We’re still seeing unusual API calls, but recent variants have two slight variations on this theme. Firstly they check memory for the presence or absence of a “nop” instruction, partly in order to throw emulators even further off the scent. Secondly they’re using new offsets to pluck numbers directly from the operating system. The following example uses both of these tactics:
These files are detected proactively as Troj/Pushdo-Gen, and the files it drops and injects are all detected as Troj/Pushu-Gen. In the latest variants we get more than usual of these layers, though looking at the debug symbol they use helps us anchor them as before: the dropper injects a sys file into memory (Install.pdb), which drops a second sys file to disk (protect.pdb), which injects a third sys file into memory (InnerDrv.pdb), which injects a fourth sys file into memory (Loader.pdb).
Each of the files in this chaotic chain has a chilly subtext similar to before, in a boring “sequel” fashion:
Is “Siberia3” next, or can we expect a spin-off perhaps? Stay tuned for further developments.