A new packer-as-a-service (PaaS) named HeartCrypt has emerged as a formidable asset for malware operators seeking to elude antivirus detection. Developed in July 2023 and officially launched in February 2024, HeartCrypt has swiftly made its mark in the cybercrime underground, facilitating the packing of over 2,000 malicious payloads across 45 distinct malware families.
HeartCrypt’s approach to evasion is to inject malicious code into an otherwise legitimate executable rather than wrapping the payload in a custom stub. Because the packed file keeps the structure, metadata and most of the code of a genuine application, a static first-pass inspection by antivirus software sees a known-good program with a small amount of extra code.
Promoted on underground forums and Telegram channels, HeartCrypt charges a modest per-file fee for packing both Windows x86 and .NET payloads. Its clientele predominantly comprises operators of well-known malware families such as LummaStealer, Remcos, and Rhadamanthys.
HeartCrypt Injecting Malicious Code
The packing procedure employed by HeartCrypt is particularly sophisticated, as it injects malicious code into legitimate binaries. This technique not only camouflages the malware but also allows the carrier to be tailored to specific targets, as highlighted in a report by Palo Alto Networks’ Unit 42.
This customization is evident in the use of over 300 distinct legitimate binaries that serve as carriers for the malicious payload. The operational mechanics of HeartCrypt can be summarized as follows:
- Stub Creation: HeartCrypt integrates a block of position-independent code (PIC) into the binary’s .text section, allowing the stub to execute regardless of the address at which it is loaded.
- Control Flow Hijacking: The original binary’s control flow is modified, typically by altering the entry point so that execution is redirected to the malicious PIC before the legitimate code runs.
- Resource Addition: Various resources are appended to the binary, each serving a specific function in executing the malware. These resources present themselves as BMP files but actually hold encoded malicious code.
- Obfuscation Techniques: HeartCrypt employs multiple layers of encoding, including stack strings, dynamic API resolution, and superfluous arithmetic operations that complicate analysis.
- Payload Execution: The final payload, encrypted using a single-byte XOR operation, is decrypted at run time and executed either through process hollowing or by utilizing .NET framework capabilities.
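A practitioner triaging a packed sample will want a quick way to tell whether a resource that claims to be a BMP image is structurally consistent with one. The following is an added example, not code from the original article or from the Unit 42 report: it parses the BITMAPFILEHEADER and BITMAPINFOHEADER and reports inconsistencies that a resource disguised as a bitmap typically exhibits (declared file size that does not match the data, pixel offset outside the buffer, impossible plane or bit-depth values). The sample inputs are constructed inline; the checks are a first-pass heuristic that a careful packer could satisfy, so a clean result does not prove the resource is a real image.

```python
import struct

# Plausible BITMAPINFOHEADER sizes (BITMAPCOREHEADER, INFO, V2, V3, V4, V5).
VALID_DIB_SIZES = {12, 40, 52, 56, 108, 124}
VALID_BIT_DEPTHS = {1, 4, 8, 16, 24, 32}


def bmp_sanity(data: bytes) -> list:
    """Return a list of structural problems found in a supposed BMP resource.

    An empty list means the headers are internally consistent with the data.
    Heuristic only: it validates structure, not image content.
    """
    problems = []
    if len(data) < 14 + 12:
        return ["too short to hold BMP file and DIB headers"]
    magic, bf_size, _reserved, bf_off_bits = struct.unpack_from("<2sIII", data, 0)
    if magic != b"BM":
        problems.append("missing 'BM' magic")
    if bf_size != len(data):
        problems.append(f"bfSize {bf_size} != actual length {len(data)}")
    dib_size = struct.unpack_from("<I", data, 14)[0]
    if dib_size not in VALID_DIB_SIZES:
        problems.append(f"unusual DIB header size {dib_size}")
        return problems  # field layout below assumes a known header
    if dib_size == 12:  # BITMAPCOREHEADER: 16-bit width/height
        width, height, planes, bpp = struct.unpack_from("<HHHH", data, 18)
        compression = 0
    else:
        if len(data) < 14 + 40:
            return problems + ["truncated BITMAPINFOHEADER"]
        width, height, planes, bpp, compression = struct.unpack_from("<iiHHI", data, 18)
    if planes != 1:
        problems.append(f"biPlanes {planes} != 1")
    if bpp not in VALID_BIT_DEPTHS:
        problems.append(f"impossible bit depth {bpp}")
    if bf_off_bits < 14 + dib_size or bf_off_bits > len(data):
        problems.append(f"bfOffBits {bf_off_bits} points outside the headers/data")
    if compression == 0 and bpp in VALID_BIT_DEPTHS and width > 0:
        # Uncompressed rows are padded to 4-byte boundaries.
        stride = ((width * bpp + 31) // 32) * 4
        expected = stride * abs(height)
        if bf_off_bits + expected > len(data):
            problems.append(f"pixel array needs {expected} bytes, only "
                            f"{len(data) - bf_off_bits} available")
    return problems


def build_bmp_24bit(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed sample: a minimal, valid 24-bit uncompressed BMP."""
    stride = ((width * 3 + 3) // 4) * 4
    body = b"".join(
        pixels[r * width * 3:(r + 1) * width * 3].ljust(stride, b"\x00")
        for r in range(height)
    )
    off_bits = 14 + 40
    file_hdr = struct.pack("<2sIII", b"BM", off_bits + len(body), 0, off_bits)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(body), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + body


# Constructed inputs: one genuine bitmap and one "bitmap" that is really a
# BMP magic stapled onto an opaque blob, the kind of resource the article
# describes (values are illustrative, not taken from a HeartCrypt sample).
REAL_BMP = build_bmp_24bit(2, 2, bytes(range(12)))
FAKE_BMP = b"BM" + bytes([0x9C, 0x3A, 0x00, 0x00]) + b"\x00" * 4 + \
    bytes([0x36, 0x00, 0x00, 0x00]) + bytes([0x28, 0, 0, 0]) + \
    bytes(b"\xDE\xAD\xBE\xEF" * 20)

if __name__ == "__main__":
    for name, blob in (("real", REAL_BMP), ("fake", FAKE_BMP)):
        print(name, bmp_sanity(blob) or "headers consistent")
```

Run it over every RT_RCDATA or RT_BITMAP resource extracted from a suspect binary; a resource whose declared size, pixel offset or bit depth is nonsensical deserves a closer look, while a structurally valid one still needs content inspection (for example, whether the pixel bytes decode to a PE).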
Anti-Analysis Techniques
HeartCrypt also integrates a range of anti-sandbox and anti-emulation techniques designed to thwart detection:
- Attempts to load non-existent DLLs to identify sandbox environments.
- Performs lengthy calculations inside loops to detect emulators that short-cut or abandon loop execution.
- Utilizes virtual DLLs to evade Windows Defender’s emulator.
The final payload is encrypted with a single-byte XOR operation utilizing a rotating key. HeartCrypt discerns whether the payload is a .NET assembly or a native executable, applying suitable injection techniques, primarily process hollowing, for malware execution.
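The two facts above (a single-byte XOR with a rotating key, followed by a decision between a .NET assembly and a native executable) translate directly into an unpacking helper. The following is an added example written for this page, not code from HeartCrypt or from the Unit 42 report, and it makes one labelled assumption the article does not spell out: "rotating key" is taken to mean that the key byte is rotated left by one bit after each payload byte. Any other per-byte key schedule can be substituted in `xor_rotating` without changing the rest. The sample PE images are constructed inline so the script runs offline; `recover_payload` brute-forces the 256 possible initial keys and accepts a candidate only when a valid MZ/PE header appears, and `classify_pe` then answers the .NET-versus-native question by checking whether the CLR runtime header data directory (index 14) is populated.

```python
import struct


def rol8(b: int) -> int:
    """Rotate an 8-bit value left by one bit."""
    return ((b << 1) | (b >> 7)) & 0xFF


def xor_rotating(data: bytes, key: int) -> bytes:
    """Assumed key schedule: XOR with a single key byte that is rotated left by
    one bit after every byte. XOR is symmetric, so this both encrypts and decrypts."""
    out = bytearray(len(data))
    k = key & 0xFF
    for i, b in enumerate(data):
        out[i] = b ^ k
        k = rol8(k)
    return bytes(out)


def classify_pe(pe: bytes):
    """Return 'dotnet', 'native', or None if the buffer is not a PE image.

    A .NET assembly carries a CLR runtime header, referenced by data directory
    entry 14 of the optional header; a native executable leaves it zero.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    opt = e_lfanew + 24                         # optional header follows COFF header
    if opt + 2 > len(pe):
        return None
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd_off = 96 if magic == 0x10B else 112      # data directories: PE32 vs PE32+
    clr_entry = opt + dd_off + 14 * 8
    if clr_entry + 8 > len(pe):
        return None
    clr_rva, clr_size = struct.unpack_from("<II", pe, clr_entry)
    return "dotnet" if clr_rva and clr_size else "native"


def recover_payload(blob: bytes):
    """Brute-force the initial key; return (key, plaintext) or None."""
    for key in range(256):
        head = xor_rotating(blob[:0x400], key)  # cheap trial on the header only
        if classify_pe(head) is not None:
            return key, xor_rotating(blob, key)
    return None


def build_minimal_pe(dotnet: bool) -> bytes:
    """Constructed sample: a tiny PE32 image with one .text section. Not a real
    HeartCrypt artifact; it exists only so the functions above have input."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<IHHIIIHH", 0x00004550, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)     # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)   # ImageBase
    struct.pack_into("<I", opt, 92, 16)         # NumberOfRvaAndSizes
    dirs = bytearray(16 * 8)
    if dotnet:
        struct.pack_into("<II", dirs, 14 * 8, 0x2008, 72)  # CLR header RVA/size
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + bytes(dirs) + sect
    headers += b"\x00" * (0x200 - len(headers))
    return headers + b"\xC3" * 0x200            # section body: filler RET bytes


if __name__ == "__main__":
    packed = xor_rotating(build_minimal_pe(dotnet=True), 0x5A)
    key, payload = recover_payload(packed)
    print(f"key=0x{key:02X} type={classify_pe(payload)}")
```

The header-only trial decryption works because a rotate-by-one schedule repeats every eight bytes, so the first 0x400 bytes under a given key are exactly the prefix of the full decryption. On a real sample the blob would come from the appended resource; if no key yields a PE header, the schedule assumption is wrong and `xor_rotating` is the only function that needs changing.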
The advent of HeartCrypt as a PaaS lowers the entry barrier for malware operators, since a customer needs no packing expertise of their own, and that can be expected to raise both the volume of packed samples and their initial success against signature-based detection. This trend accentuates the need for detection methods that look past a file’s legitimate facade, such as behavioural monitoring and memory-based scanning, and for proactive threat hunting.
Security researchers have successfully extracted and analyzed payloads from HeartCrypt samples, yielding valuable insights into its operation and the malware campaigns associated with it. Nevertheless, the continuous evolution of such packing services presents ongoing challenges for the cybersecurity community in detecting and mitigating increasingly sophisticated malware threats.
As HeartCrypt continues to gain traction among cybercriminals, organizations and individuals alike should remain vigilant and keep their security measures current, thereby fortifying their defenses against these emerging threats.