate running processes. Other instructions the malware can accept from a command-and-control (C2) server include the ability to execute DLL and EXE files. Several other features are yet to be implemented, suggesting that Beep is still in its early stages of development.
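A defender-side check for the dropper stage described above, as an added example that is not part of the original article or the researchers' tooling: it scans exported registry value data for Base64 runs that decode to PowerShell. The key paths, the sample script and the keyword list are constructed assumptions, not indicators from the Beep report.

```python
import base64
import binascii
import re

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # short runs are too noisy
# Assumed heuristic keywords, not indicators taken from the Beep report.
PS_MARKERS = ("invoke-", "new-object", "iex", "downloadstring",
              "frombase64string", "start-process", "net.webclient")

def decode_candidates(blob):
    """Yield the blob as text in the encodings PowerShell scripts usually use."""
    for enc in ("utf-16-le", "utf-8"):
        try:
            yield blob.decode(enc)
        except UnicodeDecodeError:
            continue

def find_encoded_powershell(value_data):
    """Return decoded scripts hidden as Base64 inside one registry value."""
    hits = []
    for run in B64_RUN.findall(value_data):
        core = run.rstrip("=")
        try:
            blob = base64.b64decode(core + "=" * (-len(core) % 4), validate=True)
        except binascii.Error:
            continue  # looked like Base64 but does not decode
        for text in decode_candidates(blob):
            matched = [m for m in PS_MARKERS if m in text.lower()]
            if len(matched) >= 2:  # one keyword alone is too weak a signal
                hits.append({"script": text, "markers": matched})
                break
    return hits

def scan_values(values):
    """Map value path -> findings for each value that holds encoded PowerShell."""
    found = {path: find_encoded_powershell(data) for path, data in values.items()}
    return {path: hits for path, hits in found.items() if hits}

# Constructed sample: key paths, names and contents are invented for this example.
SAMPLE_SCRIPT = "$w = New-Object Net.WebClient; Start-Process notepad.exe"
SAMPLE_VALUES = {
    r"HKCU\Software\ExampleVendor\Settings":
        base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode(),
    r"HKCU\Software\ExampleVendor\InstallId": "3f2a9c1e-77b4-4d0a-9a51-0c6e5d2b8f10",
    r"HKCU\Software\ExampleVendor\Icon": base64.b64encode(bytes(range(256))).decode(),
}

if __name__ == "__main__":
    for path, findings in scan_values(SAMPLE_VALUES).items():
        print(path, findings[0]["markers"])
```

Binary data stored as Base64 (the constructed `Icon` value) decodes but carries no script keywords, so it is not reported; only values whose decoded text contains at least two markers are flagged for review.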
What sets the emerging malware apart is its heavy focus on stealth, adopting several detection evasion methods to resist analysis, avoid sandboxes, and delay execution. Once this malware penetrates a system, it can easily download and spread a wide range of additional malicious tools, including ransomware, making it extremely dangerous.
The findings come as antivirus vendor Avast revealed details of another dropper strain codenamed NeedleDropper that has been used to distribute different malware families since October 2022. Delivered via spam email attachments, Discord, or OneDrive URLs, the malware is suspected to be offered as a service for other criminal actors looking to distribute their payloads. According to researchers, the malware tries to hide by dropping many unused, invalid files, storing important data between several MB of unimportant data, and utilizing legitimate applications to perform its execution.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2023/02/experts-warn-of-beep-new-evasive.html