UM Virus Detecting: Part 4 - Goodnight

Hello, I'm seb. This is a breakdown of how I identified, disrupted, and permanently shut down all known variants of a malware family known as Easy SuperInfector. At its peak, Easy SuperInfector infected over 100,000 machines in real time, averaging 700 new infections daily, primarily inside cheating communities with low system security.


Background

Easy SuperInfector was a double-hooked RAT, basically relying on people to spread it. People normally disguised it as 'HWID Spoofers' or 'Fortnite Cheats'. Most users had Windows Defender disabled and were running unsigned binaries from random Discord links. This gave Easy SuperInfector full access to install persistent backdoors, log Discord tokens, cookies, passwords, and exfiltrate data silently.

My team was originally two people: I handled detection and prevention. My partner worked on the custom build backend. At first, I was alone working on the project. The owner threatened to dox me, but I wasn't afraid because I knew I left no traces online. However, the same couldn't be said for my partner. After his dox, he had to step down, and I continued the project solo.


Static Detection (Phase One)

Initial variants were easily detectable through static signature analysis. I wrote a basic PE header scanner in C++ that looked for:

  • Obfuscated import tables

  • Suspicious section alignment

  • Lack of digital signatures

  • Encrypted payloads in .data or .rsrc

This was effective until the developer behind Easy SuperInfector began packing every build with new VM obfuscation techniques and a different stub per variant. The static method broke down completely.


Transition to Runtime Prevention (Phase Two)

Once static detection was no longer viable, I transitioned to a prevention-first model. Instead of trying to catch Easy SuperInfector after execution, I designed a system that prevented syscalls from executing unless the binary was signed by a trusted CA.

To keep it performant, I filtered by file size, ignoring massive or tiny binaries:
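As an added illustration (not the post's own scanner and not code from the author), here is a portable C++ version of the Phase One checks together with the size gate described above. It declares its own minimal PE32+ structures so it builds and runs without windows.h, and the two sample images are constructed in memory rather than taken from any real binary. The size thresholds (16 KiB to 50 MiB), the entropy cut-off (7.2 bits per byte) and the use of "no import directory" as the stand-in for an obfuscated import table are my assumptions, not values the post gives.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>
// Minimal PE32+ on-disk structures, declared here (assumed to match the Windows SDK
// layout) so the scanner compiles and runs without <windows.h>.
#pragma pack(push, 1)
struct PeDosHeader { uint16_t e_magic; uint8_t reserved[58]; uint32_t e_lfanew; };
struct PeFileHeader { uint16_t Machine, NumberOfSections; uint32_t TimeDateStamp, PointerToSymbolTable,
    NumberOfSymbols; uint16_t SizeOfOptionalHeader, Characteristics; };
struct PeDataDir { uint32_t VirtualAddress, Size; };
struct PeOptionalHeader64 {
    uint16_t Magic; uint8_t MajorLinkerVersion, MinorLinkerVersion;
    uint32_t SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData, AddressOfEntryPoint, BaseOfCode;
    uint64_t ImageBase; uint32_t SectionAlignment, FileAlignment;
    uint16_t OsMajor, OsMinor, ImageMajor, ImageMinor, SubsysMajor, SubsysMinor;
    uint32_t Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum; uint16_t Subsystem, DllCharacteristics;
    uint64_t SizeOfStackReserve, SizeOfStackCommit, SizeOfHeapReserve, SizeOfHeapCommit;
    uint32_t LoaderFlags, NumberOfRvaAndSizes;
    PeDataDir DataDirectory[16];   // [1] = import table, [4] = Authenticode security directory
};
struct PeSectionHeader { char Name[8]; uint32_t VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    PointerToRelocations, PointerToLinenumbers; uint16_t NumberOfRelocations, NumberOfLinenumbers;
    uint32_t Characteristics; };
#pragma pack(pop)

// Size gate applied before parsing, so tiny stubs and huge installers are never opened.
// The thresholds are assumed values, not the ones the post used.
constexpr size_t kMinScanSize = 16 * 1024, kMaxScanSize = 50 * 1024 * 1024;
bool ShouldScan(size_t fileSize) { return fileSize >= kMinScanSize && fileSize <= kMaxScanSize; }

// Shannon entropy in bits per byte; packed or encrypted data sits close to 8.0.
double Entropy(const uint8_t* p, size_t n) {
    size_t count[256] = {0}; double h = 0.0;
    for (size_t i = 0; i < n; ++i) count[p[i]]++;
    for (size_t c : count) if (c) { double q = double(c) / n; h -= q * std::log2(q); }
    return h;
}

struct ScanReport { bool validPe = false; std::vector<std::string> findings; };

ScanReport ScanPe(const std::vector<uint8_t>& f) {
    ScanReport r; PeDosHeader dos{};
    if (f.size() >= sizeof dos) std::memcpy(&dos, f.data(), sizeof dos);
    size_t pe = dos.e_lfanew;
    if (dos.e_magic != 0x5A4D || pe + 4 + sizeof(PeFileHeader) + sizeof(PeOptionalHeader64) > f.size() ||
        std::memcmp(f.data() + pe, "PE\0\0", 4) != 0) { r.findings.push_back("not a PE image"); return r; }
    PeFileHeader fh{}; std::memcpy(&fh, f.data() + pe + 4, sizeof fh);
    PeOptionalHeader64 oh{}; std::memcpy(&oh, f.data() + pe + 4 + sizeof fh, sizeof oh);
    if (oh.Magic != 0x20B) { r.findings.push_back("not PE32+"); return r; }
    r.validPe = true;
    auto pow2 = [](uint32_t v) { return v != 0 && (v & (v - 1)) == 0; };
    // Suspicious alignment: values a normal linker would never emit.
    bool alignOk = pow2(oh.SectionAlignment) && pow2(oh.FileAlignment) && oh.FileAlignment <= oh.SectionAlignment;
    if (!alignOk) r.findings.push_back("suspicious alignment values");
    // Obfuscated imports (stand-in check): no import directory means the stub resolves APIs at runtime.
    if (oh.DataDirectory[1].VirtualAddress == 0) r.findings.push_back("no import table");
    // No digital signature: the security directory would hold the Authenticode blob.
    if (oh.DataDirectory[4].Size == 0) r.findings.push_back("no Authenticode signature");
    for (size_t i = 0, sh = pe + 4 + sizeof fh + fh.SizeOfOptionalHeader; i < fh.NumberOfSections;
         ++i, sh += sizeof(PeSectionHeader)) {
        if (sh + sizeof(PeSectionHeader) > f.size()) { r.findings.push_back("section table truncated"); break; }
        PeSectionHeader s{}; std::memcpy(&s, f.data() + sh, sizeof s);
        size_t len = 0; while (len < 8 && s.Name[len]) ++len; std::string name(s.Name, len);
        if (alignOk && (s.VirtualAddress % oh.SectionAlignment || s.PointerToRawData % oh.FileAlignment))
            r.findings.push_back("misaligned section " + name);
        // Encrypted payload: high-entropy .data or .rsrc (7.2 bits/byte is an assumed cut-off).
        bool inFile = (size_t)s.PointerToRawData + s.SizeOfRawData <= f.size();
        if ((name == ".data" || name == ".rsrc") && inFile &&
            Entropy(f.data() + s.PointerToRawData, s.SizeOfRawData) > 7.2)
            r.findings.push_back("high-entropy section " + name);
    }
    return r;
}

// Constructed sample: a minimal two-section PE32+ image built in memory (not a real binary).
// packed=true mimics a packed build: no imports, unsigned, misaligned .data, encrypted-looking .data.
std::vector<uint8_t> BuildSample(bool packed) {
    std::vector<uint8_t> f(0x1400, 0);
    PeDosHeader dos{}; dos.e_magic = 0x5A4D; dos.e_lfanew = 64;
    std::memcpy(f.data(), &dos, sizeof dos); std::memcpy(f.data() + 64, "PE\0\0", 4);
    PeFileHeader fh{}; fh.Machine = 0x8664; fh.NumberOfSections = 2;
    fh.SizeOfOptionalHeader = sizeof(PeOptionalHeader64); fh.Characteristics = 0x22;
    std::memcpy(f.data() + 68, &fh, sizeof fh);
    PeOptionalHeader64 oh{}; oh.Magic = 0x20B; oh.SectionAlignment = 0x1000; oh.FileAlignment = 0x200;
    oh.ImageBase = 0x140000000ULL; oh.AddressOfEntryPoint = 0x1000; oh.SizeOfHeaders = 0x200;
    oh.SizeOfImage = 0x3000; oh.NumberOfRvaAndSizes = 16;
    if (!packed) { oh.DataDirectory[1] = PeDataDir{0x2000, 40}; oh.DataDirectory[4] = PeDataDir{0x1400, 0x800}; }
    std::memcpy(f.data() + 88, &oh, sizeof oh);
    PeSectionHeader s[2]{};
    std::memcpy(s[0].Name, ".text", 5); s[0].VirtualAddress = 0x1000; s[0].VirtualSize = 0x200;
    s[0].PointerToRawData = 0x200; s[0].SizeOfRawData = 0x200; s[0].Characteristics = 0x60000020;
    std::memcpy(s[1].Name, ".data", 5); s[1].VirtualAddress = packed ? 0x2100 : 0x2000;
    s[1].VirtualSize = 0x1000; s[1].PointerToRawData = 0x400; s[1].SizeOfRawData = 0x1000;
    s[1].Characteristics = 0xC0000040; std::memcpy(f.data() + 328, s, sizeof s);
    uint32_t x = 0x9E3779B9u;   // xorshift32 output stands in for an encrypted payload
    for (size_t i = 0; i < 0x1000; ++i) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        f[0x400 + i] = packed ? uint8_t(x) : uint8_t(i % 4 == 0 ? 'A' : 0);
    }
    return f;
}
```

Calling `ShouldScan(fileSize)` first and `ScanPe(bytes)` only when it returns true gives the two-stage flow the section describes. On the constructed samples the clean image produces no findings, while the packed one trips four of them (missing imports, no signature, a misaligned .data section and high-entropy .data), which is the point at which a per-variant packer makes every build look the same to this kind of scanner.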


DLL Injection and Syscall Hooking (Phase Three)

The core prevention logic was injected via a custom DLL into suspicious processes at runtime. This DLL hooked critical syscalls used by malware — like NtWriteVirtualMemory, NtCreateThreadEx, and NtOpenProcess.

Instead of relying on LoadLibraryA, we used manual mapping:

This ensured:

  • Our DLL wasn't in the module list

  • AVs couldn't easily extract the binary

  • It executed earlier than the malware itself


Early Execution with TLS Callbacks

To ensure we ran before Easy SuperInfector's payloads activated, I used TLS callbacks to trigger our protection before main() or DllMain().

TLS-based injection gave us control early enough to block any API hooking or inline patching Easy SuperInfector tried.


Certificate Verification (Bypassing Local Trust)

Instead of relying on WinVerifyTrust, which could be tricked by adding certs to the root store, I implemented manual chain traversal and checked for a Microsoft root CA match only:


Results

This method didn’t just neutralize Easy SuperInfector; it also inadvertently blocked over 100 other malware families using the same syscall patterns. The Easy SuperInfector owner then quit working on this RAT.

Eventually, Easy SuperInfector's developer was arrested after his IP was breached on a forum, and he was then reported for unrelated illegal child activity. But from the moment my prevention system was deployed, their infection rate dropped to near zero. Shortly before this arrest, the developer started selling user information, logged accounts, and users. Cheat forums stopped reporting Easy SuperInfector logs, and the RAT’s entire Discord and web infrastructure fell apart weeks later.


