
Threat actors are increasingly abusing legitimate and commercially available packer software such as BoxedApp to evade detection and distribute malware such as remote access trojans and information stealers.
“The majority of the attributed malicious samples targeted financial institutions and government industries,” Check Point security researcher Jiri Vinopal said in an analysis.
The volume of BoxedApp-packed samples submitted to the Google-owned VirusTotal malware scanning platform spiked around May 2023, the Israeli cybersecurity firm added, with submissions originating mainly from Turkey, the U.S., Germany, France, and Russia.
Malware families distributed this way include Agent Tesla, AsyncRAT, LockBit, LodaRAT, NanoCore, Neshta, NjRAT, Quasar RAT, Ramnit, RedLine, Remcos, RevengeRAT, XWorm, and ZXShell.
Packers are self-extracting archives that are often used to bundle software and make it smaller. Over the years, however, threat actors have repurposed such tools to add another layer of obfuscation to their payloads in an attempt to resist analysis.
The rise in abuse of BoxedApp products such as BoxedApp Packer and BxILMerge is attributed to a range of advantages that make them an attractive option for attackers looking to deploy malware without being detected by endpoint security software.
BoxedApp Packer can be used to pack both native and .NET PEs, whereas BxILMerge, like ILMerge, is meant exclusively for packing .NET applications.
That said, applications packed with BoxedApp, including non-malicious ones, are known to suffer from high false positive (FP) detection rates when scanned by anti-malware engines.
“Packing the malicious payloads allowed the attackers to lower the detection of known payloads, harden their analysis, and take advantage of the BoxedApp SDK’s advanced capabilities (e.g., virtual storage) without the need to develop them from scratch,” Vinopal said.
“The BoxedApp SDK itself opens up a space to create a custom, unique packer that leverages the most advanced features and is diverse enough to evade static detection.”
Malware families such as AgentTesla, FormBook, LokiBot, Remcos, and XLoader have also been propagated using an illicit packer codenamed NSIXloader that leverages the Nullsoft Scriptable Install System (NSIS). The fact that it is used to deliver a diverse set of payloads means that it has been commodified and monetized on the dark web.
“The advantage for cybercriminals in using NSIS is that it allows them to create samples that, at first glance, are indistinguishable from legitimate installers,” security researcher Alexey Bukhteyev said.
“Since NSIS performs compression on its own, malware developers do not need to implement compression and decompression algorithms. The scripting capabilities of NSIS allow some malicious functionality to be moved inside the script, making analysis more complex.”
The development comes as the QiAnXin XLab team revealed details of another packer codenamed Kiteshield that has been used by multiple threat actors, including Winnti and DarkMosquito, to target Linux systems.
“Kiteshield is a packer/protector for x86-64 ELF binaries on Linux,” XLab researchers said. “Kiteshield wraps ELF binaries with multiple layers of encryption and injects them with loader code that decrypts, maps, and executes the packed binary entirely in userspace.”
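Two points on this page are what a triage pipeline can key on without a family signature: a packer hides the real payload behind an obfuscated or encrypted blob (the packer paragraph above), and a userspace loader of the kind XLab describes for Kiteshield runs a binary that stays encrypted on disk. The script below is an added example written for this page; it is not Check Point, XLab or BoxedApp code and carries no indicator for any family named here. It parses PE section headers and ELF64 program headers by hand, computes Shannon entropy per section or PT_LOAD segment, and flags a stripped ELF section header table (e_shnum == 0), which is a generic hallmark of many ELF packers rather than a Kiteshield-specific one. The 7.0 bits/byte threshold, the section name `.pack`, and the sample binaries are constructed for the demonstration.

```python
# Packer triage heuristics: per-section entropy for PE, stripped section
# headers plus PT_LOAD entropy for ELF.  All sample binaries are constructed.
import math
import random
import struct
from collections import Counter

PACKED_ENTROPY = 7.0  # assumed threshold in bits/byte; tune on your own corpus

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, ~8.0 for random/encrypted."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

SECTION_HDR = "<8sIIIIIIHHI"  # 40-byte IMAGE_SECTION_HEADER, walked by hand (no pefile)

def pe_section_entropies(data: bytes) -> dict:
    """Return {section name: entropy of its raw bytes} for a PE image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section table follows the optional header
    result = {}
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_HDR, data, table + 40 * i)
        key = name.rstrip(b"\0").decode("ascii", "replace")
        result[key] = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
    return result

ELF_HDR = "<16sHHIQQQIHHHHHH"  # 64-byte Elf64_Ehdr (little-endian ELF64 only)
PROG_HDR = "<IIQQQQQQ"        # 56-byte Elf64_Phdr
PT_LOAD = 1

def elf_header(data: bytes) -> tuple:
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    return struct.unpack_from(ELF_HDR, data, 0)

def elf_load_segment_entropies(data: bytes) -> list:
    hdr = elf_header(data)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    out = []
    for i in range(phnum):
        p_type, _flags, off, _va, _pa, filesz, *_ = struct.unpack_from(
            PROG_HDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            out.append(shannon_entropy(data[off:off + filesz]))
    return out

def triage(data: bytes) -> dict:
    """Flag a file as probably packed; 'reasons' lists what tripped."""
    reasons = []
    if data[:2] == b"MZ":
        fmt = "PE"
        reasons += [f"high-entropy section {n}" for n, e in
                    pe_section_entropies(data).items() if e >= PACKED_ENTROPY]
    elif data[:4] == b"\x7fELF":
        fmt = "ELF"
        if elf_header(data)[12] == 0:  # e_shnum == 0: section table stripped
            reasons.append("section header table stripped")
        if any(e >= PACKED_ENTROPY for e in elf_load_segment_entropies(data)):
            reasons.append("high-entropy PT_LOAD segment")
    else:
        raise ValueError("unknown format")
    return {"format": fmt, "packed": bool(reasons), "reasons": reasons}

# ---- constructed samples (not real malware): minimal but well-formed ----
def build_sample_pe(sections: list) -> bytes:
    e_lfanew, num = 0x40, len(sections)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, num, 0, 0, 0, 0, 0x22)
    ptr, hdrs, raw = e_lfanew + 24 + 40 * num, b"", b""
    for i, (name, payload) in enumerate(sections):
        hdrs += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                            len(payload), 0x1000 * (i + 1), len(payload),
                            ptr, 0, 0, 0, 0, 0x60000020)
        raw, ptr = raw + payload, ptr + len(payload)
    return dos + coff + hdrs + raw

def build_sample_elf(body: bytes, shnum: int) -> bytes:
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr = struct.pack(ELF_HDR, ident, 2, 0x3E, 1, 0x400078, 64, 0, 0,
                       64, 56, 1, 64, shnum, 0)
    phdr = struct.pack(PROG_HDR, PT_LOAD, 5, 120, 0x400000, 0x400000,
                       len(body), len(body), 0x1000)
    return ehdr + phdr + body

CODE_LIKE = bytes([0x55, 0x48, 0x89, 0xE5, 0x90, 0xC3]) * 700  # ~2.58 bits/byte
_rng = random.Random(1337)  # deterministic stand-in for an encrypted payload
ENCRYPTED_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))  # ~7.95 bits/byte
CLEAN_PE = build_sample_pe([(".text", CODE_LIKE), (".data", b"\0" * 512)])
PACKED_PE = build_sample_pe([(".text", b"\x90" * 64), (".pack", ENCRYPTED_LIKE)])
CLEAN_ELF = build_sample_elf(CODE_LIKE, shnum=12)
PACKED_ELF = build_sample_elf(ENCRYPTED_LIKE, shnum=0)

if __name__ == "__main__":
    print({k: triage(v) for k, v in {"PE": PACKED_PE, "ELF": PACKED_ELF}.items()})
```

Run it as a script to see the verdicts for the two packed samples, or call `triage()` on real files read in binary mode. Entropy alone is a weak signal (compressed resources, certificates and .NET metadata also score high), which is exactly why packed benign BoxedApp applications produce the false positives the article mentions; treat a hit as a reason to unpack or sandbox, not as a conviction.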