SonicWall Security Center


Antidetect.AB, a malware family that uses Microsoft Register Server (Regsvr32.exe) to avoid detection by anti-virus programs.



Description


The Dell SonicWALL Threats Research team observed reports of a new malware family, detected as GAV: Antidetect.AB, actively spreading in the wild. This time the attacker uses Microsoft Register Server (Regsvr32.exe) and manipulates the Windows registry to avoid detection by anti-virus programs.

Infection Cycle:

The malware uses the following icon:

MD5:

  • 9d994203fc51b31aa3f661a1dfe5374b

The malware adds the following file to the system:

  • Malware.exe

    • %Userprofile%\Local Settings\Application Data\[Random Name]\[Random Name].exe

The malware adds the following keys to the Windows registry to ensure persistence upon reboot:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

The malware manipulates the Windows registry so that these entries are hidden: even if you run Msconfig.exe or Regedit.exe you will not see any evidence of the malware.

Here is an example:

Once the computer is compromised, the malware copies its own executable to the %Userprofile%\Local Settings\Application Data\ folder under a random name and then injects into Regsvr32.exe to collect information from the target system.

Here is an example of the malware injection:

The malware tries to transfer your personal information to its own C&C server, such as the following domains:

Command and Control (C&C) Traffic

Antidetect.AB performs C&C communication over ports 80 and 443. The malware sends your system information to its own C&C server in the following format; here are some examples:
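As an added hunt example (not part of the SonicWall advisory), the following PowerShell enumerates the two Run keys listed above, flags values that launch an executable from a random-named folder under Local Settings\Application Data (or its modern AppData\Local equivalent, an assumption), and lists regsvr32.exe processes holding established connections on ports 80 or 443. It assumes an elevated session on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added hunt example, not from the advisory: look for the persistence and
# regsvr32 behaviour described above. Path patterns are illustrative assumptions.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Matches the XP-era path from the advisory and its modern equivalent (assumption):
# ...\Local Settings\Application Data\<random>\<random>.exe  or  ...\AppData\Local\<random>\<random>.exe
$suspiciousPath = '\\(Local Settings\\Application Data|AppData\\Local)\\[^\\]+\\[^\\]+\.exe'

function Get-SuspiciousRunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $command = [string]$item.GetValue($name)
            if ($command -match $suspiciousPath) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Command = $command
                }
            }
        }
    }
}

function Get-RegsvrNetworkActivity {
    # regsvr32.exe normally registers a DLL and exits; a long-lived instance holding
    # connections to port 80/443 matches the injection behaviour described above.
    foreach ($proc in (Get-Process -Name regsvr32 -ErrorAction SilentlyContinue)) {
        Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemotePort -in @(80, 443) } |
            ForEach-Object {
                [pscustomobject]@{
                    ProcessId  = $proc.Id
                    StartTime  = $proc.StartTime
                    RemoteAddr = $_.RemoteAddress
                    RemotePort = $_.RemotePort
                }
            }
    }
}

Get-SuspiciousRunEntries   | Format-Table -AutoSize
Get-RegsvrNetworkActivity | Format-Table -AutoSize
```

Because the advisory states the sample hides its Run entries from live Regedit/Msconfig, an empty result from the first function on a live host is not conclusive; cross-check against an offline copy of the SOFTWARE and NTUSER.DAT hives taken from a trusted environment.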

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature:

  • GAV: Antidetect.AB (Trojan)




© 2020 SonicWall