Software Packing

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, [1] but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

ID: T1045
Tactic: Defense Evasion
Platform: Windows
Data Sources: Binary file metadata
Defense Bypassed: Signature-based detection, Anti-virus, Heuristic detection
CAPEC ID: CAPEC-570
Version: 1.0

Procedure Examples

Name | Description
APT29 | APT29 used UPX to pack files. [23]
APT3 | APT3 has been known to pack their tools. [25]
APT32 | APT32 uses UPX to pack their macOS backdoor. [30]
APT38 | APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants. [26]
APT39 | APT39 has repacked a modified version of Mimikatz to thwart anti-virus detection. [31]
Astaroth | Astaroth uses a software packer called Pe123\RPolyCryptor. [17]
China Chopper | China Chopper's client component is packed with UPX. [20]
Dark Caracal | Dark Caracal has used UPX to pack Bandook. [27]
DarkComet | DarkComet has the option to compress its payload using UPX or MPRESS. [15]
Daserf | A version of Daserf uses the MPRESS packer. [4]
Elderwood | Elderwood has packed malware payloads before delivery to victims. [22]
Emotet | Emotet has used custom packers to protect its payloads. [16]
FinFisher | A FinFisher variant uses a custom packer. [13] [14]
GreyEnergy | GreyEnergy is packed for obfuscation. [10]
Group5 | Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines. [28]
H1N1 | H1N1 uses a custom packing algorithm. [2]
jRAT | jRAT payloads have been packed. [21]
Night Dragon | Night Dragon is known to use software packing in its tools. [29]
OopsIE | OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2. [6]
Patchwork | A Patchwork payload was packed with UPX. [24]
SeaDuke | SeaDuke has been packed with the UPX packer. [5]
Soft Cell | Soft Cell packed some payloads using different types of packers, both known and custom. [33]
The White Company | The White Company has obfuscated their payloads through packing. [32]
TrickBot | TrickBot leverages a custom packer to obfuscate its functionality. [7]
Trojan.Karagany | Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer. [9]
Uroburos | Uroburos uses a custom packer. [12]
VERMIN | VERMIN is initially packed. [3]
yty | yty packs a plugin with UPX. [8]
Zebrocy | Zebrocy's Delphi variant was packed with UPX. [18] [19]
ZeroT | Some ZeroT DLL files have been packed with UPX. [11]

Mitigations

Mitigation | Description
Antivirus/Antimalware | Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

Detection

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
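The following is an added example, not part of the ATT&CK page: a small file-scanning heuristic that walks the PE section table and reports two of the artifacts described above, section names left by well-known packers and high-entropy (compressed or encrypted) section bodies. The UPX and MPRESS section names follow the packers named on this page; the ASPack, Themida and VMProtect names are assumed defaults for packers named in the procedure examples and should be extended for your environment. The two sample PE images are constructed in the block so it runs offline; the function returns indicators rather than a verdict, because, as the text says, packing alone is not proof of malice.

```python
"""Heuristic packer check for PE files: known packer section names plus
Shannon entropy of raw section data. Added example, not ATT&CK project code."""
import math
import struct
from collections import Counter

# Section names left by well-known packers. UPX/MPRESS are named on the page;
# the rest are assumed defaults for packers listed in the procedure examples.
PACKER_SECTIONS = {
    "UPX0": "UPX", "UPX1": "UPX", "UPX2": "UPX",
    ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
    ".aspack": "ASPack", ".adata": "ASPack",
    ".themida": "Themida", ".vmp0": "VMProtect", ".vmp1": "VMProtect",
}
ENTROPY_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near 8

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def pe_sections(blob: bytes):
    """Yield (name, raw_bytes) for each section of a PE image held in memory."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]  # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", blob, pe_off + 6)[0]   # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, pe_off + 20)[0]  # SizeOfOptionalHeader
    sect_off = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(nsect):
        hdr = blob[sect_off + 40 * i: sect_off + 40 * (i + 1)]  # IMAGE_SECTION_HEADER
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield name, blob[raw_ptr:raw_ptr + raw_size]

def packing_indicators(blob: bytes) -> list:
    """Return human-readable indicators; an empty list means nothing suspicious was seen."""
    hits = []
    for name, data in pe_sections(blob):
        if name in PACKER_SECTIONS:
            hits.append(f"section {name!r} is a {PACKER_SECTIONS[name]} artifact")
        ent = shannon_entropy(data)
        if len(data) >= 256 and ent > ENTROPY_THRESHOLD:  # skip tiny sections
            hits.append(f"section {name!r} entropy {ent:.2f} (likely compressed/encrypted)")
    return hits

def build_pe(sections) -> bytes:
    """Constructed minimal PE32 image, just enough header for the parser above (test data only)."""
    pe_off, opt_size = 0x40, 0xE0
    out = bytearray(b"MZ" + b"\0" * (pe_off - 2)); struct.pack_into("<I", out, 0x3C, pe_off)
    out += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102) + b"\0" * opt_size
    body, ptr = b"", pe_off + 24 + opt_size + 40 * len(sections)
    for name, data in sections:
        out += name.encode().ljust(8, b"\0") + struct.pack("<IIII", len(data), 0x1000, len(data), ptr) + b"\0" * 16
        body += data; ptr += len(data)
    return bytes(out) + body

SAMPLE_PACKED = build_pe([(".text", b"\x90" * 512), ("UPX0", bytes(range(256)) * 2)])  # constructed
SAMPLE_CLEAN = build_pe([(".text", b"\x90" * 512), (".data", b"ABCD" * 128)])           # constructed
```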

References

  1. Executable compression. (n.d.). Retrieved December 4, 2014.
  2. Reynolds, J. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  3. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  4. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  5. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  6. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  7. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  8. Schwarz, D., Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  9. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  10. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  11. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  12. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  13. FinFisher. (n.d.). Retrieved December 20, 2017.
  14. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  15. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  16. Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
  17. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  18. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  19. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  20. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  21. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  22. O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  23. Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  24. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  25. Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  26. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  27. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  28. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  29. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  30. Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  31. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  32. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  33. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.