Thursday, January 23, 2025
HomeBackdoorMalware Tricks to Avoid Detection by using Big Junk Data and Activates...

Malware Tricks to Avoid Detection by using Big Junk Data and Activates a Backdoor

Published on

SIEM as a Service

Follow Us on Google News

[jpshare]A New technique used by Malware authors by Creating More unwanted junk file embedded with Malicious payload which leads to Avoid Detection by AV. Those unwanted Garbage files contains more than 100 MB junk files.

According to the Researchers from Kaspersky ,attacker has been using the XXMM malware toolkit and this sample has a very big overlay of junk data and 20 other similar samples are collected by YARA Rules.

This Malware identified as a Trojan loader which leads to Open a Backdoor in Victim Machine and the Backdoor name is Discovered as a “wali”

config strings with “[wali]” [souce :Kaspersky]

According to Kaspersky The size of one wali loader (MD5:d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,3,52 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

What is inside the wali loader:

its contains more then 100 MB of non related junk files  is the Reason Behind of the Wali loader’s big Size Backdoor .

According to Researchers ShadowWali was an earlier version of Wali. The fact that ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems.

The wali loader is installed onto the victim’s machine when the overlay data is generated by the wali dropper.

Structure of wali modules [Source:Kaspersky]

“Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102″

Based Upon the Random Values Malware junk size may Differ betweek 50 MB to 200 MB.

Some of sample Malware Detected by Kaspersky,

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

 Once ShadowWali or Wali are installed, the malware injects itself into other processes.

In most infections, the process of choice has been Internet Explorer (iexplorer.exe), but there have been cases where the malware was injected into Windows Explorer (explorer.exe) and the Local Security Authority Subsystem Service (lsass.exe).

Also Researchers said, executable malwares disguised as movie files and ISO files spread over torrents, which in these cases, the malware size is inflated to a few gigabytes in order to mimic true content .

Also Read:

Millions of Smartphones are Vulnerable to inject Backdoor via open Ports

A new IoT Botnet is Spreading over HTTP Port 81 and Exploit the Vulnerability in Security Cameras

Mass Scan Revealed More Than 30000 Windows Computers Infected by NSA backdoor DoublePulsar

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Nnice Ransomware Attacking Windows Systems With Advanced Encryption Techniques

CYFIRMA's Research and Advisory team has identified a new strain of ransomware labeled "Nnice,"...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

QSC: Multi-Plugin Malware Framework Installs Backdoor on Windows

The QSC Loader service DLL named "loader.dll" leverages two distinct methods to obtain the...

Stealthy Steganography Backdoor Attacks Target Android Apps

BARWM, a novel backdoor attack approach for real-world deep learning (DL) models deployed on...

SMOKEDHAM Backdoor Mimic As Legitimate Tools Leveraging Google Drive & Dropbox

UNC2465, a financially motivated threat actor, leverages the SMOKEDHAM backdoor to gain initial access...