T1027.004: Compile After Delivery
T1027.005: Indicator Removal from Tools
T1027.007: Dynamic API Resolution
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most packers decompress the executable code in memory at run time, so the original code never appears unpacked on disk. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
|C0025||2016 Ukraine Electric Power Attack||During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.|
Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.
APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.
APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.
Astaroth uses a software packer called Pe123\RPolyCryptor.
Bisonal has used the MPRESS packer and similar tools for obfuscation.
BLINDINGCAN has been packed with the UPX packer.
During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.
China Chopper's client component is packed with UPX.
CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.
CSPY Downloader has been packed with UPX.
Dark Caracal has used UPX to pack Bandook.
DarkComet has the option to compress its payload using UPX or MPRESS.
Dyre has been delivered with encrypted resources and must be unpacked for execution.
Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.
Elderwood has packed malware payloads before delivery to victims.
Ember Bear has packed malware to help avoid detection.
FatDuke has been regularly repacked by its operators to create large binaries and evade detection.
GALLIUM packed some payloads using different types of packers, both known and custom.
GreyEnergy is packed for obfuscation.
HotCroissant has used the open source UPX executable packer.
LiteDuke has been packed with multiple layers of encryption.
Lokibot has used several packing methods for obfuscation.
During Night Dragon, threat actors used software packing in their tools.
OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.
|C0022||Operation Dream Job||During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.|
|C0016||Operation Dust Storm||For Operation Dust Storm, the threat actors used UPX to pack some payloads.|
For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.
OSX_OCEANLOTUS.D has a variant that is packed with UPX.
Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.
ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.
Spark has been packed with Enigma Protector to obfuscate its contents.
Squirrelwaffle has been packed with a custom packer to hide payloads.
TeamTNT has used UPX and Ezuri packer to pack its binaries.
|G0089||The White Company||The White Company has obfuscated their payloads through packing.|
Threat Group-3390 has packed malware and tools, including using VMProtect.
TrickBot leverages a custom packer to obfuscate its functionality.
Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.
ZIRCONIUM has used multi-stage packers for exploit code.
Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
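The following Python script is an added example, not part of the ATT&CK page or of any vendor's scanner. It demonstrates both the mechanism described in the technique summary (code compressed or encrypted on disk and unpacked in memory) and the file-scanning detection guidance above: it parses a PE section table by hand and reports the artifacts packing tends to leave behind, namely well-known packer section names, an empty-on-disk writable+executable section that the unpacker fills at run time, high-entropy executable sections, and an entry point that sits inside such a section. The section-name list, the 7.0 bits/byte entropy threshold and the two sample images (`CLEAN_PE`, `PACKED_PE`) are assumptions constructed for the demonstration; the script only reads headers, so it complements, rather than replaces, antivirus scanning, and a hit is a triage signal rather than proof of malice, since legitimate software is packed too.

```python
"""Static triage for software-packing artifacts in PE files (added example)."""
import math
import random
import struct
from typing import Dict, List

# Section names left behind by widely used packers (UPX, MPRESS, Themida,
# VMProtect, ASPack). Illustrative, not exhaustive: a custom packer leaves none.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2",
                        ".themida", ".vmp0", ".vmp1", ".aspack", ".adata"}
HIGH_ENTROPY = 7.0                # bits/byte; compressed or encrypted data sits near 8
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(data.count(b) / n * math.log2(data.count(b) / n) for b in set(data))


def parse_pe(pe: bytes) -> Dict:
    """Follow DOS header -> PE signature -> COFF -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]   # SizeOfOptionalHeader
    opt = coff + 20
    entry = struct.unpack_from("<I", pe, opt + 16)[0]       # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        name, vsize, vaddr, rsize, rptr, _, _, _, _, chars = SECTION_HDR.unpack_from(pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rsize": rsize,
                         "chars": chars, "data": pe[rptr:rptr + rsize]})
        off += SECTION_HDR.size
    return {"entry": entry, "sections": sections}


def packing_indicators(pe: bytes) -> List[str]:
    """Packing artifacts seen in the image; an empty list means none were found."""
    info, found = parse_pe(pe), []
    ep = info["entry"]
    for s in info["sections"]:
        ent = shannon_entropy(s["data"])
        is_wx = (s["chars"] & (SCN_WRITE | SCN_EXECUTE)) == (SCN_WRITE | SCN_EXECUTE)
        if s["name"] in PACKER_SECTION_NAMES:
            found.append(f"known packer section name: {s['name']}")
        # Empty on disk but large in memory and W+X: the unpacker's landing zone.
        if s["rsize"] == 0 and s["vsize"] > 0 and is_wx:
            found.append(f"zero raw size but {s['vsize']:#x} bytes virtual, W+X: {s['name']}")
        if ent > HIGH_ENTROPY and s["chars"] & SCN_EXECUTE:
            found.append(f"high-entropy executable section ({ent:.2f} bits/byte): {s['name']}")
        # Entry point inside a high-entropy section: execution starts in an unpacking stub.
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rsize"]) and ent > HIGH_ENTROPY:
            found.append(f"entry point {ep:#x} lies in high-entropy section: {s['name']}")
    return found


def build_pe(sections, entry: int) -> bytes:
    """Assemble a minimal PE32 image from (name, vsize, vaddr, chars, data) tuples.
    The layout parses like a real file but is not a runnable program."""
    opt_size, align = 0xE0, 0x200
    hdr_end = 0x40 + 4 + 20 + opt_size + SECTION_HDR.size * len(sections)
    body_start = -(-hdr_end // align) * align          # round up to FileAlignment
    dos = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # Magic: PE32
    struct.pack_into("<I", opt, 16, entry)               # AddressOfEntryPoint
    table, body, raw_ptr = bytearray(), bytearray(), body_start
    for name, vsize, vaddr, chars, data in sections:
        table += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), vsize, vaddr, len(data),
                                  raw_ptr if data else 0, 0, 0, 0, 0, chars)
        body += data
        raw_ptr += len(data)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(body_start, b"\0") + bytes(body)


# Constructed samples: a plain binary with low-entropy code, and a UPX-style layout
# (empty UPX0 landing section plus a high-entropy UPX1 holding stub and payload).
_rng = random.Random(0xC0FFEE)
CLEAN_PE = build_pe([
    (".text", 0x1000, 0x1000, SCN_EXECUTE, b"\x55\x8b\xec\x90" * 0x400),
    (".data", 0x1000, 0x2000, SCN_WRITE, b"config=1\n" * 0x100),
], entry=0x1000)
PACKED_PE = build_pe([
    ("UPX0", 0x8000, 0x1000, SCN_WRITE | SCN_EXECUTE, b""),
    ("UPX1", 0x1000, 0x9000, SCN_WRITE | SCN_EXECUTE,
     bytes(_rng.getrandbits(8) for _ in range(0x1000))),
], entry=0x9100)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, packing_indicators(image) or ["no packing artifacts"])
```

Running the script reports nothing for the clean image and five findings for the packed one (both UPX section names, the empty W+X landing section, the high-entropy executable section, and the entry point inside it). In practice the entropy and empty-section checks matter more than the name list, because custom packers rename or strip sections but still have to ship compressed bytes and a place to unpack them; pairing these static signals with in-memory scanning after the process starts is what catches the payload the packer was hiding.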