2025-01-06-changes-to-HeartCrypt-packed-malware.txt
2025-01-06: CHANGES TO HEARTCRYPT-PACKED MALWARE
AUTHOR:
- Jerome Tujague
REFERENCES:
- https://www.linkedin.com/posts/unit42_heartcrypt-timelythreatintel-unit42threatintel-activity-7282417712578940929-2Bpg/
- https://x.com/Unit42_Intel/status/1876652056460546246
NOTES:
- HeartCrypt is a packer-as-a-service (PaaS) for Windows-based malware that first appeared in February 2024.
- This packer hides malware inside copies of legitimate Portable Executable (PE) files to evade detection.
- We recently published an article about HeartCrypt in December 2024 at:
-- https://unit42.paloaltonetworks.com/packer-as-a-service-heartcrypt-malware/
- Since that article, we've noticed some changes to how these files are now packed.
- Recent HeartCrypt-packed samples have changed where the position-independent code (PIC) used to generate the malware payload is stored:
-- The PIC is no longer carried in the PE file's resource data.
-- The payload is now stored as XOR-encrypted blocks of data in two separate files that pretend to be bitmap (BMP) images.
-- Each of these files consists of a fake BMP header, followed by junk data, followed by an XOR key, followed by the XOR-encrypted data.
-- The decrypted code from the two XOR-encrypted blocks is combined into the final payload.
- We've updated our extraction process to extract the malware payload from these HeartCrypt-packed samples.
- Sample hashes follow.
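An added worked example, not code from the original post or from the Unit 42 extraction process, of carving the two fake-BMP carrier files with the layout described above (fake BMP header, junk, XOR key, XOR-encrypted data) and recombining the decrypted blocks. The post gives the order of the fields but not their sizes, so HEADERS_LEN, JUNK_LEN and KEY_LEN, the header-consistency heuristic, and the sample carriers below are assumptions constructed for illustration; against a real sample the offsets and key length have to be recovered from the unpacking stub.

```python
"""Carve and decrypt an XOR-encrypted block from a fake-BMP carrier file.

Assumed layout (the post gives the order of the fields, not their sizes):
  [fake BMP headers][junk][XOR key][XOR-encrypted data]
HEADERS_LEN, JUNK_LEN and KEY_LEN are placeholder values chosen for this
example; real samples need the sizes recovered from the unpacking stub.
"""
import struct

HEADERS_LEN = 54   # 14-byte BITMAPFILEHEADER + 40-byte BITMAPINFOHEADER
JUNK_LEN = 64      # assumption: junk bytes between the headers and the key
KEY_LEN = 16       # assumption: length of the repeating XOR key


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bmp_header_is_inconsistent(blob: bytes) -> bool:
    """Heuristic (assumption, not from the post): a genuine BMP declares its
    own file size and the offset of its pixel array; a carrier that only
    borrows the 'BM' magic rarely keeps both consistent with the real length."""
    if len(blob) < HEADERS_LEN or blob[:2] != b"BM":
        return False
    bf_size, _r1, _r2, bf_off = struct.unpack_from("<IHHI", blob, 2)
    return bf_size != len(blob) or bf_off > len(blob)


def carve_block(blob: bytes, junk_len: int = JUNK_LEN, key_len: int = KEY_LEN) -> bytes:
    """Skip the headers and junk, read the key, decrypt everything after it."""
    key_off = HEADERS_LEN + junk_len
    key = blob[key_off:key_off + key_len]
    enc = blob[key_off + key_len:]
    if len(key) != key_len or not enc:
        raise ValueError("carrier too short for the assumed layout")
    return xor_bytes(enc, key)


def extract_payload(carriers) -> bytes:
    """Decrypt each carrier and concatenate the plaintext blocks in order."""
    return b"".join(carve_block(c) for c in carriers)


# --- constructed sample data (not taken from any real sample) ---------------

def make_carrier(junk: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Build a carrier with the assumed layout and a bogus BMP header."""
    file_hdr = b"BM" + struct.pack("<IHHI", 0x1234, 0, 0, HEADERS_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 16, 16, 1, 24, 0, 0, 0, 0, 0, 0)
    return file_hdr + info_hdr + junk + key + xor_bytes(plaintext, key)


SAMPLE_PAYLOAD = b"MZ" + bytes(range(2, 256)) + b"stub-payload-for-demo"
_half = len(SAMPLE_PAYLOAD) // 2
SAMPLE_CARRIERS = [
    make_carrier(b"\xaa" * JUNK_LEN, b"k3y-one-01234567", SAMPLE_PAYLOAD[:_half]),
    make_carrier(b"\x55" * JUNK_LEN, b"k3y-two-98765432", SAMPLE_PAYLOAD[_half:]),
]


def demo() -> bytes:
    """Flag the carriers as non-images, then rebuild the payload from both."""
    if not all(bmp_header_is_inconsistent(c) for c in SAMPLE_CARRIERS):
        raise RuntimeError("sample carriers should not look like real BMPs")
    return extract_payload(SAMPLE_CARRIERS)


if __name__ == "__main__":
    out = demo()
    print(len(out), out[:2], out == SAMPLE_PAYLOAD)
```

Against real carriers, the two parameters to recover are the junk length (equivalently, the key offset) and the key length; once known, the rest is repeating-key XOR and concatenation in the order the unpacking stub reads the files.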
SHA256 HASHES FROM NEWER HEARTCRYPT-PACKED SAMPLES AND THEIR EXTRACTED MALWARE:
- HeartCrypt-packed sample: 1b7411d5d2854c40f66cc933f80f147167e39778f54115b842fc32b4a5d3d483
- Extracted malware: 374147d9a1183af2f4bb249ef4cd55fe3cb584d932bc80102d933809826a6a0f
- HeartCrypt-packed sample: 87c1cb9d609659ce466d16354973ce4dbb8bea8652dbe104a196e42b3a739786
- Extracted malware: fa5ca2d7c232c7abef7c18d67a2303ac22e1d5f3320c7b6d4a95b56342b38c3b
- HeartCrypt-packed sample: 2baf9b0ff18b826f394498385d0ac66b241cd55c9e35822f50c97ec33ed8df8e
- Extracted malware: 46911b593034e23c7d56b2ebf9a4bb94ef2e2ded7c7b66e20c1d9fd9b1687ad4