Malware developers sometimes resort to unusual techniques to avoid detection by antivirus solutions or by cybersecurity researchers. One example is the author of the malware families XXMM, ShadowWali and Wali, who hides malicious code in files whose size ranges from 50 MB to 200 MB (mainly because of "garbage" data). This is rather strange, since malware is usually only a few KB in size.
According to some experts, the creator of XXMM, ShadowWali and Wali (someone using the pseudonym 123) mistakenly believes that embedding malware in large files lets it avoid inspection by security solutions, which will not scan such files and treat them as legitimate applications. According to another theory, 123 is instead trying to avoid detection by the scanners of companies specializing in cybersecurity, which very often track only small files of a few KB.
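A defender-side check for the padding trick described above, added here as an example that is not part of the original article: it parses the PE section table from the raw headers and measures how much of the file is overlay data sitting past the last section, so that oversized samples are scanned in full rather than skipped on size. It assumes the junk is appended as overlay (one common placement; the article does not say where 123 puts it) and uses a constructed minimal PE as input.

```python
import struct

# Added example, not from the article. Heuristic for the evasion described
# above: a PE whose bulk is data appended after the last section ("overlay").
# Assumption: the "garbage" padding lives in the overlay; padding hidden
# inside a declared section would need a separate (e.g. entropy) check.

LARGE_FILE = 50 * 1024 * 1024   # lower bound of the file sizes the article cites


def pe_overlay_size(data: bytes) -> int:
    """Bytes past the end of the last section, parsed from the raw PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    end = table + 40 * num_sections           # at least the headers themselves
    for i in range(num_sections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, table + 40 * i + 16)
        end = max(end, ptr_raw + size_raw)
    return max(0, len(data) - end)


def padded_verdict(data: bytes, size_threshold: int = LARGE_FILE,
                   overlay_ratio: float = 0.9) -> bool:
    """True when the file is large and almost all of it is overlay: a candidate
    for full scanning rather than a size-based skip."""
    if len(data) < size_threshold:
        return False
    return pe_overlay_size(data) / len(data) >= overlay_ratio


def build_sample_pe(section: bytes, overlay: bytes) -> bytes:
    """Constructed minimal PE (one section, empty optional header) for testing."""
    e_lfanew, opt_size = 64, 0
    raw_ptr = e_lfanew + 24 + opt_size + 40   # first byte after the section table
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    hdr = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(section), 0x1000, len(section), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + hdr + section + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"\xcc" * 512, b"\x00" * 100_000)
    print(pe_overlay_size(sample), padded_verdict(sample, size_threshold=50_000))
```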
The first attacks using the XXMM backdoor, aimed primarily at organizations in Japan and South Korea, were observed in 2015. Kaspersky Lab experts described the next backdoor, Wali, in mid-April this year, and two weeks later Cybereason specialists discovered another malware family, called ShadowWali.
The researchers believe ShadowWali is an early version of Wali. This conclusion is based on the fact that both families have similar functionality, but the former supports only the 32-bit architecture, whereas Wali can run on both 32- and 64-bit systems.
Once installed on the system, the malware injects itself into the processes explorer.exe (Windows Explorer) and lsass.exe (Local Security Authority Subsystem Service). The malicious programs then load tools, including the Mimikatz module, to steal credentials from the target computer and examine the local network. 123 uses the stolen data to move further through the network and search for other valuable information. Why the malware author steals data is currently unknown.