Critical Start Warns of New Beep Malware

By: Critical Start Cyber Threat Intelligence (CTI) Team

Summary: Deep Dive into a New Malware

Critical Start’s Cyber Threat Intelligence (CTI) researchers conducted a deep dive analysis on a new malware identified as Beep. This malware was originally identified within the cyber community as an information stealer. Information stealers target specific, sensitive information, such as bank account credentials, browser session cookies or valuable images and documents. However, the researchers found that the Beep malware gathers only the essential host information to allow the Command and Control (C2) server to provide additional modules and payloads compatible with the infected host, which algins the malware more closely with the functions of a botnet implant. Botnet implants are designed to provide attackers with remote access and control of the host, enabling them to take other actions on the system, including installing additional malware. In the analysis below the components of a botnet implant are identified within the attack pattern of this malware.

What is Beep Malware?

Beep is a newly discovered botnet implant malware which employs exhaustive anti-analysis and detection-evasion techniques and enables adversaries to deploy additional malware payloads onto compromised systems remotely. Beep comprises three separate components: a dropper, an injector, and the implant payload. While the methods and behavior of the sample are common in similar malware, Beep is unique due to the extensive range of techniques it uses to evade analysis and detection. The malware was named for one such technique, which involves delaying execution via the Beep API function provided by the Windows operating system. Beep appears to be in the early stages of development, with several planned features which have not yet been implemented.

Attack Pattern:

Beep has been delivered via spam email attachments, as well as via Discord and OneDrive URLs. There are three components to its infection chain, beginning with the dropper.

After performing extensive anti-analysis and sandbox-evasion techniques, the dropper (“big.dll”) creates a new registry key with an ‘AphroniaHaimavati’ value that contains a base64-encoded PowerShell script. This script is launched via a Windows scheduled task, set to trigger every 13 minutes.

This PowerShell script tries to download and run the injector component (“AphroniaHaimavati.dll”), which launches the implant component via process hollowing, disguising it as a legitimate system process (“WWAHost.exe”) to further impede detection.

The implant collects basic information—such as the OS version, processor architecture, available RAM, screen resolution, active username, and hostname—from the compromised machine. This information is encrypted and sent to the C2, enabling further commands and modules to be custom-tailored to the host.

Despite the C2 being offline at the time of analysis, researchers observed that the malware made persistent attempts to communicate with the C2, even after failing 120 times. If the process is not terminated, these attempts would likely continue indefinitely.

While multiple sources have reported that Beep’s anti-analysis and sandbox-evasion techniques are deployed by its injector, the original write-up by Minerva Labs states that these techniques are launched by the dropper prior to executing the infection chain. This aligns with observations from other similar samples.

Capabilities:

To prevent analysis, Beep scans the host to see if it is running in a sandbox, VM or debugger. If so, it terminates with no further action. Beep also obfuscates its code and encrypts communication with the C2, evading packet capture and static analysis techniques. Beep can execute commands and malware provided by the C2, such as InfoStealers, ransomware, crypto-miners, and more. Like similar implants, Beep leads to follow-on infections, impaired performance, data theft and/or loss, privacy issues, financial loss and identity theft.

Targeted Technology:

Windows Endpoint OS

Conclusion: Beep is a Threat Worth Watching

Beep is a botnet implant which focuses heavily on evasion, using multiple anti-analysis mechanisms before and during the infection chain. It enables attacker controlled C2 systems to launch further commands and malware on infected hosts. Beep is still in early development, and will likely gain new functionality as it evolves. Beep could be used for future malware campaigns, such as ransomware attacks. Despite limited operations for the moment, Beep is a threat worth watching.

Critical Start’s CTI team will continue to monitor new malware developments and work closely with the Threat Detection Engineering (TDE) team and our SOC to implement any relevant detections. For future updates on Beep and other emerging threats, follow the ZTAP® Bulletins and the Critical Start Intelligence Hub.

References