Novel Malicious code evasion method for AI/ML based detection


The SonicWall Capture Labs Threat Research team has observed Remcos RAT (Remote Access Trojan) being distributed by adding malicious code in existing open-source software. This appears to be an attempt to evade Security products which are based on Machine Learning / Artificial Intelligence as most of the machine code will be same to that of the clean application code. The malicious code also has anti-sandboxing and anti-emulation features added to it. This further helps in evading Security products.

Binary Comparison with clean application

In the malware sample that we have analyzed, we noticed that the legitimate code was taken from TightVNC Software, which is free and Open-Source remote desktop software that lets you access and control a computer over the network. The source is available on the website downloads page. Below image is the comparison of the analyzed sample against a clean TightVNC viewer (2.8.81) application, which shows approximately 90% of the code is similar in both these files.

Fig1: Binary comparison the sample with the clean binary (TightVNC viewer.exe)

Malicious code Analysis

On analyzing the malware sample binary code, it is observed that a malicious function, which has code to load required DLLs (kernel32.dll, wininet.dll, etc.,) to download additional payloads, has been added to the legitimate source code before compilation. The malicious code is placed in such a way that it gets executed always and exits with an error message if it encounters any failure in the checks (filename not matching, download failing etc.,)

Fig-2: Left side is the original clean code and right side is the decompiled code from the malware

Below is the image which shows that the malicious function is exclusively available in the sample only.

Fig-3: Showing that malicious code does not have a matching function in clean binary

Infection Cycle

The malware code is obfuscated, and it uses anti-emulation and anti-sandbox techniques to evade detection in a controlled environment. The malware terminates the execution by displaying an error message while executed in the controlled environment:

Fig4: Code displays error message in controlled environment

Anti-Sandboxing feature

The malware retrieves its own executable file name and calculates a checksum value by adding each alphabet’s ascii value in the filename. If the checksum value is either 0x7AE or 0x718 then malware continues execution otherwise the malware terminates itself. The corresponding filename for the checksum value 0x7AE is “patchSvc_beta_v2.exe” and filename length must be 0x14. The filename length for checksum value 0x718 must be 0x12. Below is the code to calculate the checksum and filename length:

Fig5: Code calculates and compares checksum of its own executable

Anti-Emulation feature

The malware downloads a PNG image file from Unified Resource Locator (URL) h[t][t]ps:// by setting user agent value as “spirochete” to the web request:

Fig6: Code downloads a PNG image from an URL

Initial 0x20 bytes from the downloaded PNG image file are used to decrypt the API name “InitOnceExecuteOnce”. The malware retrieves the address of API “InitOnceExecuteOnce” using GetProcAddress and invokes this API by passing argument of the next executable module of the malware. Because the API name is dynamically decrypted using the downloaded image file bytes, this acts as an anti-emulation / anti-analysis feature when the URL is not serving any data or is unreachable.

Fig7: Code decrypts an API name using downloaded data

Next the malware resolves the address and invokes the “VirtualProtect” API by the same manner, it used to execute the “InitOnceExecuteOnce” API. The malware modifies the memory protection to PAGE_EXECUTE_READWRITE to decrypt the next layer code using a hardcoded key and again modifies the memory protection to PAGE_EXECUTE_READ before transferring control to the decrypted code:

Fig8: Code decrypts next layer malicious code

Next the malware drops ASUS software component files into “%APPDATA%\TaskWordpad_test” along with malicious DLL file “AsIO.dll.” The malware executes the “atkexComSvc.exe” which loads malicious DLL file “AsIO.dll” and further executes and injects Remcos malware into explorer.exe:

Fig9: Code does create process for a dropped file

Fig10: Process execution sequence

Remcos is a well-known Remote Access Trojan (RAT) which collects various information from the victim’s machine including executable’s name, computer name, Windows version, RAM information and key logs etc., The malware keeps the Remcos data into registry entry “HCU\Software\Rmc-OPX7KW.” Please refer here for detailed analysis of Remcos RAT.

Fig11: Remcos data stored in the registry entry

The malware keeps the keylogging information into file “C:\ProgramData\remcos\logs.dat” and sends the stolen data to the C&C server “”:

Fig12: File stores keystrokes information

Detection by Security Products

For the first few initial days when the sample was submitted to VirusTotal, it can be observed that there were virtually no detections, which only slowly improved over time. This shows that malware can evade ML/AI based security products during the initial days of propagation by hiding inside a legitimate application code.

Fig13: detections on VirusTotal over time

This threat is detected by SonicWALL Capture ATP with RTDMI.



  • 6e07b6ef7a182f367f596cbe4baa148336fa7e7592166ce51e483db81221e220

Network Connections:

  • h[t][t]ps://
  • h[t][t]ps://

User Agent:

  • spirochete
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.