How Hackers Using Packers To Hide Malware & Bypass Defenses

Hackers use packers maliciously to make their code difficult to recognize, as most antivirus programs are coded to be able to recognize these packers. 

The packers initialize and encrypt the original malware payload into a new form, which is hard to detect using signature detection and also makes it hard to reverse engineer the packer itself. 

Apart from this, packers can also be used to evade security measures the techniques that can be used are code injection and process hollowing.

Cybersecurity analysts at CheckPoint recently discovered that hackers have been actively exploiting the packers to hide malware.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Technical Analysis

BoxedApp commercial packers have been increasingly abused by threat actors, who use them to spread malware, mainly targeting the financial and government sectors.

The advanced functionality of common products such as BoxedApp Packer and BxILMerge includes virtual file systems, registries, processes, API hooking, and packing, among other things.

These features allow attackers to hide their malware, bypass detection mechanisms, and make analysis difficult, researchers said.

For an application that is to be packed with BoxedApp, the format generated is a single PE binary which is then packed, and all the Destroyed Imports are solved at the run time from a TLS Callback. 

This sets up two components of the Virtual Storage: the Virtual File System and the Virtual Registry.

Consequently, ignoring calls that are not related to the current process, BoxedApp emulates I/O operations and runs them within this in-memory Virtual Storage instead of passing these calls to the operating system and writing files to disk. 

It is also possible to make the content of the Virtual Storage file more compact through optional compression, which further hides its contents.

It can also be created by injecting the original executable file into any suspended operating system process. 

Some tools, notably BoxedApp Packer and BxILMerge, which use such possibilities, allow packing applications with their dependencies inside a single executable that launches in a virtualized environment.

When packing a .NET application with BoxedApp Packer, a particular DotNetAppStub native PE wraps the original .NET PE into the .bxpck section along with the Virtual Storage. This stub initializes BoxedApp and enables in-memory execution of the .NET PE.

BoxedApp’s virtual storage system is used by BxILMerge to merge .NET assemblies, unmanaged dependencies, and other files into a single .NET assembly.

The custom resolver of the assembly takes care of these virtual files’ input and output operations without dumping anything on the hard disk.

Though possible, statically unpacking the files from the Virtual Storage does not work as well as dynamically dumping packed PE from memory and reassembling the import address table resolved at run-time since there are instances when existing static unpacking tools do not always perform their duties reliably.

The use of BoxedApp commercial packers has seen a notable upward trend over the past year, particularly in the form of BoxedApp Packer and BxILMerge, which are used to distribute RATs and stealers.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo