Beyond Detection: The Rise of Legitimate Software Abuse in Malware Attacks


Posted on: 18 Jun 2024 | Author: Foresiet

Cybersecurity researchers have identified an increasing trend where threat actors are abusing legitimate and commercially available packer software, such as BoxedApp, to evade detection and distribute malware, including remote access trojans and information stealers.

Targeted Industries and Geographical Spread

According to Check Point security researcher Jiri Vinopal, the majority of malicious samples have targeted financial institutions and government sectors. The volume of BoxedApp-packed samples submitted to the VirusTotal malware scanning platform saw a significant spike around May 2023. These submissions primarily originated from Turkey, the U.S., Germany, France, and Russia.

Malware Families and Packer Software Usage

Among the malware families distributed using this method are Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell. Packers, which are self-extracting archives typically used to bundle software, have been repurposed by cybercriminals to add an extra layer of obfuscation to their payloads, making them harder to analyze and detect.

BoxedApp: An Attractive Tool for Attackers

The abuse of BoxedApp products like BoxedApp Packer and BxILMerge has risen because BoxedApp Packer can pack both native and .NET PEs, while BxILMerge targets .NET applications specifically. BoxedApp-packed applications, including legitimate ones, often suffer from a high false positive rate when scanned by anti-malware engines. This enables attackers to lower the detection rate of known threats, complicate analysis, and use advanced capabilities such as Virtual Storage provided by the BoxedApp SDK without developing these features from scratch.

Commodified Packers and Dark Web Distribution

Additionally, malware families such as Agent Tesla, FormBook, LokiBot, Remcos, and XLoader have been distributed using an illicit packer called NSIXloader, which uses the Nullsoft Scriptable Install System (NSIS). This packer allows cybercriminals to create malware samples that appear indistinguishable from legitimate installers at first glance. The compression and scripting capabilities of NSIS further complicate malware analysis, making it an appealing tool for malicious actors.

Emerging Packer Technologies

The QiAnXin XLab team has also revealed details of another packer, Kiteshield, used by threat actors like Winnti and DarkMosquito to target Linux systems. Kiteshield is a packer/protector for x86-64 ELF binaries on Linux, wrapping ELF binaries with multiple encryption layers and injecting them with loader code that decrypts, maps, and executes the packed binary entirely in userspace.

Mitigation and Best Practices

These developments underscore the importance of robust cybersecurity practices. Organizations should implement comprehensive security measures, such as stolen credentials detection, darknet monitoring services, and digital threat scoring, to detect and respond to threats effectively. Leveraging digital footprint analysis and brand protection strategies can further safeguard against these sophisticated cyber threats. Staying proactive with online risk evaluation and dark web surveillance is essential for identifying compromised data and potential vulnerabilities.

Conclusion

The exploitation of legitimate packer software by cybercriminals to spread malware highlights the evolving tactics used to bypass security measures. Organizations must prioritize cybersecurity, implement best practices, and stay vigilant to protect their digital assets from sophisticated threats. Foresiet encourages entities to enhance their digital footprint analysis and brand protection efforts to stay ahead of these emerging dangers.


About Foresiet!

Foresiet is the pioneering force in digital security solutions, offering the first integrated Digital Risk Protection SaaS platform. With 24x7x365 dark web monitoring and proactive threat intelligence, Foresiet safeguards against data breaches and intellectual property theft. Our robust suite includes brand protection, takedown services, and supply chain assessment, enhancing your organization's defense mechanisms. Attack surface management is a key component of our approach, ensuring comprehensive protection across all vulnerable points. Compliance is assured through adherence to ISO27001, NIST, GDPR, PCI, SOX, HIPAA, SAMA, CITC, and Third Party regulations. Additionally, our advanced antiphishing shield provides unparalleled protection against malicious emails. Trust Foresiet to empower your organization to navigate the digital landscape securely and confidently.

Safeguard Your Reputation, Data, and Systems

Protect your brand, reputation, data, and systems with Foresiet's Integrated Digital Risk Platform. 24/7/365 threat monitoring for total peace of mind.
