Tuesday, July 23, 2024

Malware Tricks to Avoid Detection by using Big Junk Data and Activates a Backdoor

A new technique used by malware authors embeds the malicious payload in a file padded with a large amount of unwanted junk data, which helps the file avoid detection by AV. The resulting files contain more than 100 MB of junk.

According to researchers from Kaspersky, the attacker has been using the XXMM malware toolkit; the sample has a very large overlay of junk data, and 20 other similar samples were collected using YARA rules.

This malware is identified as a Trojan loader that opens a backdoor on the victim's machine; the backdoor has been named “wali”.

Config strings with “[wali]” [Source: Kaspersky]

According to Kaspersky, the size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes. The function that appends garbage produced a new malware file used in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33), and the file size was increased to 105,982,049 bytes.

What is inside the wali loader:

It contains more than 100 MB of unrelated junk data, which is the reason behind the wali loader's large size.

According to the researchers, ShadowWali was an earlier version of Wali: ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems.

The wali loader is installed onto the victim’s machine when the overlay data is generated by the wali dropper.

Structure of wali modules [Source:Kaspersky]

“Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102”

Based on random values, the junk size may differ between 50 MB and 200 MB.
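As an added defender-side example (not code from the article or from Kaspersky), the following Python reads the PE section table to measure the overlay (bytes appended after the last section) and flags files whose overlay is both large and many times the size of the real image, the pattern described for the padded wali loader. The minimal PE skeleton built by `build_fake_pe` is constructed for illustration only and is not a runnable executable.

```python
import struct

def pe_overlay_size(data: bytes) -> int:
    """Return the number of bytes appended after the last PE section."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16 within the 20-byte file header.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    end_of_sections = 0
    for i in range(num_sections):
        entry = section_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        size_raw, ptr_raw = struct.unpack_from("<II", data, entry + 16)
        end_of_sections = max(end_of_sections, ptr_raw + size_raw)
    return max(0, len(data) - end_of_sections)

def is_suspiciously_padded(data: bytes, min_overlay: int = 50 * 1024 * 1024,
                           ratio: float = 10.0) -> bool:
    """True when the overlay is at least min_overlay bytes (default 50 MB,
    the low end of the junk sizes reported) and dwarfs the PE image itself."""
    overlay = pe_overlay_size(data)
    image = len(data) - overlay
    return overlay >= min_overlay and overlay >= ratio * max(image, 1)

def build_fake_pe(section_bytes: bytes, overlay: bytes) -> bytes:
    """Constructed PE skeleton: DOS stub, file header, one section, overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_hdr_size = 0  # no optional header is needed for overlay arithmetic
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0)
    ptr_raw = e_lfanew + 4 + 20 + opt_hdr_size + 40  # right after section table
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(section_bytes), 0x1000,
                                        len(section_bytes), ptr_raw, 0, 0, 0, 0,
                                        0x60000020)
    return dos + b"PE\0\0" + file_hdr + sect + section_bytes + overlay

def overlay_check_demo() -> bool:
    # Constructed sample: 1 KiB of "code" followed by 1 MiB of junk overlay.
    sample = build_fake_pe(b"\xc3" * 1024, b"\x00" * (1 << 20))
    return is_suspiciously_padded(sample, min_overlay=1 << 20)
```

On real files the default 50 MB threshold applies; the demo lowers it only to keep the constructed sample small.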

Some of the sample malware detected by Kaspersky:

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

Once ShadowWali or Wali is installed, the malware injects itself into other processes.

In most infections, the process of choice has been Internet Explorer (iexplorer.exe), but there have been cases where the malware was injected into Windows Explorer (explorer.exe) and the Local Security Authority Subsystem Service (lsass.exe).

The researchers also noted executable malware disguised as movie files and ISO files spread over torrents; in these cases the malware size is inflated to a few gigabytes in order to mimic real content.

Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
