Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

Dec. 16, 2024, 12:03 p.m.

Description

This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. In development since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is used primarily by operators of malware families such as LummaStealer, Remcos, and Rhadamanthys. HeartCrypt injects malicious code into legitimate binaries and employs various obfuscation techniques to hinder analysis. The packer executes in multiple stages, using encoded resources and anti-sandbox measures. Over 2,000 malicious payloads across 45 malware families have used HeartCrypt, highlighting the increasing commoditization of malware development and the need for proactive threat hunting.

Date

  • Created: Dec. 14, 2024, 7:04 a.m.
  • Published: Dec. 14, 2024, 7:04 a.m.
  • Modified: Dec. 16, 2024, 12:03 p.m.

Attack Patterns

  • LummaStealer
  • Vidar Stealer
  • Remcos
  • RedLine Stealer
  • XWorm
  • Rhadamanthys
  • Quasar RAT