How Hackers Using Packers To Hide Malware & Bypass Defenses

Hackers use packers maliciously to make their code difficult to recognize, as most antivirus programs are coded to be able to recognize these packers. 

The packers initialize and encrypt the original malware payload into a new form, which is hard to detect using signature detection and also makes it hard to reverse engineer the packer itself. 

Apart from this, packers can also be used to evade security measures the techniques that can be used are code injection and process hollowing.

Cybersecurity analysts at CheckPoint recently discovered that hackers have been actively exploiting the packers to hide malware.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

Technical Analysis

BoxedApp commercial packers have been increasingly abused by threat actors, who use them to spread malware, mainly targeting the financial and government sectors.

The advanced functionality of common products such as BoxedApp Packer and BxILMerge includes virtual file systems, registries, processes, API hooking, and packing, among other things.

These features allow attackers to hide their malware, bypass detection mechanisms, and make analysis difficult, researchers said.

For an application that is to be packed with BoxedApp, the format generated is a single PE binary which is then packed, and all the Destroyed Imports are solved at the run time from a TLS Callback. 

This sets up two components of the Virtual Storage: the Virtual File System and the Virtual Registry.

Consequently, ignoring calls that are not related to the current process, BoxedApp emulates I/O operations and runs them within this in-memory Virtual Storage instead of passing these calls to the operating system and writing files to disk. 

Simplified logic of BoxedApp internals (Source – Check Point)

It is also possible to make the content of the Virtual Storage file more compact through optional compression, which further hides its contents.

It can also be created by injecting the original executable file into any suspended operating system process. 

Some tools, notably BoxedApp Packer and BxILMerge, which use such possibilities, allow packing applications with their dependencies inside a single executable that launches in a virtualized environment.

When packing a .NET application with BoxedApp Packer, a particular DotNetAppStub native PE wraps the original .NET PE into the .bxpck section along with the Virtual Storage. This stub initializes BoxedApp and enables in-memory execution of the .NET PE.

BoxedApp’s virtual storage system is used by BxILMerge to merge .NET assemblies, unmanaged dependencies, and other files into a single .NET assembly.

The custom resolver of the assembly takes care of these virtual files’ input and output operations without dumping anything on the hard disk.

Though possible, statically unpacking the files from the Virtual Storage does not work as well as dynamically dumping packed PE from memory and reassembling the import address table resolved at run-time since there are instances when existing static unpacking tools do not always perform their duties reliably.

The use of BoxedApp commercial packers has seen a notable upward trend over the past year, particularly in the form of BoxedApp Packer and BxILMerge, which are used to distribute RATs and stealers.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 

Tushar Subhra Dutta

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Hackers Claiming Dettol Data Breach: 453,646 users Impacted

A significant data breach has been reported by a threat actor known as 'Hana,' who claims to have compromised the…

2 days ago

CrowdStrike Update Triggers Widespread Windows BSOD Crashes

A recent update from cybersecurity firm CrowdStrike has caused significant disruptions for Windows users, leading to widespread reports of Blue…

2 days ago

Operation Spincaster Disrupts Approval Phishing Technique that Drains Victim’s Wallets

Chainalysis has launched Operation Spincaster, an initiative to disrupt approval phishing scams that have drained billions from victims' wallets. This…

2 days ago

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems…

3 days ago

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and often have extensive community support, making…

3 days ago

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are largely employed for communication and collaboration,…

3 days ago