Packers: What’s in the Box?

Threat identification has historically been plagued with challenges such as being able to quickly understand a threat, successfully associating it with a threat family, and attributing it to a specific cybercriminal or criminal organization. Malicious threat actors often compound this challenge by putting a large roadblock right at the very beginning of any analysis process.

They do this by boxing their payloads into neat little packages before releasing them out into the vast corners of the Internet. They also utilize a plethora of packers, ranging from custom-written tools all the way to well-established professional packers (such as Themida and VMProtect) to delay the reverse engineering of their malware as well as to fool automated systems.

During our research into a variety of business and industry verticals, the FortiGuard SE team has come across a fairly new and interesting custom packer tool, first discovered last July, 2019. It is dubbed “Frenchy” because early versions of this packer created a shellcode with letters in single quotes on every other line spelling out the word “frenchy_shellcode”, followed by a version number. The latest version has removed this tag, so Figure 1 is a screenshot of an earlier version of the packer.

As with many packers, this one is obfuscated and uses AutoIT for delivery. The AutoIT script itself can be extracted either by manually reversing it or by using a third-party program such as Exe2Aut to perform the task automatically. The obfuscation layer looks like the following.

After a bit of code cleanup, however, a better picture of the packer starts to emerge. Comments in purple are translation notes used during the de-obfuscation process.

This packer is unusual in that it is able to perform specific functions that are rarely seen in most other packers. That’s because most packers don’t typically contain functions that do anything except unpack. While some may include one or two additional tools, no other well-known packer does all the things that Frenchy does, largely because none of these functions are directly related to the unpacking process. For example, Themida has an anti-VM function, but it does not handle installation or include any UAC bypasses. This packer, however, includes a custom installation routine for the actual malware by creating a shortcut inside the user’s startup directory to achieve persistence. It also creates a VisualBasic script in an arbitrary folder inside the user’s profile directory. And it copies itself to that same arbitrary folder as well. The packer ties all these seemingly separate events into the following installation routine. 

As further evidence that this isn’t a normal packer, and to make detection harder, this packer also doesn’t store its shellcode inside the AutoIT script. Instead, it places most of it in other resources. Moreover, depending on the type of resources used, the packer will choose a different legitimate Microsoft executable to inject itself into, and it has even been known to use process hollowing (https://attack.mitre.org/techniques/T1093/).

To make analysis even more difficult, this packer has also implemented some basic anti-VM checks. Namely, it checks for both "vmtoolsd.exe" and "vbox.exe", and if found, the malware is not installed. These checks are not as involved as some employed by other packers, such as Themida – mentioned above, the inclusion of this anti-VM check is more likely aimed at thwarting automated analysis.

Another interesting technique found in this packer is the inclusion of not one, but two UAC bypasses. For those infected machines that are running Windows 7 or 8, the threat can also use the event viewer UAC bypass trick, while for those running Windows 10, the packer will bypass UAC through the use of fodhelper.

We can see that the author of this fairly new packer has incorporated several new techniques, many of the unusual for a tool of this kind, though some of these functions are beginning to show up in other packers as well. As the threat landscape widens, packers such as this one are expanding their ability to exploit new opportunities by growing in sophistication. Threat researchers have already seen the new “frenchy” packer being used by different malware families, such as LimeRAT, Tesla, and in this case, Lokibot (SHA-256: E5D9C9C78ABB247C30E3E9BBD5103CD559FD54C9C616237DEC896DD42908449A).

Solution

Fortinet customers are safe from this threat and other similarly-packed malware as we detect them as AutoIt/Injector.ELI!tr.

Learn more about FortiGuard Labs and the FortiGuard Security Services portfolio. Sign up for our weekly FortiGuard Threat Brief.

Read about the FortiGuard Security Rating Service, which provides security audits and best practices.