Thursday, February 27, 2025
Follow us On Linkedin
HomeBackdoorMalware Tricks to Avoid Detection by using Big Junk Data and Activates...

Malware Tricks to Avoid Detection by using Big Junk Data and Activates a Backdoor

BackdoorWhat is

Published on

By Balaji
Malware Tricks to Avoid Detection by using Big Junk Data and Activates a Backdoor

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

[jpshare]A New technique used by Malware authors by Creating More unwanted junk file embedded with Malicious payload which leads to Avoid Detection by AV. Those unwanted Garbage files contains more than 100 MB junk files.

According to the Researchers from Kaspersky ,attacker has been using the XXMM malware toolkit and this sample has a very big overlay of junk data and 20 other similar samples are collected by YARA Rules.

This Malware identified as a Trojan loader which leads to Open a Backdoor in Victim Machine and the Backdoor name is Discovered as a “wali”

config strings with “[wali]” [souce :Kaspersky]

According to Kaspersky The size of one wali loader (MD5:d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,3,52 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

What is inside the wali loader:

its contains more then 100 MB of non related junk files  is the Reason Behind of the Wali loader’s big Size Backdoor .

According to Researchers ShadowWali was an earlier version of Wali. The fact that ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems.

The wali loader is installed onto the victim’s machine when the overlay data is generated by the wali dropper.

Structure of wali modules [Source:Kaspersky]

“Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102″

Based Upon the Random Values Malware junk size may Differ betweek 50 MB to 200 MB.

Some of sample Malware Detected by Kaspersky,

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

 Once ShadowWali or Wali are installed, the malware injects itself into other processes.

In most infections, the process of choice has been Internet Explorer (iexplorer.exe), but there have been cases where the malware was injected into Windows Explorer (explorer.exe) and the Local Security Authority Subsystem Service (lsass.exe).

Also Researchers said, executable malwares disguised as movie files and ISO files spread over torrents, which in these cases, the malware size is inflated to a few gigabytes in order to mimic true content .

Also Read:

Millions of Smartphones are Vulnerable to inject Backdoor via open Ports

A new IoT Botnet is Spreading over HTTP Port 81 and Exploit the Vulnerability in Security Cameras

Mass Scan Revealed More Than 30000 Windows Computers Infected by NSA backdoor DoublePulsar

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Apple

New “nRootTag” Attack Turns 1.5 Billion iPhones into Free Tracking Tools

Security researchers have uncovered a novel Bluetooth tracking vulnerability in Apple’s Find My network...
Cyber Security News

Authorities Arrested Hacker Behind 90 Major Data Breaches Worldwide

Cybersecurity firm Group-IB, alongside the Royal Thai Police and Singapore Police Force, announced the...
Cisco

Cisco Nexus Vulnerability Allows Attackers to Inject Malicious Commands

Cisco Systems has issued a critical security advisory for a newly disclosed command injection...
Cyber Security News

New Wi-Fi Jamming Attack Can Disable Specific Devices

A newly discovered Wi-Fi jamming technique enables attackers to selectively disconnect individual devices from...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

Cyber Security News

WinRAR 7.10 Latest Version Released – What’s New!

The popular file compression and archiving tool, WinRAR 7.10, has released with new features,...
Backdoor

Lazarus Hackers Tamper with Software Packages to Gain Backdoor Access to the Victims Device

A recent investigation conducted by STRIKE, a division of SecurityScorecard, has unveiled the intricate...
Backdoor

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2024 GBHackers On Security - All Rights Reserved