BabbleLoader, a sophisticated malware loader, employs a multi-layered evasion strategy to bypass detection by inserting junk code, applying metamorphic transformations, and dynamically resolving APIs to evade static and dynamic analysis.
It avoids file-based scanning by loading and decrypting shellcode in memory, and it detects virtual environments so that sandbox analysis never reaches the payload.
Its adaptability and broad targeting, with lures ranging from general software cracks to tools aimed at particular industries, expose a wide variety of user groups to significant risk.
It leverages junk code and metamorphism to evade analysis: it adds excessive, irrelevant instructions, randomizes strings and metadata, and builds convoluted control flow, which hampers decompilation, degrades analysis tool performance, and confuses AI-based detection.
The constant variation in code structure and the overwhelming volume of junk data challenge AI models, making it difficult to identify the malware’s true behavior and leading to potential false positives and missed detections.
The malware loader dynamically resolves API calls using hashing techniques, where it first parses the export directory of ntdll.dll to obtain necessary information, and then it hashes API names and compares them to hardcoded hashes to obtain function pointers.
Using these pointers, the loader allocates memory using NtCreateSection and NtMapViewOfSection, rearranges encrypted payload chunks, and decrypts them. Before executing the decrypted payload, the loader performs anti-sandboxing checks.
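From the analyst's side, the practical counterpart to API hashing is recovering which exports a sample resolves from the hardcoded hashes it carries. The following is an added example, not Intezer's code or anything from BabbleLoader itself: it hashes a constructed list of ntdll export names with two candidate algorithms (ROR13 and djb2, both assumed here, since the report does not name the loader's actual routine) and looks hardcoded values up in the resulting table. In real use, the export list comes from parsing the export directory of the target ntdll.dll.

```python
# Added example (not Intezer's code or BabbleLoader's own): an analyst-side
# reverse lookup for loaders that resolve APIs by hash. Every known export
# name is hashed with each candidate algorithm; a hardcoded hash pulled from
# a sample is then looked up to recover the API it refers to.
# ASSUMPTIONS: ROR13 and djb2 stand in for the unstated real algorithm, and
# NTDLL_EXPORTS is a constructed subset of ntdll's export table.
from typing import Callable, Dict, List, Tuple

MASK32 = 0xFFFFFFFF

def ror13(name: str) -> int:
    """ROR-13 rolling hash over the ASCII bytes of name (assumed variant, no trailing NUL)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK32   # rotate right by 13 on 32 bits
        h = (h + b) & MASK32
    return h

def djb2(name: str) -> int:
    """djb2 hash (h = h*33 + c), truncated to 32 bits."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & MASK32
    return h

HASHERS: Dict[str, Callable[[str], int]] = {"ror13": ror13, "djb2": djb2}

# Constructed sample of ntdll export names (a real table has a couple of thousand).
NTDLL_EXPORTS = [
    "NtAllocateVirtualMemory", "NtCreateSection", "NtMapViewOfSection",
    "NtProtectVirtualMemory", "NtQuerySystemInformation", "NtWriteVirtualMemory",
    "RtlCreateUserThread", "LdrLoadDll", "LdrGetProcedureAddress",
]

def build_table(exports: List[str], hashers=HASHERS) -> Dict[int, List[Tuple[str, str]]]:
    """Map hash value -> [(algorithm, export name), ...] across all candidate algorithms."""
    table: Dict[int, List[Tuple[str, str]]] = {}
    for name in exports:
        for alg, fn in hashers.items():
            table.setdefault(fn(name), []).append((alg, name))
    return table

def resolve_hash(value: int, table) -> List[Tuple[str, str]]:
    """Return the (algorithm, export name) candidates for a hardcoded hash; [] if unknown."""
    return table.get(value, [])

def resolve_many(values: List[int], exports=NTDLL_EXPORTS, hashers=HASHERS) -> Dict[int, List[Tuple[str, str]]]:
    """Resolve a list of hashes pulled from a sample; unknown values map to []."""
    table = build_table(exports, hashers)
    return {v: resolve_hash(v, table) for v in values}

if __name__ == "__main__":
    # Simulated hashes "recovered from a sample" (computed here, since the real
    # values are not on the page), plus one value that matches nothing.
    sample_hashes = [ror13("NtCreateSection"), ror13("NtMapViewOfSection"), 0xDEADBEEF]
    for v, hits in resolve_many(sample_hashes).items():
        print(f"0x{v:08X} -> {hits or 'unresolved'}")
```

Once the algorithm is identified, the same table turns the loader's hash constants into a plain import list, which is what a detection engineer needs to write rules around the NtCreateSection / NtMapViewOfSection sequence described above.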
Among its multiple anti-sandboxing techniques, it checks the installed graphics adapters against a whitelist of vendors (Intel, Nvidia, AMD) to verify a genuine hardware environment.
Additionally, it attempts to detect Windows Defender’s emulation by importing functions specific to its virtualized DLLs (VDLLs). By combining these checks, BabbleLoader aims to hinder analysis and execute malicious activities undetected.
The shellcode, once executed, performs an anti-sandbox check by enumerating running processes and calculating a checksum-based uniqueness count. If this count exceeds 85, indicating a potentially legitimate system, it proceeds to the next stage.
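A sandbox operator can turn the two environment gates just described (the graphics-adapter vendor whitelist and the process uniqueness count with its threshold of 85) into a self-check that tells whether an analysis VM would be classified as a sandbox and never reach the payload. The following is an added example and not code from Intezer or from the loader: the checksum is assumed to be CRC32 (the report does not state which checksum is used), the threshold and vendor list come from the report, and the tasklist-style input is constructed.

```python
# Added example (not from Intezer or BabbleLoader): sandbox-realism self-check
# mirroring the loader's two environment gates. The process "uniqueness count"
# is the number of distinct checksums over process image names; CRC32 is an
# ASSUMPTION standing in for the loader's unstated checksum. The threshold (85)
# and the vendor whitelist (Intel, Nvidia, AMD) are as described in the report.
import zlib

PROCESS_THRESHOLD = 85
GPU_VENDOR_WHITELIST = ("intel", "nvidia", "amd")

def parse_tasklist(output: str) -> list:
    """Extract image names from `tasklist` text output (header and rule lines skipped)."""
    names = []
    for line in output.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        # The image-name column is the leading 25-character field of tasklist output.
        names.append(line[:25].rstrip())
    return names

def uniqueness_count(process_names) -> int:
    """Count distinct process names by checksum (assumed CRC32 over the lower-cased name)."""
    return len({zlib.crc32(n.lower().encode()) for n in process_names})

def gpu_check(adapter_names) -> bool:
    """True if any adapter name contains a whitelisted vendor string (substring match)."""
    return any(v in a.lower() for a in adapter_names for v in GPU_VENDOR_WHITELIST)

def assess(process_names, adapter_names) -> dict:
    """Report both gates; a VM that fails either one would never see the next stage."""
    count = uniqueness_count(process_names)
    return {
        "unique_processes": count,
        "passes_process_gate": count > PROCESS_THRESHOLD,
        "passes_gpu_gate": gpu_check(adapter_names),
    }

# Constructed: a sparse analysis VM, as `tasklist` would print it.
SANDBOX_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        140 K
smss.exe                       312 Services                   0      1,024 K
csrss.exe                      404 Services                   0      4,096 K
wininit.exe                    480 Services                   0      5,120 K
services.exe                   576 Services                   0      7,168 K
lsass.exe                      592 Services                   0     12,288 K
svchost.exe                    700 Services                   0      9,216 K
svchost.exe                    744 Services                   0      6,144 K
svchost.exe                    812 Services                   0     18,432 K
explorer.exe                  1560 Console                    1     60,416 K
sample.exe                    2044 Console                    1      3,072 K
"""

# Constructed: a busy workstation, i.e. many distinct images plus repeated svchost.exe
# instances, which collapse to one entry under the checksum-based count.
WORKSTATION_PROCESSES = (
    parse_tasklist(SANDBOX_TASKLIST)
    + [f"app{i}.exe" for i in range(90)]
    + ["svchost.exe"] * 40
)

if __name__ == "__main__":
    print("sandbox VM :", assess(parse_tasklist(SANDBOX_TASKLIST), ["VMware SVGA 3D"]))
    print("workstation:", assess(WORKSTATION_PROCESSES, ["NVIDIA GeForce RTX 3060"]))
```

The point for the operator is that repeated service hosts do not help: the gate counts distinct images, so a stripped-down VM has to carry a realistic breadth of software, and its virtual display adapter has to present a whitelisted vendor name, before this sample will proceed past its checks.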
A Donut loader is then employed to unpack and execute the final payload, identified as WhiteSnake, which leverages TOR for C2 communication and, unusually, downloads the TOR components from a specific GitHub repository.
According to Intezer, BabbleLoader, a sophisticated loader, employs advanced techniques to evade detection by security tools and utilizes layered obfuscation to confuse static and dynamic analysis tools, including AI-based systems.
By incorporating anti-sandboxing measures and rapidly adapting to evolving security landscapes, the loader significantly increases the cost of detection for security vendors.
Each side's goal in this arms race is to maintain a persistent advantage over the other, and it highlights the ongoing struggle between attackers and defenders.