Monday, March 3, 2025

Threat Actors Exploiting AES Encryption for Stealthy Payload Protection


Cybersecurity researchers have uncovered a surge in the use of Advanced Encryption Standard (AES) encryption by threat actors to shield malicious payloads from detection.

This technique, combined with code virtualization and staged payload delivery, is being employed by malware families such as Agent Tesla, XWorm, and FormBook/XLoader to evade static analysis tools and sandbox environments.

Multi-Layered Obfuscation: A Technical Breakdown

Malware developers are leveraging sophisticated obfuscation methods to protect their payloads.

At the forefront is AES encryption, a symmetric block cipher that encrypts data using a shared key.

Figure: AES encryption operating in CBC mode.

Unlike simpler methods such as XOR encryption, AES offers robust security by transforming plaintext into ciphertext through multiple rounds of substitution and permutation.

In the observed samples, AES operates in Cipher Block Chaining (CBC) mode, in which each plaintext block is chained to the preceding ciphertext block, with an initialization vector (IV) starting the chain, so the key and IV must both be recovered before the payload can be decrypted.

The initial stage of these malware samples involves embedding encrypted payloads within the Portable Executable (PE) overlay.

This area of the file, often overlooked by static analysis tools, contains key cryptographic parameters such as the AES key and IV, delimited by specific markers.

These parameters are padded with arbitrary sequences to evade signature-based detection systems.
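To make that overlay layout concrete, the following is an added analyst-side extractor written for this article, not code from Unit 42 or from the malware: it assumes hypothetical `[KEY]`, `[IV]` and `[DATA]` markers with `[/...]` closers, arbitrary filler between them, and PKCS#7-padded AES-CBC ciphertext, and it builds a constructed sample overlay so the extraction can be run offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

var keyTag, ivTag, dataTag = []byte("[KEY]"), []byte("[IV]"), []byte("[DATA]") // hypothetical markers

// between returns the bytes enclosed by tag and its closing "[/...]" form, or nil if absent.
func between(buf, tag []byte) []byte {
	_, after, ok1 := bytes.Cut(buf, tag)
	val, _, ok2 := bytes.Cut(after, append([]byte("[/"), tag[1:]...))
	if !ok1 || !ok2 {
		return nil
	}
	return val
}
// DecryptOverlay locates the tagged key, IV and ciphertext (ignoring the filler around
// them) and CBC-decrypts the payload, validating the PKCS#7 padding as a sanity check.
func DecryptOverlay(overlay []byte) ([]byte, error) {
	key, iv, ct := between(overlay, keyTag), between(overlay, ivTag), between(overlay, dataTag)
	block, err := aes.NewCipher(key) // nil key fails here; 16-, 24- and 32-byte keys accepted
	if err != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("key, IV or ciphertext missing or not block-aligned")
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // a wrong key or tampered data almost always breaks the padding
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("bad padding: wrong key or corrupted ciphertext")
	}
	return pt[:len(pt)-n], nil
}
// BuildSampleOverlay assembles a constructed overlay so the extractor can be exercised offline.
func BuildSampleOverlay(key, iv, plaintext []byte) []byte {
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	buf := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // encrypt in place
	f := []byte("~~arbitrary filler~~")
	return bytes.Join([][]byte{f, keyTag, key, []byte("[/KEY]"), f, ivTag, iv, []byte("[/IV]"), f, dataTag, buf, []byte("[/DATA]")}, nil)
}
func main() {
	ov := BuildSampleOverlay([]byte("0123456789abcdef0123456789abcdef"), []byte("fedcba9876543210"), []byte("stage-2 dropper (constructed)"))
	pt, err := DecryptOverlay(ov)
	fmt.Printf("%q %v\n", pt, err)
}
```

Real samples use their own delimiters and may store binary keys that contain marker bytes, so a production extractor would anchor on the PE overlay offset and use length-aware parsing rather than plain substring search.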

Following decryption, the second stage employs code virtualization using KoiVM, a plugin for the ConfuserEx obfuscation tool.

This technique converts standard code into a proprietary intermediate language that can only be executed by a custom virtual machine (VM).

The VM’s dispatcher routes instructions to specialized handlers, making reverse engineering extremely challenging for analysts.

The Stage 2 payload acts as a dropper, decrypting and loading the final malicious code into memory.

Final Payload Execution: A Stealthy Approach

The final stage involves executing the decrypted payload directly in memory, bypassing traditional file-based detection methods.

The payloads analyzed predominantly belong to the Agent Tesla and XWorm families, with some samples delivering FormBook/XLoader shellcode.

Notably, XWorm further encrypts its configuration parameters using AES in Electronic Codebook (ECB) mode, with hardcoded keys stored within the malware’s variables.

According to Unit 42 researchers, these multi-staged techniques allow threat actors to dynamically load and execute malicious code while evading detection mechanisms.

By leveraging .NET reflection capabilities, malware can introduce new objects or manipulate existing ones at runtime, further complicating analysis.

The adoption of advanced obfuscation techniques underscores the evolving sophistication of cyber threats.

Traditional static analysis tools face significant challenges in detecting such multi-layered malware.

Security solutions must adapt by incorporating behavioral analytics and machine learning to identify anomalies during runtime.

Such solutions leverage behavioral threat protection and anti-exploitation modules to detect and neutralize threats before they can execute.

As threat actors continue to innovate, collaboration among cybersecurity researchers and vendors remains critical to counteract these advanced techniques effectively.


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
