New Malware Employs Crazy Obfuscation Techniques to Evade Anti-Virus Detection


Security researchers have recently identified a new malware strain that employs advanced obfuscation techniques to evade detection by antivirus software.

The malware, encapsulated in a file named “crypted.bat,” was found to be undetectable by major antivirus engines, raising concerns about the increasing challenges in cybersecurity.


Discovery and Initial Analysis

The malware was first spotted by a security analyst who noted its complete evasion of antivirus detection on VirusTotal, a popular online service for scanning files for viruses.

The file, identified by its SHA256 hash (453c017e02e6ce747d605081ad78bf210b3d0004a056d1f65dd1f21c9bf13a9a), utilized UTF-16 encoding as its initial layer of obfuscation, making it difficult for reverse engineers to analyze the code.

The malware employs several sophisticated obfuscation techniques. One notable method involves the use of empty environment variables within batch scripts.

Because these variables are never defined, cmd.exe expands each reference to nothing when it runs the script, so the padding disappears at runtime and the real command text is only visible once the references are stripped. Additionally, the script dynamically generates labels and jumps between them, further complicating analysis.
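The two layers just described, the UTF-16 encoding of the file and the references to environment variables that are never defined, can both be undone statically. The following analyst helper is an added example, not code from the article or from the SANS analysis, and the obfuscated script it operates on is constructed for illustration rather than taken from crypted.bat. It decodes the file, collects the names the script itself assigns with `set`, and removes every `%NAME%` reference that can only expand to the empty string.

```python
"""Added analyst helper (not from the article or the SANS report).

Undoes two obfuscation layers seen in the batch sample:
  1. UTF-16 encoding of the .bat file
  2. references to environment variables that are never defined, which
     cmd.exe expands to nothing inside a batch script

The sample script below is constructed for this example; it is not crypted.bat.
"""
import re

# Names cmd.exe or Windows always provide; references to these are real, not padding.
WELL_KNOWN_VARS = {
    "PATH", "TEMP", "TMP", "SYSTEMROOT", "WINDIR", "USERPROFILE", "APPDATA",
    "LOCALAPPDATA", "PROGRAMDATA", "COMSPEC", "USERNAME", "COMPUTERNAME",
    "PUBLIC", "PROGRAMFILES", "HOMEDRIVE", "HOMEPATH", "CD", "DATE", "TIME",
    "RANDOM", "ERRORLEVEL",
}

# %NAME% style reference (plain expansion; delayed !NAME! expansion is out of scope).
VAR_REF = re.compile(r"%([A-Za-z0-9_]+)%")
# 'set NAME=' or 'set "NAME=' at the start of a line.
SET_STMT = re.compile(r'^\s*set\s+"?([A-Za-z0-9_]+)=', re.IGNORECASE | re.MULTILINE)


def decode_batch(raw: bytes) -> str:
    """Decode a batch file that may be UTF-16 (with or without BOM) or ASCII/UTF-8."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    # Heuristic for BOM-less UTF-16LE: roughly every other byte is NUL.
    if len(raw) >= 4 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def defined_variables(script: str) -> set:
    """Names the script assigns itself; references to these must be kept."""
    return {m.group(1).upper() for m in SET_STMT.finditer(script)}


def strip_empty_variables(script: str) -> str:
    """Remove %NAME% references that can only expand to the empty string."""
    known = WELL_KNOWN_VARS | defined_variables(script)

    def keep_or_drop(m):
        return m.group(0) if m.group(1).upper() in known else ""

    return VAR_REF.sub(keep_or_drop, script)


def deobfuscate(raw: bytes) -> str:
    """Full pipeline: decode the bytes, then strip the padding references."""
    return strip_empty_variables(decode_batch(raw))


# Constructed sample: 'echo' and 'ping' are split by references to undefined variables,
# while %msg% is a genuine reference that must survive.
SAMPLE_SCRIPT = (
    "@echo off\r\n"
    'set "msg=hello"\r\n'
    "e%qx%c%zq%h%aa%o %msg%\r\n"
    "p%jk%i%lm%n%op%g 127.0.0.1 -n 1\r\n"
)
SAMPLE_BYTES = SAMPLE_SCRIPT.encode("utf-16")  # adds the BOM like a real UTF-16 .bat

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_BYTES))
```

The helper keeps a reference whenever the name is one Windows always defines or one the script assigns itself; everything else is treated as padding. It does not follow the dynamic `goto` labels the article mentions, which need a second pass over control flow.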

Upon execution, the malware deploys a static Python environment and establishes persistence via a scheduled task. This task ensures that the malware is re-executed at every system logon.

The payload, downloaded from a remote server, is heavily obfuscated Python code designed to perform code injection using the process hollowing technique.

According to the SANS report, the malware uses a series of API calls to perform classic code injection. It picks a process at random from a list of legitimate Windows programs, such as notepad.exe or svchost.exe, and launches it in a suspended state.

The malicious code is then injected into this process, allowing the malware to operate under the guise of a legitimate application.

Further analysis revealed that the malware communicates with a command and control (C2) server located at 15.235.176.64:7000. The communication is encrypted using AES, with a specified key, ensuring that data exchanged between the malware and the server remains secure from interception.
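From the defender's side, the two most useful observables in the report are the injection chain (a process started suspended, memory written into it by its creator, then its thread resumed) and the published C2 endpoint. The detector below is an added example, not code from the article or the SANS analysis; the line-oriented API trace it parses is a constructed format, not the output of any particular sandbox or EDR, so the parser would need adapting to real telemetry. The C2 address and port are the ones reported in the article.

```python
"""Added detection example (not from the article or the SANS report).

Flags the process hollowing pattern the article describes and connections to
the reported C2 endpoint, over a constructed JSON-lines API trace. The trace
format is invented for this example; adapt parse_event() to your own telemetry.
"""
import json

# C2 endpoint published in the article.
C2_ENDPOINTS = {("15.235.176.64", 7000)}

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Constructed trace: one JSON object per API call, as a sandbox might log them.
TRACE = """
{"pid": 4100, "api": "CreateProcessW", "args": {"image": "notepad.exe", "dwCreationFlags": 4}, "ret": {"dwProcessId": 5212}}
{"pid": 4100, "api": "VirtualAllocEx", "args": {"hProcess_pid": 5212, "flProtect": 64}}
{"pid": 4100, "api": "WriteProcessMemory", "args": {"hProcess_pid": 5212, "nSize": 20480}}
{"pid": 4100, "api": "SetThreadContext", "args": {"hThread_pid": 5212}}
{"pid": 4100, "api": "ResumeThread", "args": {"hThread_pid": 5212}}
{"pid": 5212, "api": "connect", "args": {"ip": "15.235.176.64", "port": 7000}}
{"pid": 7000, "api": "CreateProcessW", "args": {"image": "cmd.exe", "dwCreationFlags": 0}, "ret": {"dwProcessId": 7011}}
{"pid": 7000, "api": "ResumeThread", "args": {"hThread_pid": 7011}}
""".strip()


def parse_event(line: str) -> dict:
    """One trace line to a dict; replace this for a real log format."""
    return json.loads(line)


def analyze(trace_text: str) -> list:
    """Return a list of alert dicts found in the trace."""
    suspended = {}  # target pid -> {"creator": pid, "image": str, "written": bool}
    alerts = []

    for line in trace_text.splitlines():
        ev = parse_event(line)
        api, args = ev["api"], ev.get("args", {})

        # Step 1: a process created in a suspended state is a candidate host.
        if api == "CreateProcessW" and args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
            target = ev["ret"]["dwProcessId"]
            suspended[target] = {"creator": ev["pid"], "image": args.get("image"), "written": False}

        # Step 2: the creator writes into that suspended process.
        elif api == "WriteProcessMemory" and args.get("hProcess_pid") in suspended:
            state = suspended[args["hProcess_pid"]]
            if state["creator"] == ev["pid"]:
                state["written"] = True

        # Step 3: the creator resumes it; that completes the hollowing chain.
        elif api == "ResumeThread":
            state = suspended.get(args.get("hThread_pid"))
            if state and state["written"] and state["creator"] == ev["pid"]:
                alerts.append({
                    "type": "process_hollowing",
                    "source_pid": ev["pid"],
                    "target_pid": args["hThread_pid"],
                    "target_image": state["image"],
                })

        # Independent check: any connection to the published C2 endpoint.
        elif api == "connect" and (args.get("ip"), args.get("port")) in C2_ENDPOINTS:
            alerts.append({"type": "c2_connection", "pid": ev["pid"],
                           "endpoint": f'{args["ip"]}:{args["port"]}'})

    return alerts


if __name__ == "__main__":
    for alert in analyze(TRACE):
        print(alert)
```

The chain is tied to the creating process on purpose: a suspended start followed by a resume is normal for debuggers and some installers, so the alert only fires when the same process also wrote into the target's memory. The final two trace lines show a suspended-free start and resume that correctly produce no alert.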

This discovery underscores the growing complexity and sophistication of modern malware.

The use of advanced obfuscation techniques not only challenges traditional antivirus solutions but also necessitates the development of more robust cybersecurity measures.

As attackers continue to innovate, the cybersecurity community must remain vigilant and adaptive to protect against these evolving threats.
