As discussed in our previous blog posts, an exploit kit (EK) is a software product sold on the underground market, designed to run on top of web servers in order to spread malware to victims browsing infected websites.

However, the malware dropped by the EK may act only as an intermediary, downloading further malicious executables after an initial foothold is established. This kind of behavior is quite common. One example is the Vawtrak banking Trojan, which is typically loaded by another piece of malware called Pony.

Bedep – Fileless Intermediate Payload

Fileless malware is a rapidly rising trend that Kaspersky Labs highlighted in their predictions for 2016. Bedep belongs to this class of malware: it runs within the browser process and leaves practically no traces of its activity, making its detection and analysis a real challenge.

It was already known to be used as an intermediate stage in EK infection chains, but Palo Alto Networks’ researchers recently reported the discovery of a new variant delivered by the Angler EK. This new version was modified to perform a series of tests for the presence of an analysis environment before dropping ransomware and click-fraud malware.

New Bedep downloading the Vawtrak Trojan, courtesy of @Kafeine

Preventing the Stealthy Bedep with Minerva

This new variant was first uncovered by the well-known security researcher @Kafeine. In a recent post he writes about how he noticed something odd happening in his malware analysis setup. While analyzing a website infected with the Angler EK, he spotted major differences in Angler’s behavior between his automated analysis setup and the manual reversing station.

Further careful analysis of the infection chain proved that Kafeine’s suspicions were justified: Angler dropped a never-before-seen Bedep on Kafeine’s machines. Before dropping the CryptXXX ransomware, it tried to determine whether it was being analyzed by performing a series of tests, ranging from a simple check for a registry key affiliated with VirtualBox VMs to a more complex check that tested whether the malware was running in the “correct” context by gathering data about its parent process.

Bedep check for VirtualBox as spotted by @Kafeine

Minerva Anti-Evasion Platform simulates an environment that malware sees as inhospitable, making it “feel” as though security products and forensic analysis tools are present. On a Minerva-protected endpoint, Bedep “thinks” it is running in a virtualized environment and thus does not drop the CryptXXX ransomware or any other malicious payloads. Finally, once the malware performs its tests, a notification is generated in our OWL management server, enabling the SOC team to handle the incident, even though no infection has taken place.
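The VirtualBox registry check described above is also a signal that defenders can hunt for in endpoint telemetry. The following Python is an added example, not code from the original post, from Minerva or from Kafeine's analysis: it scans a constructed Process Monitor CSV export for browser processes that read VirtualBox registry locations. The key list, the browser list and the `find_vm_probes` name are assumptions, since the post does not name the key Bedep queried.

```python
import csv
import io

# Assumption: commonly documented VirtualBox guest registry locations. The page
# does not name the key Bedep queried, so this list is illustrative only.
VBOX_KEY_MARKERS = (
    r"\software\oracle\virtualbox guest additions",
    r"\hardware\acpi\dsdt\vbox__",
)
# Bedep runs inside the browser process, so only browser images are in scope.
BROWSER_IMAGES = {"iexplore.exe", "firefox.exe", "chrome.exe"}
REG_READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue"}

# Constructed sample in Process Monitor's CSV export layout (not real telemetry).
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","iexplore.exe","3120","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","NAME NOT FOUND","Desired Access: Read"
"10:01:02.2000000","iexplore.exe","3120","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Main\Start Page","SUCCESS","Type: REG_SZ"
"10:01:03.0000000","VBoxService.exe","900","RegOpenKey","HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions","SUCCESS","Desired Access: Read"
"10:01:04.0000000","iexplore.exe","3120","CreateFile","C:\Users\test\AppData\Local\Temp\x.tmp","SUCCESS",""
"10:01:05.0000000","firefox.exe","4544","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
'''


def find_vm_probes(csv_text):
    """Return (process, pid, key, result) for browser reads of VirtualBox keys."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] not in REG_READ_OPS:
            continue
        if row["Process Name"].lower() not in BROWSER_IMAGES:
            continue
        key = row["Path"]
        # The result is deliberately ignored: on a physical endpoint the key is
        # absent, so the probe shows up as NAME NOT FOUND rather than SUCCESS.
        if any(marker in key.lower() for marker in VBOX_KEY_MARKERS):
            hits.append((row["Process Name"], int(row["PID"]), key, row["Result"]))
    return hits


if __name__ == "__main__":
    for hit in find_vm_probes(SAMPLE_PROCMON_CSV):
        print("browser process probed VM artifact:", hit)
```

On the constructed sample, the two browser lookups are flagged even though both failed, while the VirtualBox service reading its own key is not.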