Research: what methods of bypassing antiviruses are used by hackers

Creating unique malware requires a lot of resources, so many hacker groups use widely distributed, often publicly available malware in their attacks. Widespread use inevitably puts such a tool on the radar of antivirus companies, and its effectiveness decreases.





To solve this problem, hackers use packing, encryption and code mutation techniques. Such techniques are often implemented by separate tools: "crypters" or simply "packers". In this article, using the RTM banking Trojan as an example, we will look at which "packers" cybercriminals use and how these "packers" complicate malware detection.





The full version of this study is available here.






Packer-as-a-service

The hacker group behind the distribution of RTM regularly sent mass phishing emails with malicious attachments until the end of 2020. This process apparently ran automatically.





Each of these attachments contained significantly different files, while the final payload remained virtually unchanged.





Sample RTM archive

β€” «». , RTM, «», 2020 .





- , . , , packer-as-a-service. , . .





Rex3Packer

RTM, , 2019 . , , β€” 2020 .





RTM phishing email, January 2021

- , : (recursion), (reverse) PE- (reflection) β€” Rex3Packer.





:





  1. VirtualAlloc , .





  2. ( , .text).





  3. .





  4. PE- ( ). ebx. . , , PE- , .





  5. .





  6. VirtualProtect RWX PE-.





  7. .





  8. .





  9. PE .





  10. β€” PE-. PE-, .





. : , .





16 , 4 4 :





  • ,





  • (PE-),





  • (*), ,





  • (1, 2, 4).





:





  1. ( , 10011000 00011001).





  2. (1, 2, 4), N = 9, 5, 3 . β€” (N – 1) ( 8, 4, 2).





  3. N-1 : . , 00000001, 00010001 01010101 . . OR , .





, 4 . .





Scheme for obtaining the original bytes in mode 4

4.  PE-, (*) . , , . (*) .





, :





  • WinAPI. , , , .





Examples of calling WinAPI functions
  • β€” ( ), .





Function with recursive call (variant without obfuscation)
  • . , .





RTM, Rex3Packer , .









Family                 SHA256
Phobos Ransomware      6e9c9b72d1bdb993184c7aa05d961e706a57b3becf151ca4f883a80a07fdd955
Zeppelin Ransomware    8d44fdbedd0ec9ae59fad78bdb12d15d6903470eb1046b45c227193b233adda6
Raccoon Stealer        3be91458baa365febafb6b33283b9e1d7e53291de9fec9d3050cd32d98b7a039
KPOT Stealer           9b6af2502547bbf9a64ccfb8889ee25566322da38e9e0ccb86b0e6131a67df1e
Predator The Thief     d1060835793f01d1e137ad92e4e38ef2596f20b26da3d12abcc8372158764a8f
QakBot                 18cc92453936d1267e790c489c419802403bb9544275b4a18f3472d2fe6f5dea





Nemty, Pony, Amadey.  





HellowinPacker

2020 RTM β€” HellowinPacker, 2021 . . , .





Comparison of code in two copies of different structure

. . .





Comparison of code in two copies of the same structure

, Rex3Packer, HellowinPacker . , , . , , β€” .





, β€” HKEY_CLASSES_ROOT\Interface\{b196b287-bab4-101a-b69c-00aa00341d07} ( ) (Default). .





GUID .





, .





, (, ). VirtualAlloc RWX. X . Y .





HellowinPacker data copying scheme

4 :





  • (DWORD),





  • ,





  • xor , Z.





Rex3Packer, HellowinPacker WinAPI, . . , .





Entry point in one of the packaged libraries

WinAPI imphash.





: ( ). WinAPI, (, 0 ).





HellowinPacker 2014 . . :









Family                 SHA256
Cerber Ransomware      1e8b814a4bd850fc21690a66159a742bfcec212ccab3c3153a2c54c88c83ed9d
ZLoader                44ede6e1b9be1c013f13d82645f7a9cff7d92b267778f19b46aa5c1f7fa3c10b
Dridex                 f5dfbb67b582a58e86db314cc99924502d52ccc306a646da25f5f2529b7bff16
Bunitu                 54ff90a4b9d4f6bb2808476983c1a902d7d20fc0348a61c79ee2a9e123054cce
QakBot                 c2482679c665dbec35164aba7554000817139035dc12efc9e936790ca49e7854





, . , («») . . : .





, , . : . . , , (, PT Sandbox) . , . , β€” , PT Network Attack Discovery.





:




