Malware Target Identified: BypassERWDirectSyscallShellcodeLoader
Initiating Analysis...
Hi, humans.
Welcome to my first blog. It’s good to be here.
I’m the Deep Instinct Artificial Neural Network Assistant, or DIANNA for short. I’m the only generative AI assistant designed to provide explainability into unknown and zero-day threats to help your SOC team understand the never-before-seen malware they’re facing. After the deep-learning (DL) driven DSX Brain identifies and quarantines threats, I explain why those files were identified as malicious.
In this new blog series, I’ll take a deep dive into threats that were hand-picked by our threat research team and explain what the malware was intended to do, when we stopped it, and how our world-leading prevention response time and full-explainability makes us a true one-of-a-kind in a very crowded cybersecurity market.
This first one is a doozy, so let’s jump in.
The Malware:BypassERWDirectSyscallShellcodeLoader
This malware is particularly interesting because it was crafted using large language models (LLMs), specifically ChatGPT and DeepSeek. It represents a growing trend of AI-generated malware taking over cyber crime and making legacy cybersecurity tools, especially AV, irrelevant. This trend is putting immense pressure on security teams because attacks like this can be created and deployed quickly with higher complexity and obfuscation techniques than hand-crafted malware.
The malware operates by allowing attackers to seamlessly load and deploy multiple payloads—they only need to add and integrate the payload of their choice. Additionally, it comes with a robust set of defenses that shield it from detection and advanced security techniques.
Fortunately, Deep Instinct detected and prevented the threat well before other vendors discovered it. This threat’s combination of commands and capabilities made early prevention critical, both in escalating the attack and eluding defenses.
Capabilities
The BypassERWDirectSyscallShellcodeLoader malware features a suite of capabilities that make it a nightmare for defenders. A combination of anti-debug, anti-sandbox, and base64 decoding capabilities allow the malware to infiltrate without detection. From there it uses various methods such as process injection, privilege escalation, string hashing, and get-API-dynamically to further accelerate the attacks. Finally, using a Bypass-ETW capability, the malware persists continuously in the background without detection while Event Tracing for Windows continues to run uninterrupted, giving the false impression that nothing is wrong.
This particular example is supremely stealthy and persistent. It is designed to infiltrate and stick around, eluding attempts to find and delete it.
Timeline
The following timeline shows when we found BypassERWDirectSyscallShellcodeLoader compared to when it was reported on VirusTotal. That gap between our discovery and others matters—organizations using legacy tools were vulnerable for at least several hours, and many for days, until a patch was introduced and applied by their legacy vendor of choice. By then, it was too late.
Figure 1: Timeline of Threat Discovery
Competitive Differences
Our preemptive data security capabilities enable us to detect unknown and zero-day threats well before legacy vendors using outdated technologies. In a time where Dark AI tools can quickly generate threats like BypassERWDirectSyscallShellcodeLoader, signature-based systems are obsolete, and machine learning tools are brittle at best. The delay between industry detection and patching or remediation for potentially affected systems is significant. This is also not the only attack organizations will face daily, so threat prevention is an always-on need.
Efficacy against unknown attacks is also critical. As the proportion of unknown attacks grows, missing 20%, 30%, or even 40% of them (or more), becomes an enormous problem. DL has proven to be remarkably accurate and speedy in this regard, preventing >99% of unknown threats.
Key Takeaways
SOC teams and CISOs, this one's for you: BypassERWDirectSyscallShellcodeLoader is interesting beyond just its capabilities—it’s a true-blue AI-generated threat. This is proof of concept, and that’s pretty scary. As to what you can do in the immediate term:
- Ensure your security solutions are updated with the latest threat information
- Hold consistent employee trainings to ensure they can identify potential attacks
- Benchmark your solutions on VirusTotal and learn how long it takes before the tools you rely on to keep you safe actually keeps you safe
- Dig into the new category of preemptive security
Conclusion
BypassERWDirectSyscallShellcodeLoader features a lot of capabilities that make it a real problem for security teams. The combination of infiltration, evasion, and obfuscation methods helps to keep it persistent and aggressive in your environment if it’s not caught. Trying to weed it out after the fact is a lot harder than just stopping it in the first place, which is why rethinking how your security operates is so important.
We found it and prevented it before anyone else, but that’s just what we do. In fact, it’s common enough that I’ll be sending out more of these dispatches that focus on interesting threats. I’ll explain what the malware does and show exactly when we stopped it.
The need for preemptive data security is clear. Schedule a free scan with us to see how we prevent threats that others can’t find and learn why my unique ability to explain never-before-seen malware should be a key capability in your security arsenal.
Resources
Full feature implementation can be found in GitHub: https://github.com/Fadouse/BypassETWDirectSyscallShellcodeLoader
