A new packer-as-a-service (PaaS) called HeartCrypt has emerged as a powerful tool for malware operators to evade antivirus detection.
Developed in July 2023 and launched in February 2024, HeartCrypt has quickly gained traction in the cybercrime underground, being used to pack over 2,000 malicious payloads across 45 different malware families.
HeartCrypt's distinguishing approach is to inject the malicious code into an otherwise legitimate executable rather than wrapping it in a purpose-built loader. The packed file keeps the structure, metadata and most of the code of the genuine application, so it passes a superficial inspection and is harder for antivirus software to flag.
The service, advertised on underground forums and Telegram, charges $20 per file to pack both Windows x86 and .NET payloads. Its customer base primarily consists of operators using malware families such as LummaStealer, Remcos, and Rhadamanthys.
HeartCrypt Injecting Malicious Code
According to the Palo Alto Networks report, HeartCrypt's packing process injects the malicious code into legitimate binaries, which both disguises the malware and lets operators tailor each packed sample to its intended target.
This customization is evident from the more than 300 distinct legitimate binaries used as carriers for the malicious payload. The packing steps, in the order they appear in a packed file, are:
Stub Creation: HeartCrypt adds a block of position-independent code (PIC) to the host binary's .text section; because the stub contains no absolute addresses, it runs correctly wherever it is mapped.
Control Flow Hijacking: The host binary's control flow is altered, typically by changing the entry point (AddressOfEntryPoint in the PE optional header) so that execution is redirected to the PIC stub before any of the original program's code runs.
Resource Addition: Several resources are added to the binary, each with a specific role in staging the malware. They are typed as BMP images, but their contents are encoded malicious code rather than valid bitmaps.
Obfuscation Techniques: The stub is layered with stack strings, dynamic API resolution (imports are looked up at run time instead of appearing in the import table), and arithmetic that serves no functional purpose but complicates analysis.
Payload Execution: The final payload, stored encrypted with a single-byte XOR operation, is decrypted in memory and executed, either through process hollowing or by leveraging .NET framework capabilities, depending on the payload type.
Anti-Analysis Techniques
HeartCrypt incorporates several anti-sandbox and anti-emulation techniques:
- Attempts to load DLLs that do not exist on a real Windows system; a sandbox or emulator that hands back a handle anyway gives itself away.
- Runs deliberately long arithmetic loops and checks their results, to catch emulators that abbreviate or skip loop execution.
- Uses the virtual DLLs that Windows Defender's emulator substitutes for real system libraries to recognize that emulator and evade it.
The final payload is encrypted using a single-byte XOR operation with a rotating key. The packer determines whether the payload is a .NET assembly or a native executable and selects the matching injection technique, primarily process hollowing, to execute the malware.
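The two checks an analyst would want from the description above, whether a resource typed as BMP is actually a bitmap and whether a single-byte XOR of it yields an embedded PE, as an added Python example (not code from the Unit 42 report or from HeartCrypt itself). It assumes the caller has already extracted each resource's raw bytes from the packed file (for example with pefile) and that a hidden payload, if present, starts at offset 0 of the resource; the sample BMP and sample PE are constructed inline and are not real malware. It goes slightly beyond the page by also reporting an unencrypted embedded PE (key 0) and returning the recovered plaintext for further analysis.

```python
"""
Triage of HeartCrypt-style resource blobs (added example, not from Unit 42 or the
article). Assumes the caller has already extracted each resource's raw bytes from
the packed PE (e.g. with pefile) and that a hidden payload, if present, starts at
offset 0 of the blob. Two checks are applied to every blob:
  1. Is this a structurally valid BMP, or just a resource typed as one?
  2. Does a single-byte XOR of the blob reveal an embedded PE (MZ/PE signatures)?
"""
import struct


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def is_valid_bmp(blob: bytes) -> bool:
    """Structural BMP check: 'BM' magic, bfSize equal to the blob length,
    and a pixel-data offset (bfOffBits) that lies inside the blob."""
    if len(blob) < 26 or blob[:2] != b"BM":
        return False
    bf_size = struct.unpack_from("<I", blob, 2)[0]
    bf_off_bits = struct.unpack_from("<I", blob, 10)[0]
    return bf_size == len(blob) and 14 <= bf_off_bits <= len(blob)


def looks_like_pe(blob: bytes) -> bool:
    """'MZ' DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return e_lfanew + 4 <= len(blob) and blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_pe(blob: bytes):
    """Try every single-byte key; return (key, plaintext) if a PE appears.
    Key 0 is included so an unencrypted embedded PE is reported too.
    (With the known plaintext 'M' at offset 0 the key is simply blob[0] ^ 0x4D,
    but the full sweep costs nothing and verifies the whole PE signature.)"""
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if looks_like_pe(candidate):
            return key, candidate
    return None


def triage_resource(blob: bytes) -> dict:
    """Summarise one resource: genuine bitmap, XOR-wrapped PE, or neither."""
    hit = recover_xor_pe(blob)
    return {
        "genuine_bmp": is_valid_bmp(blob),
        "embedded_pe": hit is not None,
        "xor_key": hit[0] if hit else None,
    }


# --- constructed sample inputs (not real malware) -------------------------

def build_sample_bmp() -> bytes:
    """A well-formed 1x1 24-bit BMP (14-byte file header + 40-byte DIB header)."""
    pixels = b"\x00\x00\xff\x00"                      # one pixel + row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    header = struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(dib))
    return header + dib + pixels


def build_sample_pe() -> bytes:
    """Minimal stand-in for a payload: DOS header with e_lfanew=0x80, a
    'PE\\0\\0' signature with an i386 COFF header, and a few bytes of body."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew
    dos_stub = b"\x00" * (0x80 - len(dos))
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    return bytes(dos) + dos_stub + coff + b"\x90" * 32


if __name__ == "__main__":
    # A resource as HeartCrypt would store it: typed BMP, contents XOR-encoded PE.
    disguised = xor_bytes(build_sample_pe(), 0x5A)
    for name, blob in (("real.bmp", build_sample_bmp()), ("fake.bmp", disguised)):
        print(name, triage_resource(blob))
```

Run it over every resource in a suspect file: a resource that fails the BMP check and yields a PE under some key is the staged payload, and the returned plaintext can be written out for analysis. The BMP check is deliberately structural (magic, declared size, pixel offset) rather than a full decoder, which is enough to separate a real bitmap from an encoded blob that merely carries the BMP resource type.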
HeartCrypt’s emergence as a PaaS lowers the barrier to entry for malware operators, potentially leading to an increase in the volume and success rate of malware infections. This development underscores the need for more advanced threat detection techniques and proactive threat hunting.
Security researchers have successfully extracted and analyzed payloads from HeartCrypt samples, providing valuable insights into its operations and associated malware campaigns. However, the continuous evolution of such packing services highlights the ongoing challenges faced by the cybersecurity community in detecting and mitigating increasingly sophisticated malware threats.
As HeartCrypt continues to evolve and gain popularity among cybercriminals, organizations and individuals must remain vigilant and ensure their security measures are up to date to defend against these emerging threats.