janice10 Posted May 1 (edited)

This is some novel spyware undetectable by all AV. It is very persistent spyware; it survives external BIOS flash and disk replacement. Targeting ARM64 and x86 architectures and all operating systems: Linux, macOS including M1, Windows, Android, iOS. Spread by some zero-day exploits: BLE, USB, SMB. In the USB case it spreads by exploiting, abusing the ISO 9660 Joliet format misplaced files. So the USB becomes a dud and on insertion it flashes some firmware bypassing all current antivirus detections. It escalates privileges in user mode and also flashes various BIOS firmwares (ASUS, Lenovo etc.), replacing the host system by a virtual machine. For M1 MacBooks it is using the m1n1 bootloader and Asahi Linux as hypervisor. In Windows systems it is using Hyper-V as hypervisor. It installs Windows Server functionalities and sets up domain policies, Azure AD... and is also using the "system Application Compatibility Toolkit" with many rules to protect against detections beside group policies and ring0 hooks. Functionalities are many: IP traffic monitoring, keyboard logging and many more. In some cases in user mode it uses many third-party RMM systems and sometimes some junk code. Hypervisor memory footprint across all systems is maximum 500 MB.

This is dumped Windows 11 ARM64 from the installation ISO with replaced and inserted files from the spyware. Interesting files are the .efi's, as it replaces the original Windows boot files. For Linuxes it replaces GRUB files. Also I would advise against loading in Oracle VirtualBox; it seems to escape VirtualBox latest versions.

"https://mega.nz/file/IrQwWBoT#5uYkDoiKcTe6PO7GablG3EEhvPrHeMdpidgZ62o7qhc"

Edited May 2 by Berny: Link disabled
Berny Posted May 2

@janice10 Welcome. Please contact Kaspersky Technical Support → https://support.kaspersky.com/b2c#contacts → Contact us → Product help → E-mail → Contact Support → Form → Request Type? → Select "Malware" → Contact Support