Cybersecurity researchers from Check Point have uncovered an increasing trend of hackers exploiting commercial packing tools like BoxedApp to conceal and distribute various malware strains. Over the past year, a significant surge in the abuse of BoxedApp products has been observed, particularly in attacks targeting financial institutions and government organisations.

BoxedApp offers a range of commercial packers – including BoxedApp Packer and BxILMerge – which provide advanced features like Virtual Storage (Virtual File System, Virtual Registry), Virtual Processes, and a universal instrumentation system (WIN/NT API hooking). While these tools are designed for legitimate purposes, threat actors have been leveraging them to pack malicious payloads, evade detection, and hinder analysis.

According to the researchers’ investigation, the main abused BoxedApp products are BoxedApp Packer and BxILMerge, both built on top of the BoxedApp SDK. These products grant threat actors access to the SDK’s most advanced features, enabling them to create custom, unique packers that leverage cutting-edge capabilities while remaining diverse enough to avoid static detection.

The benefits of using advanced, unique features offered by BoxedApp SDK outweigh the disadvantages of employing a known commercial packer. Among the most notable features and capabilities are Virtual File System, Virtual Registry, Virtual Processes (PE Injection), WIN/NT API hooking SDK, general packing (destroying original PE Imports, compression, etc.), producing single-file bundles, and ensuring all I/O to Virtual Storage remains in memory without dropping files to disk.

Although BoxedApp products have been available for several years, their abuse for malicious purposes has significantly increased in the past year, with no public acknowledgment of their connection to BoxedApp until now. While using commercial packers has both pros and cons for attackers, the advanced capabilities they provide seem to outweigh the potential drawbacks.

Pros of using BoxedApp products for malware distribution include:

  • Reliable, ready-to-use products with advanced capabilities
  • Available BoxedApp SDK for creating custom, diverse packers
  • Proprietary Virtual Storage system (Virtual File System, Virtual Registry)
  • Creation of Virtual Processes for PE injection
  • Simple SDK for hooking WIN/NT APIs
  • General packing (destroys original PE Imports, performs compression, etc.)
  • Production of single-file bundles with all dependencies in Virtual Storage
  • All I/O to Virtual Storage stays in memory, preventing file drops on disk
  • Difficulty in distinguishing between regular and malicious packed applications (high false positive rate)

Cons include:

  • Easy static detection of the original BoxedApp products used for packing
  • Generic static detection of certain SDK features commonly abused for malicious purposes (e.g., WIN/NT API hooking, Virtual Process – PE injection)
  • High false positive detection rate for non-malicious applications packed by BoxedApp

Although the high false positive rate can trigger detections on non-malicious BoxedApp-packed applications, the built-in Windows Defender and other top-tier antivirus solutions are typically unaffected by it.

The researchers analysed approximately 1,200 BoxedApp-packed samples submitted to VirusTotal in the last three years and successfully processed by VT sandboxes. Alarmingly, 25% of these samples were detected as malicious based on their behaviour. The VirusTotal submission timeline of these malicious samples shows an increasing trend of BoxedApp abuse for malware deployment.

Among the most commonly deployed malware families were RATs (Remote Access Trojans) such as QuasarRAT, NanoCore, NjRAT, Neshta, AsyncRAT, and LodaRAT, as well as stealers like RevengeRAT, AgentTesla, RedLine, and Remcos. Additionally, instances of ransomware like LockBit were also detected.

The researchers conducted an in-depth analysis of the BoxedApp internals, focusing on the resulting binary structures packed by different products. This analysis provided insights into unpacking the Virtual Storage and reconstructing the main malicious binaries. Yara signatures were also provided to aid in statically detecting the packer in use while distinguishing the specific product employed.
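The packing effects the article names (original PE imports destroyed, payload compressed into an in-memory bundle, static signatures used to tell the packer apart) can be checked on a file without any product-specific knowledge. The following is an added example, not code from Check Point or from BoxedApp: a small PE header walker that reports whether the import directory is empty and which sections carry compressed or encrypted-looking data. It contains no real BoxedApp marker or Yara rule; the two sample images are constructed in `build_synthetic_pe()` purely for offline testing, and the entropy threshold of 7.2 bits per byte is an assumed, adjustable triage value.

```python
import math
import random
import struct

# Generic static triage for a PE file: does the import table survive, and which
# sections look compressed or encrypted? These are the two packing effects the
# article describes. No real BoxedApp signature is used; every sample image is
# constructed below and is a header skeleton, not a loadable program.

IMAGE_DIRECTORY_ENTRY_IMPORT = 1   # index of the import directory in the data-directory array
FILE_ALIGNMENT = 0x200


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: close to 8.0 for compressed/encrypted data, well below 7 for code."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)       # PE32 vs PE32+ data-directory offset
    _imp_rva, imp_size = struct.unpack_from("<II", data, dd_base + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    sections = []
    for i in range(num_sections):
        hdr = opt + size_opt + 40 * i                       # section headers are 40 bytes each
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"import_dir_size": imp_size, "sections": sections}


def triage_pe(data: bytes, entropy_threshold: float = 7.2) -> dict:
    """Flag an image whose import directory is empty AND that carries a
    compressed/encrypted-looking section. Either alone is common in clean
    software; together they form the packer profile worth a closer look."""
    info = parse_pe(data)
    high = [s["name"] for s in info["sections"]
            if s["raw_size"] and s["entropy"] >= entropy_threshold]
    no_imports = info["import_dir_size"] == 0
    return {"no_import_table": no_imports, "high_entropy_sections": high,
            "packer_profile": no_imports and bool(high), **info}


def build_synthetic_pe(sections, import_dir_size: int) -> bytes:
    """Constructed PE32 skeleton for offline testing (valid headers and section
    table only). `sections` is a list of (name_bytes, body_bytes) tuples."""
    e_lfanew = 0x40
    size_opt = 224                                          # PE32 optional header incl. 16 data directories
    hdr_end = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_base = (hdr_end + FILE_ALIGNMENT - 1) & ~(FILE_ALIGNMENT - 1)
    img = bytearray(b"MZ".ljust(0x3C, b"\0"))
    img += struct.pack("<I", e_lfanew)                      # e_lfanew lives at offset 0x3C
    img += b"PE\0\0"
    img += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     0x3000 if import_dir_size else 0, import_dir_size)
    img += opt
    raw_ptr, bodies = raw_base, bytearray()
    for i, (name, body) in enumerate(sections):
        raw_size = (len(body) + FILE_ALIGNMENT - 1) & ~(FILE_ALIGNMENT - 1)
        img += name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(body), 0x1000 * (i + 1),
                                                   raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    img += b"\0" * (raw_base - len(img))
    return bytes(img + bodies)


def build_samples() -> dict:
    """Two constructed images: 'packed' (no import directory, pseudo-random payload
    section standing in for compressed data) and 'clean' (imports present, low-entropy code)."""
    payload = random.Random(1337).randbytes(4096)
    code = (b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 10) * 256   # repetitive, low entropy
    return {
        "packed": build_synthetic_pe([(b".bundle", payload)], import_dir_size=0),
        "clean": build_synthetic_pe([(b".text", code), (b".rdata", b"Hello\0" * 100)],
                                    import_dir_size=0x28),
    }


if __name__ == "__main__":
    for label, image in build_samples().items():
        r = triage_pe(image)
        print(f"{label:>6}: imports={'absent' if r['no_import_table'] else 'present'} "
              f"high-entropy={r['high_entropy_sections']} packer_profile={r['packer_profile']}")
```

On a real sample the same two signals appear together for any packer that rebuilds imports at runtime, which is exactly why the article notes a high false positive rate for legitimately packed software: this heuristic is a triage filter that selects files for sandboxing or signature matching, not a verdict on its own.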

(Photo by Arthur Edelmans)
