Obfuscated Files or Information: Software Packing
Other sub-techniques of Obfuscated Files or Information (5)
ID | Name |
---|---|
T1027.001 | Binary Padding |
T1027.002 | Software Packing |
T1027.003 | Steganography |
T1027.004 | Compile After Delivery |
T1027.005 | Indicator Removal from Tools |
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [2] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
Procedure Examples
Name | Description |
---|---|
Anchor | |
APT29 | |
APT3 | |
APT38 |
APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[6] |
APT39 |
APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[7][8] |
Astaroth |
Astaroth uses a software packer called Pe123\RPolyCryptor.[9] |
China Chopper |
China Chopper's client component is packed with UPX.[10] |
Dark Caracal |
Dark Caracal has used UPX to pack Bandook.[11] |
DarkComet |
DarkComet has the option to compress its payload using UPX or MPRESS.[12] |
Daserf | |
Dyre |
Dyre has been delivered with encrypted resources and must be unpacked for execution.[14] |
Elderwood |
Elderwood has packed malware payloads before delivery to victims.[15] |
Emotet | |
FatDuke |
FatDuke has been regularly repacked by its operators to create large binaries and evade detection.[17] |
FinFisher | |
GreyEnergy |
GreyEnergy is packed for obfuscation.[20] |
H1N1 | |
HotCroissant |
HotCroissant has used the open source UPX executable packer.[22] |
IcedID | |
jRAT | |
Lazarus Group |
Lazarus Group has used Themida to pack at least two separate backdoor implants.[25] |
Lokibot |
Lokibot has used several packing methods for obfuscation.[26] |
Machete | |
Metamorfo | |
Night Dragon |
Night Dragon is known to use software packing in its tools.[29] |
OopsIE |
OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[30] |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has a variant that is packed with UPX.[31] |
Patchwork | |
Raindrop |
Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[33][34] |
Rocke |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[35][36][37] |
SDBot | |
SeaDuke | |
ShimRat |
ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[40] |
Soft Cell |
Soft Cell packed some payloads using different types of packers, both known and custom.[41] |
TA505 | |
The White Company |
The White Company has obfuscated their payloads through packing.[42] |
TrickBot |
TrickBot leverages a custom packer to obfuscate its functionality.[43] |
Trojan.Karagany |
Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[44][45] |
Uroburos | |
Valak | |
VERMIN | |
yty | |
Zebrocy | |
ZeroT |
Mitigations
Mitigation | Description |
---|---|
Antivirus/Antimalware |
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
Detection
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
References
- Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
- Executable compression. (n.d.). Retrieved December 4, 2014.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.