Malware is one of the main tools of any hacking group. Depending on the level of qualification and the specifics of operation, hackers can use both publicly available tools (such as the Cobalt Strike framework) and their own developments.

Creating a unique set of tools for each attack requires huge resources; therefore, hackers tend to reuse malware in different operations and also share it with other groups. The mass use of the same tool inevitably leads to its getting on the radar of antivirus companies, which, as a result, reduces its efficiency. To prevent this from happening, hackers use code packing, encryption, and mutation techniques. Such techniques can often be handled by separate tools called crypters or sometimes simply packers. In this article, we will use the example of the RTM banking trojan to discuss which packers attackers can use, how they complicate detection of the malware, and what other malware they can pack.

A hacker group responsible for RTM distribution regularly sent mass phishing emails with malicious attachments until the end of 2020. Apparently, the attacks were automated.

Figure 1. RTM phishing email, December 2020

Each attachment contained files that significantly differed from each other, but the final payload remained almost the same. Such a feature is a natural consequence of using crypters. Initially, the group behind RTM used its own unique crypter. In 2020, however, the group changed it twice. When analyzing samples packed in a new way, we detected numerous other malware protected by a similar method. Taking into account the fact that the packing process is automated, such overlapping with other malware allows us to assume that the attackers use the packer-as-a-service model. In this model, packing of malicious files is delegated to a special service managed by a third party. Access to such services can often be found on sale on hacker forums.

Figure 4. Advertisement of file packing as a service

Later in this article, we will discuss specific examples of crypters used by the RTM group.

The first use of the packer we call Rex3Packer by the RTM group that we detected dates back to November 2019. The group started actively using the packer in April–May 2020. Rare uses of the packer for distributing old versions of the RTM trojan were also observed in late January 2021.

Figure 5.

We couldn't associate this packer with any of the publicly described ones, so we named it according to three specifics of its working: recursion, bit reverse, and reflective loading of PE files (reflection), hence the name Rex3Packer.

The overall algorithm for extracting the payload is as follows:

1. A predetermined amount of memory is allocated with read, write, and execute rights using VirtualAlloc.
2. The content of the current process image in memory is copied to the allocated buffer (in particular, section.
3. Control passes to the function inside the buffer.
4. The difference is calculated between the location of data in the buffer and in the PE file image (the difference between the addresses in the buffer and the virtual addresses in the image). This difference is written to the ebx register. All references to virtual addresses in code are indexed by the content of this register. As a result, wherever necessary, a correction is added to the PE image addresses that allows obtaining the corresponding address in the buffer.

Calls to functions and variables taking into account the correction in the ebx register

5. Another buffer is allocated for packed data.
6. By calling VirtualProtect, RWX rights are assigned to the entire memory region with the PE file image.
7. The packed data is copied to the buffer.
8. The memory region with the PE image is filled with null bytes.
9. The packed data is decoded; the decoded data represents an executable file, the PE payload.
10. This payload is reflectively loaded to where the initial PE image was, and control passes to its entry point.

A specific algorithm for decoding packed data is of special interest to us.
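The extraction sequence above leaves a recognizable trail in a sandbox API trace: an RWX VirtualAlloc, a copy of the running image into that buffer, a VirtualProtect that turns the whole original image RWX, and a zero-fill of the image region before the payload is written back. The script below is an added example (not code from the article, and not part of the packer or of RTM) that flags that sequence from a defender's side. The trace line format, the argument names, the image base and all addresses and sizes are constructed assumptions chosen for illustration; real sandboxes log these calls in their own formats, so only the parser would need to change.

```python
import re
from dataclasses import dataclass

PAGE_EXECUTE_READWRITE = 0x40  # Win32 page-protection constant for RWX pages

# Constructed sample trace in a hypothetical "Api(arg=val, ...) = ret" format.
# Addresses, sizes and the exact call sequence are assumptions for illustration.
SAMPLE_TRACE = """\
VirtualAlloc(lpAddress=0x0, dwSize=0x12000, flAllocationType=0x3000, flProtect=0x40) = 0x2a0000
memcpy(dst=0x2a0000, src=0x401000, size=0xf000) = 0x2a0000
VirtualAlloc(lpAddress=0x0, dwSize=0x8000, flAllocationType=0x3000, flProtect=0x4) = 0x2c0000
VirtualProtect(lpAddress=0x400000, dwSize=0x12000, flNewProtect=0x40, lpflOldProtect=0x19ff10) = 1
memcpy(dst=0x2c0000, src=0x40e000, size=0x7f00) = 0x2c0000
memset(dst=0x400000, value=0x0, size=0x12000) = 0x400000
"""

# Constructed negative control: an ordinary read/write allocation and a copy.
BENIGN_TRACE = """\
VirtualAlloc(lpAddress=0x0, dwSize=0x1000, flAllocationType=0x3000, flProtect=0x4) = 0x2a0000
memcpy(dst=0x2a0000, src=0x401000, size=0x800) = 0x2a0000
"""

LINE_RE = re.compile(
    r"^(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>0x[0-9a-fA-F]+|\d+)\s*$"
)


@dataclass
class Call:
    api: str
    args: dict
    ret: int


def parse_trace(text: str) -> list:
    """Parse trace lines into Call records; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        args = {}
        for kv in m.group("args").split(","):
            kv = kv.strip()
            if not kv:
                continue
            key, val = kv.split("=", 1)
            args[key.strip()] = int(val.strip(), 0)
        calls.append(Call(m.group("api"), args, int(m.group("ret"), 0)))
    return calls


def detect_unpacking_stages(calls: list, image_base: int, image_size: int) -> list:
    """Return the unpacking stages observed, in order, for the given PE image range.

    The stages map to the article's steps: RWX VirtualAlloc (step 1), copy of the
    process image into that buffer (step 2), VirtualProtect to RWX over the image
    (step 6) and zero-filling of the image region (step 8).
    """
    image_end = image_base + image_size

    def in_image(addr: int) -> bool:
        return image_base <= addr < image_end

    rwx_buffers = {}  # buffer base -> size, recorded for RWX allocations only
    stages = []

    def note(stage: str) -> None:
        if stage not in stages:
            stages.append(stage)

    for c in calls:
        a = c.args
        if c.api == "VirtualAlloc" and a.get("flProtect") == PAGE_EXECUTE_READWRITE and c.ret:
            rwx_buffers[c.ret] = a.get("dwSize", 0)
            note("rwx_alloc")
        elif c.api == "memcpy" and a.get("dst") in rwx_buffers and in_image(a.get("src", -1)):
            note("image_copied_to_rwx_buffer")
        elif (c.api == "VirtualProtect"
              and a.get("flNewProtect") == PAGE_EXECUTE_READWRITE
              and in_image(a.get("lpAddress", -1))):
            note("image_made_rwx")
        elif (c.api == "memset" and a.get("value") == 0
              and a.get("dst") == image_base and a.get("size", 0) >= image_size):
            note("image_zeroed")
    return stages


def is_suspicious(stages: list) -> bool:
    """Flag a trace once the image was remapped RWX and wiped after an RWX staging buffer appeared."""
    return {"rwx_alloc", "image_made_rwx", "image_zeroed"} <= set(stages)


if __name__ == "__main__":
    found = detect_unpacking_stages(parse_trace(SAMPLE_TRACE), 0x400000, 0x12000)
    print("stages:", found, "suspicious:", is_suspicious(found))
```

The second memcpy in the sample trace (packed data into a read/write buffer) is deliberately not scored, since copying bytes into ordinary memory is unremarkable on its own; what distinguishes this packer is the combination of an RWX staging buffer, the original image being made writable and executable, and the image being zeroed in place, so the verdict requires all three.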