Monday, October 7, 2024

How Hackers Using Packers To Hide Malware & Bypass Defenses

Hackers use packers to make malicious code difficult to recognize, even though most antivirus programs are built to recognize the common packers.

A packer compresses and/or encrypts the original malware payload into a new form that is hard to detect with signature-based scanning, and the packer's own runtime is itself hard to reverse engineer.

Packers can also be combined with other evasion techniques, such as code injection and process hollowing, to bypass security measures.


Cybersecurity analysts at Check Point recently found that threat actors have been actively abusing commercial packers to hide malware.


Technical Analysis

BoxedApp commercial packers have been increasingly abused by threat actors, who use them to spread malware, mainly targeting the financial and government sectors.

Products such as BoxedApp Packer and BxILMerge offer advanced functionality, including virtual file systems, a virtual registry, virtual processes, API hooking, and packing.

These features allow attackers to hide their malware, bypass detection mechanisms, and make analysis difficult, the researchers said.

When an application is packed with BoxedApp, the output is a single PE binary. Its import table is destroyed at packing time, and all of the destroyed imports are resolved at run time from a TLS callback.

That callback sets up the two components of the Virtual Storage: the Virtual File System and the Virtual Registry.

BoxedApp then hooks I/O operations and, ignoring calls that are not related to the current process, emulates them inside this in-memory Virtual Storage instead of passing them to the operating system and writing files to disk.

[Figure: Simplified logic of BoxedApp internals (Source: Check Point)]

The content of the Virtual Storage can also be made more compact through optional compression, which further obscures its contents.

The packed application can also be launched by injecting the original executable into a suspended operating system process (the process hollowing technique mentioned above).

Tools that build on these capabilities, notably BoxedApp Packer and BxILMerge, allow an application to be packed together with its dependencies inside a single executable that launches in a virtualized environment.

When packing a .NET application with BoxedApp Packer, a particular DotNetAppStub native PE wraps the original .NET PE into the .bxpck section along with the Virtual Storage. This stub initializes BoxedApp and enables in-memory execution of the .NET PE.

BoxedApp’s virtual storage system is used by BxILMerge to merge .NET assemblies, unmanaged dependencies, and other files into a single .NET assembly.

A custom assembly resolver takes care of the input and output operations on these virtual files without writing anything to disk.

Statically unpacking the files from the Virtual Storage is possible, but the existing static unpacking tools do not always work reliably. In practice, dynamically dumping the packed PE from memory and rebuilding the import address table that was resolved at run time works better.
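Two of the indicators described above (the `.bxpck` container section that BoxedApp Packer adds, and the TLS callback that resolves imports before the entry point runs) are visible in the PE headers of the packed file, and the optional compression shows up as a high-entropy section. The following Python script is an added example, not Check Point's tooling or any BoxedApp code: it parses the PE header with the standard library only, lists the sections, checks the TLS data directory, and measures per-section Shannon entropy. The sample PE files are constructed in memory for the demonstration, and the 7.0 entropy threshold is an assumed heuristic value, not one taken from the analysis.

```python
import math
import struct
from collections import Counter

TLS_DIRECTORY_INDEX = 9          # IMAGE_DIRECTORY_ENTRY_TLS
HIGH_ENTROPY = 7.0               # assumed heuristic threshold (max is 8.0)
SUSPICIOUS_SECTIONS = {b".bxpck"}  # container section named in the analysis


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; ~8.0 for compressed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Minimal PE header parser: section table and the TLS data directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:       # PE32: data directories start at optional-header offset 96
        dd_off = opt + 96
    elif magic == 0x20B:     # PE32+: data directories start at offset 112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic")
    num_dd = struct.unpack_from("<I", data, dd_off - 4)[0]  # NumberOfRvaAndSizes
    tls_rva = tls_size = 0
    if num_dd > TLS_DIRECTORY_INDEX:
        tls_rva, tls_size = struct.unpack_from("<II", data, dd_off + 8 * TLS_DIRECTORY_INDEX)
    sections = []
    sec_off = opt + opt_size
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "rva": va, "raw_size": rawsize, "raw_ptr": rawptr,
                         "characteristics": sc})
    return {"magic": magic, "sections": sections, "tls_rva": tls_rva, "tls_size": tls_size}


def assess(data: bytes) -> list:
    """Return human-readable findings for the packer indicators discussed above."""
    pe = parse_pe(data)
    findings = []
    for s in pe["sections"]:
        name = s["name"].decode("ascii", "replace")
        if s["name"] in SUSPICIOUS_SECTIONS:
            findings.append(f"section {name}: BoxedApp Packer container section present")
        ent = shannon_entropy(data[s["raw_ptr"]:s["raw_ptr"] + s["raw_size"]])
        if ent > HIGH_ENTROPY:
            findings.append(f"section {name}: entropy {ent:.2f} suggests compressed/encrypted content")
    if pe["tls_rva"]:
        findings.append("TLS directory present: callbacks run before the entry point "
                        "(where BoxedApp resolves its destroyed imports)")
    return findings


def build_sample_pe(sections, with_tls: bool) -> bytes:
    """Construct a minimal PE32 image (sample data for the demo, not a real binary)."""
    nsec = len(sections)
    opt_size = 224
    headers_len = 64 + 4 + 20 + opt_size + 40 * nsec
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    if with_tls:
        struct.pack_into("<II", opt, 96 + 8 * TLS_DIRECTORY_INDEX, 0x3000, 24)
    table, raw = bytearray(), bytearray()
    rva, ptr = 0x1000, headers_len
    for name, content in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(content), rva,
                             len(content), ptr, 0, 0, 0, 0, 0x60000020)
        raw += content
        ptr += len(content)
        rva += 0x1000
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table) + bytes(raw)


if __name__ == "__main__":
    plain = build_sample_pe([(b".text", b"A" * 4096)], with_tls=False)
    packed = build_sample_pe([(b".text", b"A" * 4096),
                              (b".bxpck", bytes(range(256)) * 16)], with_tls=True)
    print("plain  :", assess(plain))
    print("packed :", assess(packed))
```

A TLS directory on its own is not malicious (many legitimate compilers emit one), so treat these findings as a triage signal that a sample deserves the dynamic memory-dump and IAT-rebuild workflow described above, rather than as a verdict.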

The use of BoxedApp commercial packers has seen a notable upward trend over the past year, particularly in the form of BoxedApp Packer and BxILMerge, which are used to distribute RATs and stealers.


Tushar Subhra
Tushar is a cyber security content editor with a passion for creating captivating and informative content. With years of experience in cyber security, he covers cyber security news, technology and other news.
