Thursday, April 17, 2025
HomeBackdoorMalware Tricks to Avoid Detection by using Big Junk Data and Activates...

Malware Tricks to Avoid Detection by using Big Junk Data and Activates a Backdoor

Published on

SIEM as a Service

Follow Us on Google News

[jpshare]A New technique used by Malware authors by Creating More unwanted junk file embedded with Malicious payload which leads to Avoid Detection by AV. Those unwanted Garbage files contains more than 100 MB junk files.

According to the Researchers from Kaspersky ,attacker has been using the XXMM malware toolkit and this sample has a very big overlay of junk data and 20 other similar samples are collected by YARA Rules.

This Malware identified as a Trojan loader which leads to Open a Backdoor in Victim Machine and the Backdoor name is Discovered as a “wali”

- Advertisement - Google News

config strings with “[wali]” [souce :Kaspersky]

According to Kaspersky The size of one wali loader (MD5:d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,3,52 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

What is inside the wali loader:

its contains more then 100 MB of non related junk files  is the Reason Behind of the Wali loader’s big Size Backdoor .

According to Researchers ShadowWali was an earlier version of Wali. The fact that ShadowWali only supported 32-bit architectures, while Wali runs on both 32-bit and 64-bit systems.

The wali loader is installed onto the victim’s machine when the overlay data is generated by the wali dropper.

Structure of wali modules [Source:Kaspersky]

“Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, this malware decrypts the 64-bit version of the wali loader from resource id 101. Otherwise, it decrypts the 32-bit version of the wali loader from resource id 102″

Based Upon the Random Values Malware junk size may Differ betweek 50 MB to 200 MB.

Some of sample Malware Detected by Kaspersky,

  • Trojan.Win32.Xxmm
  • Trojan.Win64.Xxmm
  • Trojan-Downloader.Win32.Xxmm
  • Trojan-Downloader.Win64.Xxmm
  • Trojan-Dropper.Win32.Xxmm
  • Trojan-Dropper.Win64.Xxmm

 Once ShadowWali or Wali are installed, the malware injects itself into other processes.

In most infections, the process of choice has been Internet Explorer (iexplorer.exe), but there have been cases where the malware was injected into Windows Explorer (explorer.exe) and the Local Security Authority Subsystem Service (lsass.exe).

Also Researchers said, executable malwares disguised as movie files and ISO files spread over torrents, which in these cases, the malware size is inflated to a few gigabytes in order to mimic true content .

Also Read:

Millions of Smartphones are Vulnerable to inject Backdoor via open Ports

A new IoT Botnet is Spreading over HTTP Port 81 and Exploit the Vulnerability in Security Cameras

Mass Scan Revealed More Than 30000 Windows Computers Infected by NSA backdoor DoublePulsar

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Ransomware Attacks Surge 126%, Targeting Consumer Goods and Services Sector

The cybersecurity landscape witnessed a dramatic escalation in ransomware attacks, marking a concerning trend...

CrazyHunter Hacker Group Exploits Open-Source GitHub Tools to Target Organizations

A relatively new ransomware outfit known as CrazyHunter has emerged as a significant threat,...

Threat Actors Leverage Cascading Shadows Attack Chain to Evade Detection and Hinder Analysis

A sophisticated multi-layered phishing campaign was uncovered, employing a complex attack chain known as...

Microsoft Vulnerabilities Reach Record High with Over 1,300 Reported in 2024

The 12th Edition of the Microsoft Vulnerabilities Report has revealed a significant surge in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Kaspersky Shares 12 Essential Tips for Messaging App Security and Privacy

In an era where instant messaging apps like WhatsApp, Telegram, Signal, iMessage, Viber, and...

Top 10 Best Penetration Testing Companies in 2025

Penetration testing companies play a vital role in strengthening the cybersecurity defenses of organizations...

WinRAR 7.10 Latest Version Released – What’s New!

The popular file compression and archiving tool, WinRAR 7.10, has released with new features,...