Security News

Antidetect.B malware found with valid digital certificate (Jun 8,2016)

By

The Dell Sonicwall Threats Research team observed reports of a second generation of Malware family named GAV: Antidetect.B actively spreading in the wild. A recently discovered variant of the Antidetect was found to use a legitimate digital signature to avoid detection from anti-virus systems. Antidetect.B uses process injection via Microsoft Register Server and Manipulates windows registry to avoid detection. Since the malware comes with a valid digital signature, it is an extremely dangerous situation because the file is digitally signed with a valid certificate; it appears trustworthy at first glance.

Infection Cycle:

The Malware uses the following icon:

Md5:

  • 33f494d3a27ded5c85f29c91f87400e0

The Malware adds the following file to the system:

  • Malware.exe

    • %Userprofile%Local SettingsApplication Data[Random Name][Random Name].exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun

  • HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun

The malware manipulates the windows registry; even if you run Regedit.exe you would not be able to see any evidence of the malware.

Here is an example:

The malware creates UID from your system and its saves on following registry keys:

Here is an example:

Once the computer is compromised, the malware copies its own executable file to %Userprofile%Local SettingsApplication Data folder With Random name and then injects Regsvr32.exe to collects information from target system.

Here is an example of the Malware injection:

The malware tries to transfers your personal information to its own C&C server such as following domains:

Command and Control (C&C) Traffic

Antidetect.B performs C&C communication over 80 and 8080 ports. The malware sends your system information to its own C&C server via following format, here are some examples:

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Antidetect.B (Trojan)

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Cyber Security News & Trends – 04-19-19
Microsoft Security Bulletin Coverage (Aug 9, 2016)
Kraken 1.52 Ransomware served by compromised Anti Spyware site
WSO2 API Manager RCE Vulnerability
NETGEAR ProSAFE NMS MFileUploadController Vulnerability
Oficla Trojan spam campaigns (July 9, 2010)
Laplas Clipper Strikes Again: With Anti Analysis Techniques
Dtrack RAT targeting a Nuclear Power Plant in India