Hackers are employing packers as a tool to obfuscate and conceal malware, presenting a significant challenge for cybersecurity defenses. This tactic is particularly concerning as most antivirus programs are designed to recognize these packers, making the malicious code difficult to detect. By encrypting the original malware payload and utilizing techniques like code injection and process hollowing, hackers effectively evade signature-based detection and hinder reverse engineering efforts.
CheckPoint analysts have observed a notable increase in the malicious use of packers, with threat actors targeting critical sectors such as finance and government. Commercial packers like BoxedApp Packer and BxILMerge offer advanced functionalities, including virtual file systems and registries, complicating malware analysis and detection. These features enable attackers to hide their malicious payloads, bypass detection mechanisms, and make the analysis process more challenging for cybersecurity researchers.
BoxedApp’s virtual storage system, utilized by BxILMerge, allows for the merging of .NET assemblies and unmanaged dependencies into a single .NET assembly. This custom resolver manages input and output operations of virtual files without writing anything to the hard disk, further complicating detection efforts. Despite the potential for statically unpacking files from the virtual storage, existing tools may not always perform reliably, necessitating dynamic dumping of packed PE from memory and reassembling the import address table resolved at runtime.
The prevalence of malicious packers, particularly BoxedApp Packer and BxILMerge, underscores the evolving tactics of threat actors seeking to distribute remote access Trojans (RATs) and stealers. As cybersecurity threats continue to evolve, organizations must remain vigilant and implement robust security measures to protect against these sophisticated attacks. Collaboration between cybersecurity firms, government agencies, and end-users is crucial in mitigating the risks posed by the exploitation of packers for malware distribution.
