Unauthorized Access to Genuine Packer Software Used to Disseminate Malware Secretively

Jun 06, 2024 | Newsroom | Endpoint Security / Malware

Threat actors are increasingly abusing legitimate, commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers.


An analysis by Check Point security researcher Jiri Vinopal revealed that “The majority of the attributed malicious samples targeted financial institutions and government industries.”

According to the Israeli cybersecurity firm, there was a significant rise in the number of samples packed with BoxedApp submitted to the Google-owned VirusTotal malware scanning platform around May 2023, with the submissions primarily coming from Turkey, the U.S., Germany, France, and Russia.


Notable malware families distributed through this method include Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell.

Packers are self-extracting archives commonly used to bundle software and reduce its size. Over time, however, threat actors have repurposed these tools to add an extra layer of obfuscation to their payloads in an effort to evade analysis.

The surge in the abuse of BoxedApp products such as BoxedApp Packer and BxILMerge is linked to several advantages that make them an appealing choice for attackers seeking to deploy malware without triggering alerts from endpoint security systems.

BoxedApp Packer is capable of packing both native and .NET PEs, while BxILMerge, similar to ILMerge, is specifically designed for packing .NET applications.


A side effect is that applications packed with BoxedApp, whether malicious or benign, are frequently flagged by anti-malware programs, producing a high rate of false positives.
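As an added illustration (not code from the article or from Check Point), the stdlib-only Python below walks a PE section table and flags sections whose byte entropy approaches 8 bits, the classic packed-binary heuristic behind many of the detections described here. It assumes a 7.0-bit threshold and builds its own constructed minimal PE; the same logic fires on a legitimately packed application, which is exactly the false-positive problem noted above.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 means compressed/encrypted content, typical of packed sections."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(pe: bytes):
    """Minimal PE section-table walk (stdlib only, no pefile). Yields (name, raw bytes)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, num_sections, _ts, _sym, _nsym, opt_size, _flags = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, pe[raw_ptr:raw_ptr + raw_size]

def packed_score(pe: bytes, threshold: float = 7.0):
    """Return (likely_packed, findings). Heuristic: benign packed apps and compressed resources also score high."""
    findings = []
    for name, data in pe_sections(pe):
        ent = shannon_entropy(data)
        if ent >= threshold:  # 7.0 bits is an assumed tuning value, not a vendor figure
            findings.append(f"section {name!r}: entropy {ent:.2f}")
    return bool(findings), findings

def build_sample_pe(sections) -> bytes:
    """Construct a minimal in-memory PE (constructed test data): DOS header, PE signature, COFF header, dummy optional header, section table, raw data."""
    e_lfanew, opt_size = 0x40, 16
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    headers, bodies = [], []
    for name, data in sections:
        hdr = name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), raw_ptr)
        headers.append(hdr + b"\0" * 16)  # relocation/line-number fields and Characteristics left zero
        bodies.append(data)
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + b"".join(headers) + b"".join(bodies)
```

Run it on `build_sample_pe([(".text", b"\x55\x8b\xec" * 1000), (".packed", bytes(range(256)) * 16)])` to see the high-entropy section flagged while the plain one passes.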

Discussing the situation, Vinopal noted, “By packing the malicious payloads, attackers managed to reduce the detection of known threats, fortify their analysis, and leverage advanced features of BoxedApp SDK (e.g., Virtual Storage) without having to create them from scratch.”

“The BoxedApp SDK itself offers opportunities to develop a custom, unique packer that exploits the most advanced features and is varied enough to evade static detection.”

Malware families such as Agent Tesla, FormBook, LokiBot, Remcos, and XLoader have also been distributed using an illicit packer called NSIXloader, which is built on the Nullsoft Scriptable Install System (NSIS). The diverse set of payloads it delivers indicates that NSIXloader is commoditized and sold on the dark web.


“NSIS allows cybercriminals to create samples that seem legitimate at first glance,” stated security researcher Alexey Bukhteyev, highlighting the advantages of using NSIS.

“Since NSIS handles compression by itself, malware developers don’t need to implement compression and decompression algorithms. NSIS’s scripting capabilities facilitate the inclusion of malicious functionalities within the script, increasing the analysis complexity.”

The QiAnXin XLab team disclosed details of another packer, named Kiteshield, used by multiple threat actors, including Winnti and DarkMosquito, to target Linux systems.

XLab researchers stated, “Kiteshield is a packer/protector for x86-64 ELF binaries on Linux. It wraps ELF binaries with multiple layers of encryption and inserts them with loader code that decrypts, maps, and executes the packed binary entirely in userspace.”
