Threat actors are increasingly abusing legitimate, commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers.
“The majority of the attributed malicious samples targeted financial institutions and government industries,” Check Point security researcher Jiri Vinopal said in an analysis.
The volume of samples packed with BoxedApp and submitted to the Google-owned VirusTotal malware scanning platform saw a spike around May 2023, the Israeli cybersecurity firm added, with the artifact submissions mainly originating from Turkey, the U.S., Germany, France, and Russia.
Among the malware families distributed in this manner are Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell.
Packers are self-extracting archives that are commonly used to bundle software and make it smaller. Over time, however, such tools have been repurposed by threat actors to add another layer of obfuscation to their payloads in an attempt to resist analysis.
The spike in abuse of BoxedApp products like BoxedApp Packer and BxILMerge has been attributed to a number of benefits that make it an attractive option for attackers looking to deploy malware without being detected by endpoint security software.
BoxedApp Packer can be used to pack both native and .NET PEs, while BxILMerge, similar to ILMerge, is exclusively meant for packing .NET applications.
That said, BoxedApp-packed applications, including non-malicious ones, are known to suffer from a high false positive (FP) detection rate when scanned by anti-malware engines.
“Packing the malicious payloads enabled the attackers to lower the detection of known threats, harden their analysis, and use the advanced capabilities of BoxedApp SDK (e.g., Virtual Storage) without needing to develop them from scratch,” Vinopal stated.
“The BoxedApp SDK itself opens a space to create a custom, unique packer that leverages the most advanced features and is diverse enough to avoid static detection.”
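The high false-positive rate mentioned above follows from how most engines triage packed files: a large section whose bytes are near-uniformly distributed looks compressed or encrypted whether the packer was used by a vendor or by an attacker. The script below is an added example, not Check Point's or BoxedApp's code, showing that packer-agnostic check on a PE image: it walks the section table, computes Shannon entropy per section, and flags sections above a threshold. The 7.0 bits/byte threshold and the 256-byte minimum are assumptions (common rules of thumb, not BoxedApp signatures), and the PE image it analyses is a constructed in-memory fixture, not a real binary.

```python
import math
import struct
from typing import Any, Dict, List, Tuple

# Added example (not Check Point's or BoxedApp's code): a generic, packer-agnostic
# triage that flags PE sections whose contents look compressed or encrypted.
# Assumption: 7.0 bits/byte is a common rule of thumb, not a BoxedApp-specific
# signature, so it also fires on benign packed software (hence the FP rate).
HIGH_ENTROPY_THRESHOLD = 7.0
MIN_SECTION_BYTES = 256  # tiny sections give noisy entropy values; ignore them


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe_sections(blob: bytes) -> List[Tuple[str, int, int]]:
    """Return (name, raw_offset, raw_size) for each section of a PE image.

    Only the fields the triage needs are read; the optional header is skipped via
    SizeOfOptionalHeader, so PE32 and PE32+ images are handled the same way.
    """
    if blob[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew, = struct.unpack_from("<I", blob, 0x3C)
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    num_sections, = struct.unpack_from("<H", blob, coff + 2)
    opt_size, = struct.unpack_from("<H", blob, coff + 16)
    table = coff + 20 + opt_size              # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + i * 40
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        sections.append((name, raw_ptr, raw_size))
    return sections


def triage_pe(blob: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> Dict[str, Any]:
    """Per-section entropy plus the list of sections that look packed or encrypted."""
    report: Dict[str, Any] = {"sections": {}, "suspicious": []}
    for name, raw_ptr, raw_size in parse_pe_sections(blob):
        ent = round(shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]), 3)
        report["sections"][name] = ent
        if raw_size >= MIN_SECTION_BYTES and ent >= threshold:
            report["suspicious"].append(name)
    report["likely_packed"] = bool(report["suspicious"])
    return report


def build_sample_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed fixture: a minimal, non-executable PE32 image built in memory.

    `sections` is a list of (name, raw_bytes). Only the header fields the parser
    reads are meaningful; everything else is zero-filled.
    """
    opt_size = 0xE0                            # PE32 optional header size
    e_lfanew = 0x40
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)
    table, body = b"", b""
    for i, (name, data) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name, len(data), 0x1000 * (i + 1),
                             len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + opt + table + body


def demo() -> Dict[str, Any]:
    """Run the triage over a constructed image with one plain and one 'packed' section."""
    plain_code = bytes((i * 7) % 16 for i in range(1024))   # 16 symbols -> 4.0 bits/byte
    packed_blob = bytes(range(256)) * 4                      # uniform bytes -> 8.0 bits/byte
    image = build_sample_pe([(b".text", plain_code), (b".payld", packed_blob)])
    return triage_pe(image)


if __name__ == "__main__":
    print(demo())
```

Running the script reports the constructed `.payld` section at 8.0 bits/byte and marks the image as likely packed, while `.text` stays at 4.0. The point for defenders is that this signal alone cannot tell a BoxedApp-packed commercial application from a packed stealer; it should gate deeper inspection (unpacking, sandboxing, signer checks) rather than serve as a verdict on its own.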
Malware families like Agent Tesla, FormBook, LokiBot, Remcos, and XLoader have also been propagated using an illicit packer codenamed NSIXloader that makes use of the Nullsoft Scriptable Install System (NSIS). The fact that it is used to deliver a diverse set of payloads implies it is commodified and monetized on the dark web.
“The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers,” security researcher Alexey Bukhteyev said.
“As NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. The scripting capabilities of NSIS allow for the transfer of some malicious functionality inside the script, making the analysis more complex.”
The development comes as the QiAnXin XLab team disclosed details of another packer codenamed Kiteshield that has been put to use by several threat actors, including Winnti and DarkMosquito, to target Linux systems.
“Kiteshield is a packer/protector for x86-64 ELF binaries on Linux,” XLab researchers stated. “Kiteshield wraps ELF binaries with multiple layers of encryption and injects them with loader code that decrypts, maps, and executes the packed binary entirely in userspace.”