Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most packers decompress or decrypt the executable code in memory at run time, so the original code never appears unpacked on disk.
Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.
| Name | Description |
| --- | --- |
| APT29 | APT29 used UPX to pack files. |
| APT3 | APT3 has been known to pack their tools. |
| APT32 | APT32 uses UPX to pack their macOS backdoor. |
| APT38 | APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants. |
| APT39 | APT39 has repacked a modified version of Mimikatz to thwart anti-virus detection. |
| Astaroth | Astaroth uses a software packer called Pe123\RPolyCryptor. |
| China Chopper | China Chopper's client component is packed with UPX. |
| Dark Caracal | Dark Caracal has used UPX to pack Bandook. |
| DarkComet | DarkComet has the option to compress its payload using UPX or MPRESS. |
| Daserf | A version of Daserf uses the MPRESS packer. |
| Elderwood | Elderwood has packed malware payloads before delivery to victims. |
| Emotet | Emotet has used custom packers to protect its payloads. |
| FinFisher | A FinFisher variant uses a custom packer. |
| GreyEnergy | GreyEnergy is packed for obfuscation. |
| Group5 | Group5 packed an executable by base64 encoding the PE file and breaking it up into numerous lines. |
| H1N1 | H1N1 uses a custom packing algorithm. |
| jRAT | jRAT payloads have been packed. |
| Night Dragon | Night Dragon is known to use software packing in its tools. |
| OopsIE | OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2. |
| Patchwork | A Patchwork payload was packed with UPX. |
| SeaDuke | SeaDuke has been packed with the UPX packer. |
| Soft Cell | Soft Cell packed some payloads using different types of packers, both known and custom. |
| The White Company | The White Company has obfuscated their payloads through packing. |
| TrickBot | TrickBot leverages a custom packer to obfuscate its functionality. |
| Trojan.Karagany | Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer. |
| Uroburos | Uroburos uses a custom packer. |
| VERMIN | VERMIN is initially packed. |
| yty | yty packs a plugin with UPX. |
| Zebrocy | Zebrocy's Delphi variant was packed with UPX. |
| ZeroT | Some ZeroT DLL files have been packed with UPX. |
| Mitigation | Description |
| --- | --- |
| Antivirus/Antimalware | Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. |

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
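The two artifacts the description and the detection note point at, packer-specific section names and code that is compressed or encrypted on disk (and therefore high-entropy), can both be read straight from the PE section table. The scanner below is an added example, not part of the original page or of any tool it names; it parses just enough of the PE header to walk the sections without external libraries, and `build_sample()` constructs a fake UPX-style stub so the example runs offline. The section-name list and the 7.0 bits/byte threshold are assumptions chosen for illustration.

```python
import math
import struct
from collections import Counter

# Section names that common packers leave behind (assumed list: UPX, MPRESS, Themida, VMProtect, ASPack).
PACKER_SECTIONS = {b"UPX0": "UPX", b"UPX1": "UPX", b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
                   b".themida": "Themida", b".vmp0": "VMProtect", b".vmp1": "VMProtect", b".aspack": "ASPack"}
ENTROPY_THRESHOLD = 7.0  # bits per byte (assumed); compressed or encrypted sections sit close to 8.0

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 for uniformly distributed bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_sections(pe: bytes):
    """Yield (name, raw_bytes) per section; a minimal PE walker so the example needs no pefile."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Flags
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    for i in range(nsec):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), pe[raw_ptr:raw_ptr + raw_size]

def scan(pe: bytes) -> dict:
    """Report known packer section names and sections whose entropy suggests compressed/encrypted code."""
    found = {"packers": set(), "high_entropy": []}
    for name, data in parse_sections(pe):
        if name in PACKER_SECTIONS:
            found["packers"].add(PACKER_SECTIONS[name])
        entropy = shannon_entropy(data)
        if data and entropy >= ENTROPY_THRESHOLD:
            found["high_entropy"].append((name.decode(), round(entropy, 2)))
    return found

def build_sample() -> bytes:
    """Constructed UPX-style stub (not a real binary): empty UPX0, uniform-byte UPX1, zero-filled .rsrc."""
    upx1, rsrc = bytes(range(256)) * 8, b"\0" * 512  # UPX1 holds every byte value equally often
    body = 0x40 + 4 + 20 + 3 * 40  # DOS header + PE signature + COFF header + 3 section headers
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew points at offset 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0, 0x102)  # i386, 3 sections, no optional header
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", size, 0, size, ptr, 0, 0, 0, 0, 0)
    secs = sec(b"UPX0", 0, 0) + sec(b"UPX1", len(upx1), body) + sec(b".rsrc", len(rsrc), body + len(upx1))
    return dos + b"PE\0\0" + coff + secs + upx1 + rsrc
```

`scan(build_sample())` returns `{'packers': {'UPX'}, 'high_entropy': [('UPX1', 8.0)]}`; pointing `scan` at the bytes of a real PE gives the same kind of report, and per the detection note a hit is a triage lead rather than a verdict, since legitimate software is packed too.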