Antidetect.AB , a Malware uses Microsoft Register Server to avoid detection by Anti-Virus programs.
The Dell Sonicwall Threats Research team observed reports of a New Malware family named GAV: Antidetect.AB actively spreading in the wild. This time attacker uses Microsoft Register Server and Manipulates windows registry to avoid detection by Anti-Virus programs.
Infection Cycle:
The Malware uses the following icon:
Md5:
-
9d994203fc51b31aa3f661a1dfe5374b
The Malware adds the following file to the system:
-
Malware.exe
-
%Userprofile%Local SettingsApplication Data[Random Name][Random Name].exe
-
The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:
-
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionRun
-
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
The malware manipulates the windows registry; even if you run Msconfig.exe or Regedit.exe you would not be able to see any evidence of the malware.
Here is an example:
Once the computer is compromised, the malware copies its own executable file to %Userprofile%Local SettingsApplication Data folder With Random name and then injects Regsvr32.exe to collects information from target system.
Here is an example of the Malware injection:
The malware tries to transfers your personal information to its own C&C server such as following domains:
Command and Control (C&C) Traffic
Antidetect.AB performs C&C communication over 80 and 443 ports. The malware sends your system information to its own C&C server via following format, here are some examples:
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
-
GAV: Antidetect.AB (Trojan)