Process Exits Instead Of Malware Self-Destructing.


Well, there are dozens of techniques and tactics that malware developers and threat actors use to stay under the radar. Some of them detect virtual machines; others are designed to detect analysis software.

In recent years, malware developers have implemented checks for running analysis tools. For example, if the malware found a process like wireshark.exe or ida.exe, it would delete itself and exit. But now the game has changed.

Some threat actors no longer self-destruct when security tools are present on the system. Instead, the malware keeps running and terminates specific analysis tools while it executes.

Here's what happened: The story began while I was conducting dynamic analysis of a BlackNet sample. To be honest, I wasn't fully prepared for malware analysis at the time; I was just testing some custom Sysmon rules against this botnet.

While analyzing, I found some hashes. I copied one and opened Microsoft Edge to search it on VirusTotal. But after a few seconds, my browser closed by itself! That got my attention, so I repeated the process several times. Eventually, I realized the malware was using a mechanism to detect and interfere with my actions, something I hadn't noticed in the sample during static analysis.

Even though I had analyzed the full static code, I didn't observe this behavior at runtime. I tried process monitoring, checked command-line arguments, and used several sandboxes, but none of that worked.

My final step was to reverse-engineer the malware to see what was happening behind the scenes. I checked the %TEMP% folder and copied the executable files dropped by the first-stage payload. But again, that didn't work: those executables were actually converted from batch scripts using a BAT-to-EXE converter.

Eventually, I got my hands on an unpacked sample of the BlackNet malware. I dragged it into dnSpy to inspect the anti-debugging and anti-analysis modules. And let me tell you what I found:



So instead of looking for analysis tools and self-destructing, the threat actor simply kills the offending process. The clever part is what it matches on: not just the process name, but the window title.

For example, the page title of VirusTotal is "VirusTotal", so when you open your browser and navigate to virustotal[.]com, the browser's window title contains that string. The malware enumerates running processes such as chrome.exe and msedge.exe, reads their window titles, and compares them against an internal list (let's call it array2). If a title matches any value in that list, it immediately terminates the process. In this case, that was my browser.
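To see which windows on your own analysis VM such a check would hit, here is an added re-creation of the logic in PowerShell. It is not the BlackNet code and not from this post; it uses the same .NET Process API (ProcessName, MainWindowTitle) that a C# sample can call, and it is safe to run because it only reports matches unless you explicitly pipe them to Stop-Process. The process list, the title list and the case-insensitive substring comparison are my assumptions for illustration; the real sample's lists and comparison are not reproduced here.

```powershell
# Added example (not from the BlackNet sample or this post): re-create the
# window-title check with the .NET Process API a C# sample could use.
# ASSUMPTIONS: the watched process names, the title list and the
# substring comparison are illustrative, not the sample's actual values.

$WatchedProcesses = @('chrome', 'msedge', 'firefox')   # .NET ProcessName has no ".exe"
$TitleBlocklist   = @('VirusTotal', 'Wireshark', 'Process Monitor', 'dnSpy')

function Find-BlockedWindows {
    [CmdletBinding()]
    param(
        [string[]]$ProcessNames = $WatchedProcesses,
        [string[]]$Titles       = $TitleBlocklist,
        # Optional pre-built snapshot (e.g. exported from a sandbox) for offline testing
        [object[]]$Snapshot
    )
    if (-not $Snapshot) {
        # MainWindowTitle is resolved via EnumWindows; only processes that own a
        # visible top-level window return a non-empty title.
        $Snapshot = Get-Process | Select-Object Id, ProcessName, MainWindowTitle
    }
    foreach ($p in $Snapshot) {
        if ($ProcessNames -notcontains $p.ProcessName) { continue }   # process-name gate
        if (-not $p.MainWindowTitle)                   { continue }   # no window, nothing to match
        foreach ($t in $Titles) {
            # Case-insensitive substring match: a real browser title looks like
            # "VirusTotal - File - Microsoft Edge", which never equals "VirusTotal" exactly.
            if ($p.MainWindowTitle -like "*$t*") {
                [pscustomobject]@{
                    Id          = $p.Id
                    ProcessName = $p.ProcessName
                    Title       = $p.MainWindowTitle
                    Matched     = $t
                }
                break
            }
        }
    }
}

# Dry run on a constructed snapshot (no real processes are touched).
# Expected: only PID 4120 is reported; notepad mentions VirusTotal but is not a watched process.
$constructedSnapshot = @(
    [pscustomobject]@{ Id = 4120; ProcessName = 'msedge';  MainWindowTitle = 'VirusTotal - File - Microsoft Edge' },
    [pscustomobject]@{ Id = 4121; ProcessName = 'msedge';  MainWindowTitle = 'New tab - Microsoft Edge' },
    [pscustomobject]@{ Id = 5200; ProcessName = 'notepad'; MainWindowTitle = 'VirusTotal notes.txt - Notepad' }
)
Find-BlockedWindows -Snapshot $constructedSnapshot | Format-Table -AutoSize

# Against the live VM: report what would be killed. -WhatIf prints the action
# without terminating anything; drop it only if you really want to reproduce the kill.
Find-BlockedWindows | ForEach-Object { Stop-Process -Id $_.Id -WhatIf }
```

Run the dry-run part first on any host; the live part is only meaningful inside the analysis VM, where it tells you which tool windows, browser tabs and titles you need to rename or hide before detonating a sample that behaves this way.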

Checking for a security analysis toolkit:



The sample checks the window titles of specific processes against its list of security analysis tools. If a title matches, the malware kills that process instead of self-destructing.
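Plain process monitoring did not reveal this for me, because the browser simply exits and nothing records who terminated it. One place the kill does leave a trace is Sysmon Event ID 10 (ProcessAccess), which logs the handle a source process opens on a target together with the access mask. The query below is an added hunting example, not from this post or the sample. It assumes Sysmon is installed with ProcessAccess logging enabled for the browser images (most default configs exclude it), and it assumes the killer opens the target with only PROCESS_TERMINATE (0x1), which is what .NET Process.Kill() requests; treat that mask as a starting point and verify it against your own sample.

```powershell
# Added hunting example (not from the post): find a process that opened a browser
# with PROCESS_TERMINATE rights, so the kill can be attributed to its source.
# ASSUMPTIONS: Sysmon Event ID 10 is enabled for these targets, and the kill
# opens the target with exactly 0x1 (PROCESS_TERMINATE); adjust $AccessMasks
# if your sample requests a broader mask.

function Get-SuspiciousTerminateAccess {
    [CmdletBinding()]
    param(
        [string[]]$TargetImages = @('msedge.exe', 'chrome.exe', 'firefox.exe'),
        [string[]]$AccessMasks  = @('0x1'),
        [datetime]$Since        = (Get-Date).AddHours(-1)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 10
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Read EventData by field name rather than positional index; Sysmon adds fields between versions.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $leaf = Split-Path -Leaf $d['TargetImage']          # TargetImage is a full path
        if ($TargetImages -contains $leaf -and $AccessMasks -contains $d['GrantedAccess']) {
            [pscustomobject]@{
                Time          = $_.TimeCreated
                SourceImage   = $d['SourceImage']
                SourcePid     = $d['SourceProcessId']
                TargetImage   = $d['TargetImage']
                TargetPid     = $d['TargetProcessId']
                GrantedAccess = $d['GrantedAccess']
            }
        }
    }
}

# The SourceImage that opened the browser right before it exited is your killer.
# Correlate with Event ID 5 (ProcessTerminate): it records the browser exiting
# but not who terminated it, which is why ID 10 is needed.
Get-SuspiciousTerminateAccess | Sort-Object Time | Format-Table -AutoSize
```

If nothing comes back, check the Sysmon configuration first: ProcessAccess is noisy and is usually limited to lsass.exe in common configs, so the browser images have to be added before the sample is detonated.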




Thank you.