
Software Packing

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most packers decompress the original executable code in memory at run time.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [1] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

ID: T1045

Tactic: Defense Evasion

Platform: Windows

Data Sources: Binary file metadata

Defense Bypassed: Signature-based detection, Anti-virus, Heuristic detection

CAPEC ID: CAPEC-570

Version: 1.0

Examples

Name | Description
APT29 | APT29 used UPX to pack files.[2]
APT3 | APT3 has been known to pack their tools.[3]
Dark Caracal | Dark Caracal has used UPX to pack Bandook.[4]
Daserf | A version of Daserf uses the MPRESS packer.[5]
Elderwood | Elderwood has packed malware payloads before delivery to victims.[6]
FinFisher | A FinFisher variant uses a custom packer.[7][8]
Group5 | Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines.[9]
H1N1 | H1N1 uses a custom packing algorithm.[10]
Night Dragon | Night Dragon is known to use software packing in its tools.[11]
OopsIE | OopsIE uses the SmartAssembly obfuscator to pack an embedded .NET Framework assembly used for C2.[12]
Patchwork | A Patchwork payload was packed with UPX.[13]
SeaDuke | SeaDuke has been packed with the UPX packer.[14]
TrickBot | TrickBot leverages a custom packer to obfuscate its functionality.[15]
Trojan.Karagany | Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer.[16]
Uroburos | Uroburos uses a custom packer.[17]
VERMIN | VERMIN is initially packed.[18]
yty | yty packs a plugin with UPX.[19]
ZeroT | Some ZeroT DLL files have been packed with UPX.[20]

Mitigation

Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting[21] tools like AppLocker[22][23] or Software Restriction Policies[24] where appropriate.[25]

Detection

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

References

  1. Executable compression. (n.d.). Retrieved December 4, 2014.
  2. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  3. Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  4. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  5. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER's Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  6. O'Gorman, G. and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  7. FinFisher. (n.d.). Retrieved December 20, 2017.
  8. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  9. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  10. Reynolds, J. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  11. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
  12. Lee, B. and Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  13. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.