Tuesday, June 25, 2024

How Hackers Using Packers To Hide Malware & Bypass Defenses

Hackers use packers maliciously to make their code difficult to recognize, as most antivirus programs are coded to be able to recognize these packers. 

The packers initialize and encrypt the original malware payload into a new form, which is hard to detect using signature detection and also makes it hard to reverse engineer the packer itself. 

Apart from this, packers can also be used to evade security measures the techniques that can be used are code injection and process hollowing.

Cybersecurity analysts at CheckPoint recently discovered that hackers have been actively exploiting the packers to hide malware.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Technical Analysis

BoxedApp commercial packers have been increasingly abused by threat actors, who use them to spread malware, mainly targeting the financial and government sectors.

The advanced functionality of common products such as BoxedApp Packer and BxILMerge includes virtual file systems, registries, processes, API hooking, and packing, among other things.

These features allow attackers to hide their malware, bypass detection mechanisms, and make analysis difficult, researchers said.

For an application that is to be packed with BoxedApp, the format generated is a single PE binary which is then packed, and all the Destroyed Imports are solved at the run time from a TLS Callback. 

This sets up two components of the Virtual Storage: the Virtual File System and the Virtual Registry.

Consequently, ignoring calls that are not related to the current process, BoxedApp emulates I/O operations and runs them within this in-memory Virtual Storage instead of passing these calls to the operating system and writing files to disk. 

Simplified logic of BoxedApp internals (Source – Check Point)

It is also possible to make the content of the Virtual Storage file more compact through optional compression, which further hides its contents.

It can also be created by injecting the original executable file into any suspended operating system process. 

Some tools, notably BoxedApp Packer and BxILMerge, which use such possibilities, allow packing applications with their dependencies inside a single executable that launches in a virtualized environment.

When packing a .NET application with BoxedApp Packer, a particular DotNetAppStub native PE wraps the original .NET PE into the .bxpck section along with the Virtual Storage. This stub initializes BoxedApp and enables in-memory execution of the .NET PE.

BoxedApp’s virtual storage system is used by BxILMerge to merge .NET assemblies, unmanaged dependencies, and other files into a single .NET assembly.

The custom resolver of the assembly takes care of these virtual files’ input and output operations without dumping anything on the hard disk.

Though possible, statically unpacking the files from the Virtual Storage does not work as well as dynamically dumping packed PE from memory and reassembling the import address table resolved at run-time since there are instances when existing static unpacking tools do not always perform their duties reliably.

The use of BoxedApp commercial packers has seen a notable upward trend over the past year, particularly in the form of BoxedApp Packer and BxILMerge, which are used to distribute RATs and stealers.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles