Engage Report: HeartCrypt Packer-as-a-Service

Subject: Engage Report: HeartCrypt Packer-as-a-Service

Tactics: TA0005 Defense Evasion

Technique: T1027.002 Obfuscated Files or Information: Software Packing

Procedure:

The HeartCrypt packer utilizes several obfuscation techniques, including:

  • Packing malware into legitimate binaries
  • Employing position-independent code (PIC)
  • Implementing control flow obfuscation through stack strings, dynamic API resolution, jump instructions, and junk bytes
  • Utilizing multiple layers of encoding and byte substitution
  • Hiding shellcode in resources disguised as bitmap images

Vulnerability: EAV0006 When adversaries collect targeting information from open or closed data sources, they are vulnerable to being influenced by manipulated or misleading data.

Engagement Opportunity:

Develop and deploy detection rules that specifically target the unique characteristics of HeartCrypt, such as the repeating hexadecimal patterns used for padding in resources or the byte sequences used to mark the start of PIC code.
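The resource-level checks this opportunity calls for, as an added example that is not HeartCrypt's code and not a published detection rule: a Python triage routine for a PE resource that claims to be a bitmap. The report does not reproduce the actual padding pattern or the PIC marker bytes, so instead of matching literal signatures the script checks structural properties that a disguised payload tends to violate: whether the BMP header accounts for the bytes that follow it, whether any window of the body has the entropy of encrypted data, and whether a long run of repeating bytes (the padding) is present. The thresholds, the two sample bitmaps and the hash-chain stand-in for an encrypted payload are constructed assumptions, not real HeartCrypt artifacts.

```python
"""Heuristic triage of a PE resource that claims to be a bitmap.

Added example, not HeartCrypt's code nor any vendor's detection logic.
The thresholds and the sample data below are assumptions for illustration.
"""
import hashlib
import math
import struct
from collections import Counter

BMP_FILE_HEADER = "<2sIHHI"   # magic, file size, reserved, reserved, pixel offset
BMP_INFO_HEADER = "<IiiHH"    # header size, width, height, planes, bits per pixel

ENTROPY_THRESHOLD = 7.5       # assumed: raw 24-bit pixel rows rarely exceed this
PADDING_RUN_THRESHOLD = 256   # assumed: bytes of period-1..4 repetition to flag
WINDOW = 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the whole buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy of any fixed-size window, so a low-entropy padding
    tail cannot mask an encrypted region earlier in the body."""
    if not data:
        return 0.0
    return max(shannon_entropy(data[i:i + window]) for i in range(0, len(data), window))


def longest_repeat_run(data: bytes, max_period: int = 4) -> tuple:
    """Return (length, period, offset) of the longest stretch in which every
    byte equals the byte `period` positions before it (repeating padding)."""
    best = (0, 0, 0)
    n = len(data)
    for period in range(1, max_period + 1):
        start = 0
        for i in range(period, n):
            if data[i] == data[i - period]:
                length = i - start + 1
                if length > best[0]:
                    best = (length, period, start)
            else:
                start = i - period + 1
    return best


def analyze_bitmap_resource(data: bytes) -> dict:
    """Flag a bitmap-shaped resource whose body does not behave like pixels."""
    flags = []
    if len(data) < 54 or data[:2] != b"BM":
        return {"suspicious": True, "flags": ["not_a_bmp"]}
    _, file_size, _, _, pixel_offset = struct.unpack_from(BMP_FILE_HEADER, data, 0)
    _, width, height, _, bpp = struct.unpack_from(BMP_INFO_HEADER, data, 14)
    body = data[pixel_offset:] if pixel_offset <= len(data) else b""
    stride = ((abs(width) * bpp + 31) // 32) * 4      # BMP rows are 4-byte aligned
    expected = stride * abs(height)
    if file_size != len(data):
        flags.append("declared_size_mismatch")
    if len(body) != expected:
        flags.append("pixel_size_mismatch")
    entropy = max_window_entropy(body)
    if entropy > ENTROPY_THRESHOLD:
        flags.append("high_entropy")
    run_len, period, offset = longest_repeat_run(body)
    if run_len >= PADDING_RUN_THRESHOLD:
        flags.append("padding_run")
    return {"suspicious": bool(flags), "flags": flags, "entropy": round(entropy, 2),
            "expected_pixel_bytes": expected, "actual_pixel_bytes": len(body),
            "padding_run": (run_len, period, offset)}


def build_bmp(width: int, height: int, body: bytes, bpp: int = 24) -> bytes:
    """Constructed sample: a minimal BITMAPINFOHEADER bitmap wrapped around `body`."""
    pixel_offset = 14 + 40
    file_hdr = struct.pack(BMP_FILE_HEADER, b"BM", pixel_offset + len(body), 0, 0, pixel_offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + body


def _deterministic_noise(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Stand-in for an encrypted payload: a SHA-256 hash chain, so the sample is reproducible."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


# Constructed samples (not real HeartCrypt artifacts): a real 2x2 image, and a
# 64x64 header sitting on 4 KiB of noise followed by 1 KiB of repeating padding.
BENIGN_BMP = build_bmp(2, 2, b"\xff\x00\x00\x00\xff\x00\x00\x00" * 2)
DISGUISED_BMP = build_bmp(64, 64, _deterministic_noise(4096) + b"\x00" * 1024)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_BMP), ("disguised", DISGUISED_BMP)):
        print(name, analyze_bitmap_resource(blob))
```

To run this over a real sample, extract each RT_BITMAP entry with a PE parser (pefile exposes the resource tree as `DIRECTORY_ENTRY_RESOURCE`) and hand the raw bytes to `analyze_bitmap_resource`. Two caveats: a packer can declare dimensions that exactly cover its payload, in which case only the entropy and padding heuristics fire, and legitimate images with large flat areas will produce long repeating runs, so the run threshold needs tuning against the organisation's own binaries before it becomes an alerting rule. Once the real padding pattern and PIC marker bytes are known from analysis, they belong in the same routine as literal byte-sequence matches.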

Threat Actor: Cybercriminals using various malware families, including LummaStealer, Remcos, and Rhadamanthys

Threat Objective:

The objective varies depending on the specific malware payload, but generally includes information theft, credential stealing, and remote access.

Deception Opportunity:

Create a honeypot environment running intentionally vulnerable software and seed it with decoy artifacts of the kind the stealer and RAT payloads delivered through HeartCrypt go after, such as browser profile data and saved credentials. Monitor the honeypot for attempts to drop or execute packed binaries and collect the attacker's TTPs from any resulting activity.

Sensor Data Placement: Application

Observable Level: Core to Some Implementations of (Sub-)Technique

Scoring Rationale:

The scoring reflects that the packer is a custom, adversary-brought tool, while the individual obfuscation methods it stacks are common ones.

  • Sensor Data Placement:
    • Application: Not applicable
    • User-Mode: File analysis, registry monitoring
    • Kernel-Mode: Not applicable
  • Observable Level:
    • Ephemeral Values: Not applicable
    • Core to Adversary-Brought Tool:
      • The specific XOR keys used to encrypt the payload
      • The HeartCrypt packer itself
    • Core to Pre-Existing Tool: Not applicable
    • Core to Some Implementations of (Sub-)Technique:
      • The use of bitmap images to disguise shellcode
      • The use of process hollowing for injection
    • Core to Sub-Technique or Technique: The presence of packed malware

Link to Report:

Link to Report II.:

Additional Comments:

The HeartCrypt PaaS demonstrates the increasing accessibility of sophisticated malware development tools. Organizations should prioritize the development of robust detection and analysis capabilities to counter these evolving threats.

Possible elements:

MSG (Pseudocode):

# Malicious Sub-Graph Standard

# Node Format:
# [Node ID]: [Tactic] - [Technique] - [Procedure] ([Observable Level])

# Edge Format:
# [Source Node ID] --> [Destination Node ID] ([Exploited Vulnerability])

# HeartCrypt Attack Graph

[1]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Software Packing (T1027.002) - Pack malware into a legitimate binary using HeartCrypt (Core to Adversary-Brought Tool)
[2]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Software Packing (T1027.002) - Employ position-independent code (PIC) and control flow obfuscation (Core to Some Implementations of (Sub-)Technique)
[3]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Software Packing (T1027.002) - Utilize multiple layers of encoding and byte substitution (Core to Some Implementations of (Sub-)Technique)
[4]: Defense Evasion (TA0005) - Obfuscated Files or Information (T1027) - Software Packing (T1027.002) - Hide shellcode in resources disguised as bitmap images (Core to Some Implementations of (Sub-)Technique)

1 --> 2 (Lack of Tool-Based Anomaly Detection (EAV0006))
2 --> 3 (Lack of Tool-Based Anomaly Detection (EAV0006))
3 --> 4 (Lack of Tool-Based Anomaly Detection (EAV0006))

# Pseudocode Standard

# Function Format:
# function [Tactic]_[Technique]([Input]):
#     [Procedure]
#     return [Output]

# HeartCrypt Pseudocode

function Defense_Evasion_Obfuscated_Files_or_Information(malware_binary):
    # Pack malware_binary into a legitimate binary using HeartCrypt
    return packed_binary

function Defense_Evasion_Obfuscated_Files_or_Information_PIC(packed_binary):
    # Employ position-independent code (PIC) and control flow obfuscation
    return obfuscated_binary

function Defense_Evasion_Obfuscated_Files_or_Information_Encoding(obfuscated_binary):
    # Utilize multiple layers of encoding and byte substitution
    return encoded_binary

function Defense_Evasion_Obfuscated_Files_or_Information_Resources(encoded_binary):
    # Hide shellcode in resources disguised as bitmap images
    return final_packed_binary
