Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender associated with data stealing malware. It may flag this malware due to the specific behavior patterns, assigning that name even to malicious programs of well-known families. As the Defender uses machine learning for this detection, it can sometimes be a false positive.
Trojan:Win32/Bearfoos.B!ml Overview
Trojan:Win32/Bearfoos.B!ml is a detection of Microsoft Defender AI system for infostealer malware and spyware. Typically, the malware this detection flags belongs to a broader family, but may as well mean a small-batch virus. Reason for the detection is a specific behavior pattern that the AI system has spotted, which means it is not really clear what exactly caused it. Bearfoos embeds itself deeply into the system, often unnoticed by the user. It targets cookies, password databases, cryptocurrency wallets, and other sensitive information stored on the infected system.
Once the data is collected, the malware transmits it to a command-and-control server, then enters a dormant state, waiting for further commands. This allows it to remain undetected for extended periods. In addition to data theft, Bearfoos can log keystrokes, take screenshots, record video or audio using the system’s peripherals, and perform other spying activities.
Trojan:Win32/Bearfoos.B!ml spreads using methods typical for this type of malware. Most commonly, it is distributed through game cheats, mods, and dubious utilities. The second most common method of distribution is email spam.
Technical Analysis
Let’s break down how Trojan:Win32/Bearfoos.B!ml behaves in an infected system. The particular sample that I review appears to be an offshoot of AgentTesla spyware. I’ll try to explain the most important aspects of this threat as clearly as possible.
Upon infiltrating the system, the malware performs checks in the following locations for the presence of sandboxes and debuggers. This is a typical step that malware does to avoid analysis and “useless” infections.
C:\drivers\etc\hosts
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\machine.config
C:\Windows\system32\VERSION.dll
Gaining Persistence
After that, it drops its own copy to the AppData/Roaming folder and assigns it a random name. In my case, it was vzCravLx.exe. Next, the malware checks Microsoft Defender settings:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableScriptScanning
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiVirus
These registry values pertain to various components of the system’s anti-malware protection settings. The malware checks these settings to understand the system’s security posture and plan further actions. In our scenario, when the Defender settings were not altered by default, Bearfoos proceeded to alter Defender. It executes this selection of commands:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vzCravLx" /XML "C:\Users\
This is what provides persistence to the malware. With the first command, it excludes the path to its own executable and from Microsoft Defender scanning. The second command calls for the creation of a task in Task Scheduler to run the malware every once in a while. After that, Bearfoos a.k.a AgentTesla deletes the original file and keeps operating only with these protected duplicates.
Data Collection
The next phase involves the collection of sensitive information. First of all, the malware checks a selection of files that belong to web browsers, seeking for passwords, cookies and session tokens. Here is the list of browsers in question:
- 360Chrome
- Microsoft Edge
- 7Star
- Amigo
- Brave Browser
- Citrio
- CentBrowser
- Chedot
- Chromium
- Orbitum
- CocCoc Browser
- Comodo Dragon
- Coowon
- Elements Browser
- Epic Privacy Browser
- Sleipnir5 (Fenrir Inc)
- Iridium
- Kometa
- ChromePlus (MapleStudio)
As we can see, these locations mainly consist of user data from Chromium-based web browsers. Aside from them, malware crawls credentials from desktop mailing clients and some FTP/VPN applications.
Command & Control Server
The Bearfoos trojan sends HTTP requests to the following addresses to download various files, including a CAB file from the Windows Update server and certificates from Sectigo and Microsoft:
GET http://download.windowsupdate.com/d/msdownload/update/others/2015/05/17930914_a3b333eff1f0428f5a2c87724c542504821cdbd8.cab
GET http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt 200
GET http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c 200
GET http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt 200
GET http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt 200
These requests might be attempts to disguise malicious activity as legitimate actions. The malware also resolves DNS names for several domains, including the legitimate download.windowsupdate.com, and potentially suspicious domains such as mail.commtechtrading[.]com and chir104.websitehostserver[.]net. These latter domains could be part of its command-and-control (C2) infrastructure used for data exfiltration. The malware establishes the following TCP/UDP connections with various IP addresses:
TCP 23.53.122.213:80
TCP 173.236.63.6:587
TCP 20.99.133.109:443
TCP 23.216.147.71:80
TCP 23.216.81.152:80
UDP 192.168.0.12:137
After completing the data exfiltration, the malware enters a waiting mode, listening for commands from the C2 server. During this standby period, it continues to collect data, capturing keystrokes, taking screenshots, and recording audio and video from peripheral devices.
Is Trojan:Win32/Bearfoos.B!ml a False Positive?
As I mentioned earlier, the detection of Trojan:Win32/Bearfoos.B!ml is performed using Microsoft Defender’s AI-based system. However, this method is prone to false positives, and legitimate files, such as those associated with recently updated games or programs, are often mistakenly flagged as malicious. In particular, it is often to see false positives in small-batch programs from GitHub, certain emulator apps, and in some bizarre cases even own Windows files.
While it is easy to spot a false positive with a program that you know and trust, doing so with a less familiar app may be problematic. If you are not sure about the source and developer, bold guessing may be a particularly destructive practice. That is why a second opinion anti-malware scan is needed.
How to Remove Trojan:Win32/Bearfoos.B!ml?
To remove Bearfoos.B!ml trojan or check whether it is a real detection, I recommend using GridinSoft Anti-Malware. This program is not vulnerable to malware attacks as Microsoft Defender, and will easily spot even the most recent malware samples, thanks to its multi-component detection system. Follow the guide below to get your system as good as new.
Download and install Anti-Malware by clicking the button below. After the installation, run a Full scan: this will check all the volumes present in the system, including hidden folders and system files. Scanning will take around 15 minutes.
After the scan, you will see the list of detected malicious and unwanted elements. It is possible to adjust the actions that the antimalware program does to each element: click "Advanced mode" and see the options in the drop-down menus. You can also see extended information about each detection - malware type, effects and potential source of infection.
Click "Clean Now" to start the removal process. Important: removal process may take several minutes when there are a lot of detections. Do not interrupt this process, and you will get your system as clean as new.
