
Hackers are increasingly exploiting packers to spread malware

Cybersecurity researchers from Check Point have uncovered an increasing trend of hackers exploiting commercial packing tools like BoxedApp to conceal and distribute various malware strains. Over the past year, there has been a significant surge in the abuse of these products, particularly in attacks targeting financial institutions and government organisations. The main products abused are BoxedApp Packer and BxILMerge, which provide advanced features like Virtual Storage, Virtual Registry, Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). While using commercial packers has both pros and cons for malware distribution, the advanced capabilities of these tools outweigh the disadvantages. Despite the high false positive rate, antivirus solutions are typically unaffected.


Published: 10 months ago by Ryan Daws

Ryan Daws is a senior editor at TechForge Media with over a decade of experience in crafting compelling narratives and making complex topics accessible. His articles and interviews with industry leaders have earned him recognition as a key influencer by organisations like Onalytica. Under his leadership, publications have been praised by analyst firms such as Forrester for their excellence and performance. Connect with him on X (@gadget_ry) or Mastodon (@[email protected])

Cybersecurity researchers from Check Point have uncovered an increasing trend of hackers exploiting commercial packing tools like BoxedApp to conceal and distribute various malware strains. Over the past year, a significant surge in the abuse of BoxedApp products has been observed, particularly in attacks targeting financial institutions and government organisations.

BoxedApp offers a range of commercial packers – including BoxedApp Packer and BxILMerge – which provide advanced features like Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). While these tools are designed for legitimate purposes, threat actors have been leveraging them to pack malicious payloads, evade detection, and hinder analysis.

According to the researchers’ investigation, the main abused BoxedApp products are BoxedApp Packer and BxILMerge, both built on top of the BoxedApp SDK. These products grant threat actors access to the SDK’s most advanced features, enabling them to create custom, unique packers that leverage cutting-edge capabilities while remaining diverse enough to avoid static detection.

The benefits of using advanced, unique features offered by BoxedApp SDK outweigh the disadvantages of employing a known commercial packer. Among the most notable features and capabilities are Virtual File System, Virtual Registry, Virtual Processes (PE Injection), WIN/NT API hooking SDK, general packing (destroying original PE Imports, compression, etc.), producing single-file bundles, and ensuring all I/O to Virtual Storage remains in memory without dropping files to disk.
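The "destroying original PE Imports" trait above is one that defenders can check for statically. The following is an added example (not code from the article or from Check Point's report): a dependency-free walk of a PE file's import directory plus a deliberately simple heuristic that flags binaries whose import table has been reduced to a couple of DLLs. The `build_sample_pe` helper constructs a minimal PE32 so the example runs offline; the two-DLL threshold is an assumption, and the heuristic also fires on legitimately packed software, which is exactly the false positive problem the article describes.

```python
import struct

def imported_dlls(pe: bytes) -> list[str]:
    """Walk the PE import directory and return the DLL names it references."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (96 if magic == 0x10B else 112)        # data directories: PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", pe, dir_off + 8)[0]  # directory entry 1 = import table
    sections = [struct.unpack_from("<IIII", pe, opt + opt_size + i * 40 + 8) for i in range(nsect)]

    def rva2off(rva: int) -> int:  # map a virtual address to a file offset via the section table
        for vsize, va, rsize, raw in sections:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError(f"RVA {rva:#x} is not backed by any section")

    dlls = []
    off = rva2off(imp_rva) if imp_rva else None
    while off is not None:
        name_rva = struct.unpack_from("<I", pe, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                      # all-zero descriptor ends the table
            break
        noff = rva2off(name_rva)
        dlls.append(pe[noff:pe.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return dlls

def looks_packed(pe: bytes, max_dlls: int = 2) -> bool:
    """Heuristic (assumed threshold): a packer that destroyed the original imports leaves a near-empty table."""
    return len(imported_dlls(pe)) <= max_dlls

def build_sample_pe(dll_names: list[str]) -> bytes:
    """Constructed minimal PE32 whose only content is an import table naming dll_names."""
    sect_va, sect_raw = 0x1000, 0x200
    descs, names = b"", b""
    for name in dll_names:
        descs += struct.pack("<5I", 0, 0, 0, sect_va + 20 * (len(dll_names) + 1) + len(names), 0)
        names += name.encode() + b"\0"
    data = descs + b"\0" * 20 + names                      # zero descriptor terminates the table
    opt = struct.pack("<H", 0x10B).ljust(92, b"\0") + struct.pack("<I", 16)   # 16 data directories
    opt += struct.pack("<II", 0, 0) + struct.pack("<II", sect_va, len(descs) + 20) + b"\0" * 112
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(data), sect_va, len(data), sect_raw, 0, 0, 0, 0, 0xC0000040)
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0" + coff + opt + sect
    return hdr.ljust(sect_raw, b"\0") + data
```

In triage this check is only a first filter: the article's own numbers (25% of BoxedApp-packed samples behaving maliciously) show why a hit needs sandbox behaviour or a product-specific signature before it becomes a verdict.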

Although BoxedApp products have been available for several years, their abuse for malicious purposes has significantly increased in the past year, with no public acknowledgment of their connection to BoxedApp until now. While using commercial packers has both pros and cons for attackers, the advanced capabilities they provide seem to outweigh the potential drawbacks.

Pros of using BoxedApp products for malware distribution include:

• Production of single-file bundles with all dependencies in Virtual Storage

• All I/O to Virtual Storage stays in memory, preventing file drops on disk

• Difficulty in distinguishing between regular and malicious packed applications (high false positive rate)

Cons include:

• Easy static detection of the original BoxedApp products used for packing

• Generic static detection of certain SDK features commonly abused for malicious purposes (e.g., WIN/NT API hooking, Virtual Process – PE injection)

Despite the high false positive rate, which could result in discrepancies and trigger detections even for non-malicious applications, the built-in Windows Defender and other top-tier antivirus solutions are typically unaffected.

The researchers analysed approximately 1,200 BoxedApp-packed samples submitted to VirusTotal in the last three years and successfully processed by VT sandboxes. Alarmingly, 25% of these samples were detected as malicious based on their behaviour. The VirusTotal submission timeline of these malicious samples shows an increasing trend of BoxedApp abuse for malware deployment.

Among the most commonly deployed malware families were RATs (Remote Access Trojans) such as QuasarRAT, NanoCore, NjRAT, Neshta, AsyncRAT, and LodaRAT, as well as stealers like RevengeRAT, AgentTesla, RedLine, and Remcos. Additionally, instances of ransomware like LockBit were also detected.

The researchers conducted an in-depth analysis of the BoxedApp internals, focusing on the resulting binary structures packed by different products. This analysis provided insights into unpacking the Virtual Storage and reconstructing the main malicious binaries. YARA signatures were also provided to aid in statically detecting the packer in use while distinguishing the specific product employed.

