Antidetect.B malware found with valid digital certificate

June 9, 2016

The Dell SonicWALL Threats Research team has observed reports of a second generation of the malware family detected as GAV: Antidetect.B actively spreading in the wild. The recently discovered variant of Antidetect was found to carry a legitimate digital signature in order to evade detection by anti-virus systems. Antidetect.B performs process injection through Microsoft Register Server (Regsvr32.exe) and manipulates the Windows registry to hide its presence. Because the file is signed with a valid certificate, it appears trustworthy at first glance, which makes this an extremely dangerous situation.

Infection Cycle:

The Malware uses the following icon:

MD5:

  • 33f494d3a27ded5c85f29c91f87400e0

The Malware adds the following file to the system:

  • Malware.exe

    • %Userprofile%\Local Settings\Application Data\[Random Name]\[Random Name].exe

The Malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
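The two points above that matter most to a defender are that the sample is signed with a valid certificate and that it persists through the Run keys. The following PowerShell audit is an added example, not code from the advisory or from SonicWALL: it enumerates both Run keys named above, resolves each entry to its executable, flags targets under the user's Local Settings\Application Data path (the legacy name of %LocalAppData%), and reports the Authenticode status and signer. The helper name Get-RunEntryTarget and the choice of %LocalAppData% as the suspicious root are assumptions made for this example.

```powershell
# Added example (not from the SonicWALL advisory): audit the Run keys the
# advisory names and report each entry's target path and Authenticode signer.
# A status of "Valid" alone is not enough here, because the advisory's sample
# was validly signed; the signer subject must be reviewed as well.

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# %Userprofile%\Local Settings\Application Data is the legacy alias of
# %LocalAppData%; treating it as the suspicious root is an assumption here.
$SuspiciousRoot = [regex]::Escape($env:LOCALAPPDATA)

function Get-RunEntryTarget {
    # Hypothetical helper: strip surrounding quotes and arguments from a Run
    # value to recover the executable path.
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the PSPath/PSParentPath/... metadata properties.
        if ($prop.Name -like 'PS*') { continue }
        $target = [Environment]::ExpandEnvironmentVariables((Get-RunEntryTarget $prop.Value))
        $sig = if (Test-Path $target) { Get-AuthenticodeSignature -FilePath $target } else { $null }
        [pscustomobject]@{
            Key            = $key
            Name           = $prop.Name
            Target         = $target
            InLocalAppData = ($target -match "^$SuspiciousRoot")
            SigStatus      = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer         = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}
```

Run the script in an elevated PowerShell session so that the HKLM key is readable. An entry whose target is a randomly named executable under Local AppData deserves attention even when SigStatus is Valid; in that case compare the Signer subject with the publishers you expect on the host rather than trusting the signature by itself.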

The malware manipulates the Windows registry so that its entries stay hidden: even when you open Regedit.exe, you will not see any evidence of the malware.

Here is an example:

The malware generates a unique ID (UID) from your system and saves it under the following registry keys:

Here is an example:

Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Local Settings\Application Data folder under a random name and then injects into Regsvr32.exe to collect information from the target system.

Here is an example of the malware injection:

The malware attempts to transfer your personal information to its own C&C server, using domains such as the following:

Command and Control (C&C) Traffic

Antidetect.B performs C&C communication over ports 80 and 8080. The malware sends your system information to its C&C server in the following format; here are some examples:
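The injection into Regsvr32.exe described earlier and the C&C traffic on ports 80 and 8080 described here can be checked together on a live host. The following PowerShell script is an added example, not code from the advisory or from SonicWALL: it lists every running regsvr32.exe, its parent process and command line, and any established TCP connection it owns to remote port 80 or 8080. The port list comes from the advisory; treating a long-lived regsvr32.exe with outbound HTTP connections as suspicious is this example's own heuristic.

```powershell
# Added example (not from the SonicWALL advisory): correlate running
# regsvr32.exe instances with outbound connections on the advisory's C&C ports.
# A legitimate regsvr32 invocation registers a DLL and exits quickly; an
# instance that stays resident and holds HTTP connections is worth a closer look.

$CandidatePorts = @(80, 8080)   # ports named in the advisory

$procs = Get-CimInstance Win32_Process -Filter "Name = 'regsvr32.exe'"
foreach ($p in $procs) {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"

    # Only established connections to the candidate ports owned by this PID.
    $conns = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
             Where-Object { $_.RemotePort -in $CandidatePorts -and $_.State -eq 'Established' }

    [pscustomobject]@{
        Pid         = $p.ProcessId
        CommandLine = $p.CommandLine
        Parent      = if ($parent) { $parent.Name } else { 'unknown' }
        ParentPath  = if ($parent) { $parent.ExecutablePath } else { '' }
        Remotes     = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
    }
}
```

Get-NetTCPConnection requires the NetTCPIP module (Windows 8 / Server 2012 and later). A regsvr32.exe whose Parent is a randomly named executable under Local AppData and whose Remotes column is non-empty matches the behaviour the advisory describes and should be isolated and captured for analysis.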

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Antidetect.B (Trojan)