Experts Warn of ‘Beep’ – A New Evasive Malware That Can Fly Under the Radar
Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.
“It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find,” Minerva Labs researcher Natalie Zargarov said.
“One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name.”
Beep comprises three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it.
The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it’s not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing.
The payload is an information stealer that’s equipped to collect and exfiltrate system information and enumerate running processes. Other instructions the malware is capable of accepting from a command-and-control (C2) server include the ability to execute DLL and EXE files.
A number of other features are yet to be implemented, suggesting that Beep is still in its early stages of development.
What sets the emerging malware apart is its heavy focus on stealth, adopting a sheer number of detection evasion methods in an attempt to resist analysis, avoid sandboxes, and delay execution.
“Once this malware successfully penetrates a system, it can easily download and spread a wide range of additional malicious tools, including ransomware, making it extremely dangerous,” Zargarov noted.
The findings come as antivirus vendor Avast revealed details of another dropper strain codenamed NeedleDropper that has been used to distribute different malware families since October 2022.
Delivered via spam email attachments, Discord, or OneDrive URLs, the malware is suspected to be offered as a service for other criminal actors looking to distribute their own payloads.
“The malware tries to hide itself by dropping many unused, invalid files and stores important data between several MB of unimportant data, and also utilizes legitimate applications to perform its execution,” the company said.