Threat actors are increasingly abusing legitimate and commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers.
“The majority of the attributed malicious samples targeted financial institutions and government industries,” Check Point security researcher Jiri Vinopal said in an analysis.
The volume of samples packed with BoxedApp and submitted to the Google-owned VirusTotal malware scanning platform witnessed a spike around May 2023, the Israeli cybersecurity firm added, with the artifact submissions mainly originating from Turkey, the U.S., Germany, France, and Russia.
Among the malware families distributed in this manner are Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell.
Packers are self-extracting archives that are often used to bundle software and make them smaller. But over the years, such tools have been repurposed by threat actors to add another layer of obfuscation to their payloads in an attempt to resist analysis.
The spike in abuse of BoxedApp products like BoxedApp Packer and BxILMerge has been attributed to a range of benefits that make it an attractive option for attackers looking to deploy malware without being detected by endpoint security software.
BoxedApp Packer can be used to pack both native and .NET PEs, whereas BxILMerge – similar to ILMerge – is exclusively meant for packing .NET applications.
That said, BoxedApp-packed applications, including non-malicious ones, are known to suffer from a high false positive (FP) rate of detection when scanned by anti-malware engines.
“Packing the malicious payloads enabled the attackers to lower the detection of known threats, harden their analysis, and use the advanced capabilities of BoxedApp SDK (e.g., Virtual Storage) without needing to develop them from scratch,” Vinopal said.
“The BoxedApp SDK itself opens a space to create a custom, unique packer that leverages the most advanced features and is diverse enough to avoid static detection.”
Malware families like Agent Tesla, FormBook, LokiBot, Remcos, XLoader have also been propagated using an illicit packer codenamed NSIXloader that utilizes the Nullsoft Scriptable Install System (NSIS). The fact that it’s used to deliver a varied set of payloads implies it’s commodified and monetized on the dark web.
“The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers,” security researcher Alexey Bukhteyev said.
“As NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. The scripting capabilities of NSIS allow for the transfer of some malicious functionality inside the script, making the analysis more complex.”
The development comes as the QiAnXin XLab team revealed details of another packer codenamed Kiteshield that has been put to use by multiple threat actors, including Winnti and DarkMosquito, to target Linux systems.
“Kiteshield is a packer/protector for x86-64 ELF binaries on Linux,” XLab researchers said. “Kiteshield wraps ELF binaries with multiple layers of encryption and injects them with loader code that decrypts, maps, and executes the packed binary entirely in userspace.”