EDR Evasion, Themida

Binary Packers, Signatures, Oh My

Sometimes you see old friends in the weirdest places.

Bit of history here. Back in 2000 or 2001 I had my first run-in with UPX, the Ultimate Packer for eXecutables, for DOS, Windows 3.x, and Windows 9x. It was popular on websites like PE (Portable Executable) Tools.com, exetools, and other old executable-hosting sites. At the time I worked for Symantec, and while one of our libraries, Decomposer, could handle quite a few types, it wasn't that great with packed or intentionally obfuscated exe's. UPX became highly problematic, and one of my friends worked in QA at our Symantec office in Oregon testing features surrounding packers, particularly UPX. While it was usually used in conjunction with other tools to crack video games and hide them from the ancient types of DRM at the time, it had started to be used rampantly by what we called VX'ers, or simply virus developers. VX forums were a notorious spot, but even though the web was in the process of exploding, a lot of the really shady material was still hosted on BBS's that you had to dial into to get access to their libraries. A close friend of mine ran one (no, I will not tell you the name, though I believe the statute of limitations has run out for him) and that was the first place I ever got my hands on materials like The Anarchist Cookbook. Heh, I do not have a copy, but I would kill for original print copies of 2600. But I digress.

When I started the research lab at Sana Security, there were several crypters, packers, and obfuscators that were beyond challenging. Kaspersky was usually on the bleeding edge for detection, but there were known binary fingerprints of the packers themselves: the section names, entry-point byte patterns, and header quirks a packer leaves behind. So using tools like FileAlyzer and some community-maintained signature databases, it was generally straightforward to detect what packer a piece of malware we needed to study was using. Unpacking was always the first step: you either used a static unpacker or let the sample unpack itself dynamically on a 'sacrificial' operating system and then dumped memory. This was around the time rootkits were getting 'popular', with rootkit.com and Joanna Rutkowska developing tools like Blue Pill. The saga behind rootkit.com is better left for another day.
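As an added example (not part of the original post, and not Symantec's or Sana Security's tooling): a minimal PE section-table walker that applies the fingerprint idea above. It names a packer from the section names it is known to leave behind and, independently, flags the generic layout most packers share, an empty section reserved as the unpack destination next to a high-entropy payload section. The fingerprint table is a small illustrative subset, not a real signature database, and the two PE images it inspects are constructed in the block itself so that it runs offline; none of it is taken from the page.

```python
import math
import random
import struct
from collections import Counter

# Illustrative section-name fingerprints. Real packer databases (PEiD/DIE-style
# signature sets) are far larger and mostly match entry-point byte patterns;
# this table is an assumption for the example, not a complete reference.
PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".themida": "Themida", b".winlice": "WinLicense",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect",
}
HIGH_ENTROPY = 7.0  # bits per byte; compressed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of data (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)
    (size_of_optional,) = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ... (the rest is not needed here)
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, table + i * 40)
        raw = pe[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0"), "vsize": vsize, "vaddr": vaddr,
            "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def identify_packer(pe: bytes) -> dict:
    """Name the packer from section fingerprints, plus a generic packing heuristic."""
    sections = parse_sections(pe)
    hits = {PACKER_SECTION_NAMES[s["name"]] for s in sections
            if s["name"] in PACKER_SECTION_NAMES}
    # Generic tell: an empty section reserved as the unpack destination
    # (raw size 0, large virtual size) next to a high-entropy payload section.
    has_empty_dest = any(s["raw_size"] == 0 and s["vsize"] > 0 for s in sections)
    has_dense_payload = any(s["entropy"] > HIGH_ENTROPY for s in sections)
    return {"packers": sorted(hits),
            "heuristic_packed": has_empty_dest and has_dense_payload,
            "sections": sections}


def build_sample_pe(section_specs) -> bytes:
    """Constructed test input: a minimal PE32 image with the given sections.
    It carries no real code and is not runnable; it only exercises the parser."""
    num, size_opt, e_lfanew, file_align = len(section_specs), 0xE0, 0x40, 0x200
    headers = e_lfanew + 4 + 20 + size_opt + 40 * num
    headers = -(-headers // file_align) * file_align  # round up to file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)  # PE32 magic only
    sec_hdrs, raw, raw_ptr, vaddr = b"", b"", headers, 0x1000
    for name, vsize, data in section_specs:
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                                len(data), raw_ptr if data else 0, 0, 0, 0, 0, 0xE0000040)
        raw, raw_ptr, vaddr = raw + data, raw_ptr + len(data), vaddr + max(vsize, 0x1000)
    image = dos + b"PE\0\0" + coff + opt + sec_hdrs
    return image + b"\0" * (headers - len(image)) + raw


# Constructed samples: a UPX-style layout (empty UPX0, dense UPX1) and a plain binary.
_rng = random.Random(1)
SAMPLE_UPX = build_sample_pe([
    (b"UPX0", 0x8000, b""),
    (b"UPX1", 0x3000, bytes(_rng.getrandbits(8) for _ in range(4096))),
    (b".rsrc", 0x1000, b"A" * 256 + b"\0" * 256),
])
SAMPLE_PLAIN = build_sample_pe([
    (b".text", 0x1000, b"\x90" * 512 + b"\xC3" * 512),
    (b".data", 0x1000, b"\0" * 1024),
])

if __name__ == "__main__":
    for label, pe in (("upx-like", SAMPLE_UPX), ("plain", SAMPLE_PLAIN)):
        r = identify_packer(pe)
        print(label, r["packers"], r["heuristic_packed"],
              [(s["name"], s["entropy"]) for s in r["sections"]])
```

The two checks are deliberately separate: section names are trivial for a packer author to rename (and Themida-class protectors do), so the name table only ever confirms a match, while the empty-destination-plus-dense-payload shape is what you fall back on when the names tell you nothing. Either way the output is only the starting point the paragraph describes; the next step is still unpacking, statically or by letting the sample run on a throwaway system and dumping memory.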

Themida, though, was a different beast. I knew of a few reversers who could sort of take it apart; I wasn't one of them. It fought back. The packer used a number of novel techniques which, while understood today, still make analysis an absolute slog when the protected binary is 1) signed software, and 2) signed with a legitimate key. And 16 years after my last battle with Themida, which ended in a Pyrrhic laugh (I instructed our kernel driver to trash every component of anything packed with that packer if it so much as opened a port or mutex), it comes back around.

In BlackCat.

Ransomware gangs known to use Poortry include Cuba, BlackCat, Medusa, LockBit and RansomHub, Sophos says.

The Sophos report stressed that since Microsoft closed a loophole that allowed the Poortry creators to use custom kernel-level drivers signed through Microsoft’s attestation signing process, the developers have added new features and functions to evade detection.

These include using Signature Timestamp Forging or obtaining a valid leaked non-Microsoft digital certificate, the report said. In the past 17 months, threat actors swapped the signing certificate they used for their executables at least nine times.

https://www.csoonline.com/article/3497712/tool-used-by-ransomware-groups-now-seen-killing-edr-report.html/amp/

And previously on JaphOnTech, https://www.japhontech.com/blog/blackcat
Well, no good deed goes unpunished, and just when I thought the bane of my existence was finally out of my hair, here it is. So, Sophos, have at them. And make sure your younger analysts don't pull all-nighters with this one; it has a way of adding a lot of grey hairs.
