Cybersecurity experts have recently uncovered a troubling trend in the world of cyber attacks – hackers are increasingly using packers as a means to conceal their malicious code and evade detection by antivirus programs and other security measures.
Packer technology, which is commonly utilized to make software distribution more efficient, is being repurposed by threat actors to obfuscate their malware payloads. By encrypting and transforming the original malicious code into a new form, hackers are able to evade signature-based detection and make reverse engineering the packer itself a challenging task. Furthermore, packers can also be leveraged to bypass security measures through techniques like code injection and process hollowing.
In a recent investigation, cybersecurity analysts at Check Point have identified a surge in the abuse of commercial packers, with threat actors targeting industries such as finance and government. A notable product that has been exploited by hackers is BoxedApp Packer, which offers advanced features like virtual file systems, registries, processes, and API hooking.
The use of BoxedApp packers enables attackers to conceal their malware, circumvent detection mechanisms, and complicate the analysis process for researchers. The packer produces a single PE binary whose imports are destroyed in the file and resolved only at runtime, and it builds a Virtual Storage environment consisting of Virtual File Systems and Virtual Registries. This setup allows hackers to emulate I/O operations within the in-memory Virtual Storage, avoiding interaction with the operating system and leaving no files on disk.
Additionally, the Virtual Storage files can be compressed to reduce their size, further obscuring their contents. Hackers can also inject the original executable file into a suspended operating system process, creating a virtualized environment that launches within a single executable. Tools like BoxedApp Packer and BxILMerge facilitate the packing of applications and their dependencies into a self-contained executable that operates within this virtualized environment.
When packing .NET applications with BoxedApp Packer, a native PE named DotNetAppStub wraps the original .NET PE into the .bxpck section along with the Virtual Storage. This allows for in-memory execution of the .NET PE within the virtual environment. BxILMerge, on the other hand, merges .NET assemblies, unmanaged dependencies, and other files into a single .NET assembly using BoxedApp’s virtual storage system.
While unpacking files from the Virtual Storage is possible, static unpacking tools may not always perform reliably. As a result, dynamically dumping the packed PE from memory and reassembling the resolved import address table at runtime may be a more effective approach in some cases.
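The `.bxpck` section name mentioned above is a useful static triage indicator for files produced by BoxedApp Packer. The following is an added example, not code from the article or from Check Point, that parses the PE section table with only the Python standard library and flags any file carrying that section. The sample PE it scans is constructed in memory for the test and is not a runnable executable; the `build_sample_pe` and `boxedapp_indicators` names are this example's own.

```python
import struct

# Section name the article associates with BoxedApp Packer output.
BOXEDAPP_SECTION = ".bxpck"


def build_sample_pe(section_names):
    """Construct a minimal PE-shaped byte string with the given section names.

    Constructed test data for this example only: the image has empty headers
    and no code, so it cannot execute, but its section table is well formed.
    """
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    size_opt = 0xE0  # size of a PE32 optional header
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    opt = bytes(size_opt)
    table = b""
    for i, name in enumerate(section_names):
        raw_name = name.encode("ascii")[:8].ljust(8, b"\x00")
        # IMAGE_SECTION_HEADER after Name: VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, PointerToRelocations,
        # PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
        # Characteristics (40 bytes per entry in total)
        table += raw_name + struct.pack(
            "<IIIIIIHHI", 0x1000, 0x1000 * (i + 1), 0x200, 0x400 + 0x200 * i,
            0, 0, 0, 0, 0x60000020)
    return bytes(dos) + b"PE\x00\x00" + coff + opt + table


def pe_section_names(data):
    """Return the section names of a PE image, validating headers on the way."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff_off + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff_off + 16)[0]
    sec_off = coff_off + 20 + size_opt
    names = []
    for i in range(num_sections):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return names


def boxedapp_indicators(data):
    """List section names that match the BoxedApp indicator (empty if none)."""
    return [n for n in pe_section_names(data) if n == BOXEDAPP_SECTION]


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata", BOXEDAPP_SECTION])
    print("sections:", pe_section_names(sample))
    print("BoxedApp indicators:", boxedapp_indicators(sample))
```

A match only tells you the file was packed with BoxedApp, which legitimate software also uses, so treat the hit as a reason to escalate to dynamic analysis (memory dumping and import reconstruction, as described above) rather than as a malware verdict on its own. The same check can be applied to files on disk by reading them into `data` before calling `boxedapp_indicators`.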
The rise in the use of BoxedApp commercial packers, particularly BoxedApp Packer and BxILMerge, has been noted over the past year, with attackers leveraging these tools to distribute Remote Access Trojans (RATs) and stealers. This trend underscores the evolving tactics employed by threat actors to evade detection and infiltrate target systems.
In light of these developments, cybersecurity professionals are urged to remain vigilant and stay informed about the latest advancements in malware evasion techniques. By understanding how hackers utilize packers to conceal their malicious activities, organizations can enhance their security measures and protect against emerging cyber threats.
