Obfuscated Files or Information: Software Packing
Other sub-techniques of Obfuscated Files or Information (5)
ID | Name |
---|---|
T1027.001 | Binary Padding |
T1027.002 | Software Packing |
T1027.003 | Steganography |
T1027.004 | Compile After Delivery |
T1027.005 | Indicator Removal from Tools |
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [2] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
Procedure Examples
Name | Description |
---|---|
APT29 | |
APT3 | |
APT38 |
APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[34] |
APT39 |
APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[37][38] |
Astaroth |
Astaroth uses a software packer called Pe123\RPolyCryptor.[18] |
China Chopper |
China Chopper's client component is packed with UPX.[21] |
Dark Caracal |
Dark Caracal has used UPX to pack Bandook.[35] |
DarkComet |
DarkComet has the option to compress its payload using UPX or MPRESS.[16] |
Daserf | |
Dyre |
Dyre has been delivered with encrypted resources and must be unpacked for execution.[29] |
Elderwood |
Elderwood has packed malware payloads before delivery to victims.[30] |
Emotet | |
FinFisher | |
GreyEnergy |
GreyEnergy is packed for obfuscation.[11] |
H1N1 | |
HotCroissant |
HotCroissant has used the open source UPX executable packer.[25] |
jRAT | |
Lokibot |
Lokibot has used several packing methods for obfuscation.[27] |
Machete | |
Night Dragon |
Night Dragon is known to use software packing in its tools.[36] |
OopsIE |
OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[7] |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has a variant that is packed with UPX.[23] |
Patchwork | |
Rocke |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[41][42][43] |
SDBot | |
SeaDuke | |
ShimRat |
ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[26] |
Soft Cell |
Soft Cell packed some payloads using different types of packers, both known and custom.[40] |
TA505 | |
The White Company |
The White Company has obfuscated their payloads through packing.[39] |
TrickBot |
TrickBot leverages a custom packer to obfuscate its functionality.[8] |
Trojan.Karagany |
Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[10] |
Uroburos | |
VERMIN | |
yty | |
Zebrocy | |
ZeroT |
Mitigations
Mitigation | Description |
---|---|
Antivirus/Antimalware |
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |
Detection
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
References
- Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
- Executable compression. (n.d.). Retrieved December 4, 2014.
- Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.