Antidetect.B malware found with valid digital certificate
The Dell Sonicwall Threats Research team observed reports of a second generation of Malware family named GAV: Antidetect.B actively spreading in the wild. A recently discovered variant of the Antidetect was found to use a legitimate digital signature to avoid detection from anti-virus systems. Antidetect.B uses process injection via Microsoft Register Server and Manipulates windows registry to avoid detection. Since the malware comes with a valid digital signature, it is an extremely dangerous situation because the file is digitally signed with a valid certificate; it appears trustworthy at first glance.
The Malware uses the following icon:
The Malware adds the following file to the system:
%Userprofile%Local SettingsApplication Data[Random Name][Random Name].exe
The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:
The malware manipulates the windows registry; even if you run Regedit.exe you would not be able to see any evidence of the malware.
Here is an example:
The malware creates UID from your system and its saves on following registry keys:
Here is an example:
Once the computer is compromised, the malware copies its own executable file to %Userprofile%Local SettingsApplication Data folder With Random name and then injects Regsvr32.exe to collects information from target system.
Here is an example of the Malware injection:
The malware tries to transfers your personal information to its own C&C server such as following domains:
Command and Control (C&C) Traffic
Antidetect.B performs C&C communication over 80 and 8080 ports. The malware sends your system information to its own C&C server via following format, here are some examples:
We have been monitoring varying hits over the past few days for the signature that blocks this threat:
SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:
GAV: Antidetect.B (Trojan)